The Terminated Employee Still Has a Laptop Full of PHI. Now What?
> TL;DR: When a workforce member leaves, disabling their accounts is the obvious step. The device in their bag is the one that gets missed — and a laptop full of PHI that never came back is a breach waiting to be reported. HIPAA requires device and media controls (45 CFR 164.310(d), with Disposal and Media re-use Required) and termination procedures (45 CFR 164.308(a)(3)(ii)(C), Addressable). Underneath both sits a requirement OCR keeps returning to: you can't protect ePHI on devices you haven't inventoried. This guide covers what's required, the gap an offboarding checklist usually leaves, and how to tie devices to people so nothing walks out the door.
Offboarding has a script. Disable the email, kill the logins, collect the badge. Most practices do that part well.
Then someone realizes, three weeks later, that the departed employee never returned their laptop. The one with patient files on it.
That's the moment a routine departure becomes a reportable breach. Not because anyone was negligent. Because the offboarding checklist tracked accounts, and nobody tied it to the hardware.
What the rule actually requires
HIPAA addresses this from two directions.
On the device side, Device and Media Controls — 45 CFR 164.310(d)(1) — require "policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility." Two of its implementation specs are Required: Disposal, 45 CFR 164.310(d)(2)(i), and Media re-use, 45 CFR 164.310(d)(2)(ii) — you must address the final disposition of ePHI and remove it from media before re-use. Maintaining a record of device movements and who's responsible (Accountability, 45 CFR 164.310(d)(2)(iii)) is Addressable. (Source: 45 CFR 164.310.)
On the people side, Termination procedures — 45 CFR 164.308(a)(3)(ii)(C) (Addressable) — call for "procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends." (Source: 45 CFR 164.308.) Addressable, again, doesn't mean skip it. Under 45 CFR 164.306(d) it means do it or document a defensible alternative — and "we forgot the laptop" is not a defensible alternative.
Underneath both is the quiet foundation. OCR has been clear that you cannot conduct an accurate risk analysis, or protect ePHI, on assets you don't know you have. An IT asset inventory isn't a separately numbered checkbox in the rule. It's the thing that makes device control and termination actually work, and it ties straight back to the risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)).
Where the checklist breaks
The standard offboarding checklist is built around access. Email, EHR, VPN, badge. That's the muscle memory.
Devices live in a different system, if they live in a system at all. A spreadsheet someone updates when they remember. A vague sense of who has what. So when a person leaves, the access gets revoked cleanly and the hardware slips through, because nothing in the process connected the person to the device they were issued.
The fix isn't a longer checklist. It's connecting the two systems, so terminating a person automatically raises every device assigned to them.
The breach that doesn't happen
Here's the payoff, and it's the best kind — the incident you never have to report.
When each device is tied to the employee who holds it, the termination process can't complete with hardware outstanding. The laptop with PHI is flagged the moment the person is offboarded, because the system knows it exists and knows who has it. The device comes back. The PHI never leaves. There's no lost-device breach to investigate, no notification letters, no entry on HHS's public breach portal (the "wall of shame").
That's the whole game with device control. The win isn't a better incident response. It's the incident that never happens, plus the record proving you had control the whole time.
The evidence gap
Here's the question to sit with. If OCR asked today — show me every device that holds or accesses ePHI, who has each one, and prove the ones belonging to people who've left were recovered or wiped — could you?
For most organizations, the honest answer is no. They can produce an org chart and an access log. They can't produce a device-to-person map, and they definitely can't prove recovery at termination. That's the gap. And it's the gap that turns a quiet resignation into a breach six months later.
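The join described under "Where the checklist breaks" and the report asked for above are the same piece of logic: one record per device, each with an assignee and a disposition, queried at termination time. The script below is an added illustration, not Live Compliance's code and not from the original article; the record layout, the employee ids, asset tags and dates are all constructed for the example. It refuses to close offboarding while any ePHI-bearing device issued to the departing person lacks a recorded disposition, flags ePHI devices with nobody on record (the Accountability gap), and emits the device-to-person map with recovery status for departed staff.

```python
"""
Tie the device inventory to the termination list so offboarding cannot
close while a device that holds ePHI is still outstanding.

Added illustration only; record layouts and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    asset_id: str
    kind: str
    assignee: Optional[str]            # employee id, or None if nobody is on record
    holds_ephi: bool
    # The disposition is the evidence: how and when the device left the person.
    disposition: Optional[str] = None  # "returned", "wiped", or None (outstanding)
    disposition_date: Optional[date] = None


@dataclass
class Termination:
    employee_id: str
    effective: date


# Constructed sample inventory and HR termination feed (not real data).
INVENTORY = [
    Device("LT-0101", "laptop", "e.garcia", True, "returned", date(2026, 3, 2)),
    Device("PH-0207", "phone", "e.garcia", True),                  # never came back
    Device("LT-0119", "laptop", "j.okafor", True, "wiped", date(2026, 4, 15)),
    Device("LT-0133", "laptop", "p.nguyen", True),                 # still employed
    Device("TB-0301", "tablet", None, True),                       # nobody on record
    Device("KB-0402", "keyboard", "j.okafor", False),              # no ePHI
]
TERMINATIONS = [
    Termination("e.garcia", date(2026, 3, 1)),
    Termination("j.okafor", date(2026, 4, 14)),
]


def outstanding_devices(inventory, employee_id):
    """Every device issued to this person with no recorded disposition."""
    return [d for d in inventory
            if d.assignee == employee_id and d.disposition is None]


def can_close_offboarding(inventory, employee_id):
    """Offboarding may close only when no ePHI-bearing device is outstanding.

    Returns (ok, blocking_asset_ids). Non-ePHI items are still listed by
    outstanding_devices() but do not block closure.
    """
    blockers = [d.asset_id for d in outstanding_devices(inventory, employee_id)
                if d.holds_ephi]
    return (not blockers, blockers)


def unaccounted_devices(inventory):
    """ePHI devices with no assignee: nobody is accountable for them."""
    return [d.asset_id for d in inventory if d.holds_ephi and d.assignee is None]


def evidence_report(inventory, terminations):
    """One row per ePHI device held by a departed workforce member, with the
    recovery status and evidence date: the map an auditor would ask to see."""
    departed = {t.employee_id: t.effective for t in terminations}
    rows = []
    for d in inventory:
        if not d.holds_ephi or d.assignee not in departed:
            continue
        rows.append({
            "employee": d.assignee,
            "terminated": departed[d.assignee].isoformat(),
            "asset": d.asset_id,
            "status": d.disposition or "OUTSTANDING",
            "evidence_date": (d.disposition_date.isoformat()
                              if d.disposition_date else None),
        })
    return rows


if __name__ == "__main__":
    for t in TERMINATIONS:
        ok, blockers = can_close_offboarding(INVENTORY, t.employee_id)
        verdict = "may close" if ok else "BLOCKED by " + ", ".join(blockers)
        print(f"{t.employee_id}: {verdict}")
    print("No one on record for:", unaccounted_devices(INVENTORY))
    for row in evidence_report(INVENTORY, TERMINATIONS):
        print(row)
```

Run against the sample data, e.garcia's offboarding is blocked by the phone that never came back, j.okafor's may close because the laptop has a wipe record, and the tablet with no assignee surfaces as an accountability gap regardless of any termination. In a real deployment the inventory and termination feed would come from the asset system and HR, but the check itself does not change.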
How Live Compliance closes it
Live Compliance ties asset management to your people. Each device that holds or touches ePHI is associated with the employee it's assigned to, so you have the inventory OCR expects and the accountability the rule asks for. When someone is terminated, the offboarding checklist surfaces every device tied to them and won't let the process quietly close with hardware unaccounted for. Recovery and disposition get documented, so you have the proof, not just the intention.
And because the inventory lives in the same platform as your risk assessment, the assets you track feed the analysis they're supposed to inform.
We've spent 15 years watching small process gaps turn into reportable breaches — across 500+ organizations, with a 100% audit success rate — and closing the device gap is one of the quiet ones that pays off the most. See how the platform fits together, or talk to us about what's on the devices you've issued.
> Accuracy & legal note. This article is a plain-language summary of HIPAA requirements as of June 2026, based on the HIPAA Security Rule (45 CFR Part 164) and HHS guidance current as of that date. Regulations, OCR guidance, and enforcement priorities change. This is general educational information, not legal advice — verify current requirements at hhs.gov/hipaa or with your compliance counsel before acting. Platform capabilities described reflect Live Compliance as of the publish date. Last updated: June 2026.