Under HIPAA, when a breach of unsecured PHI takes place, the covered entity that sustains the breach must notify affected individuals of the breach. Notification must be provided through a breach notification letter. The content requirements and a HIPAA sample breach notification letter are discussed below.
Patient Notification in Breach Notification Letters
Prior to 2009, many breaches of unsecured PHI went unreported, both to the media and to breach victims. Individuals whose personal data or PHI had been compromised often only discovered the breach after their credit had been damaged or their identity had been stolen. In 2009, the Department of Health and Human Services (HHS) issued the HIPAA Breach Notification Rule. This regulation requires covered entities to notify “affected individuals” of a breach of their unsecured PHI or electronic protected health information (ePHI) by letter.
An “affected individual” is someone whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach. This lawyer-speak definition acts as a hedge: when a HIPAA-covered entity sustains a breach, it may not know precisely how many (or which) patients’ information was compromised. The provider must often undertake a forensic investigation to discover precisely what happened and who was affected. The full details of breaches that involve phishing, ransomware attacks, or other cyberattacks may only come to light after forensic examination, in some cases taking weeks or even months. Therefore, the law requires that HIPAA-covered entities inform anyone whom they have reason to believe was a victim of the breach.
In its breach notification rule, HHS set a prompt deadline for delivery of the breach notification letter. Covered entities must provide the letter without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The letter must be provided by first-class mail to affected individuals at their last known addresses.
HHS views providing notification as part of a patient’s rights. An affected individual has a right to be informed of breaches of unsecured protected health information so that the individual can take steps, if appropriate, to protect themselves from the consequences. Failure to provide the breach notification letter can itself subject an organization to HIPAA fines.
HIPAA Sample Breach Notification Letter: What’s In It?
The breach notification rule exhaustively describes what must be in a breach notification letter.
Breach notification letter requirements include:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the organization involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.
The notification may be provided in one or more mailings as additional information becomes available.
A sample breach notification letter can be found below.
Dear [Patient Name],
I am writing you with important information about a recent breach of your personal information from [Organization Name]. We became aware of this breach on [Discovery Date], which occurred on or about [Breach Date].
The breach occurred as follows:
- Description: [Briefly describe the breach]
- Type(s) of Protected Health Information: [What information was potentially compromised in the breach, e.g. patient name, address, Social Security number, etc.]
- Individual Steps: [What patients should do to protect themselves, e.g. credit monitoring]
- Mitigation: [What the organization is doing to investigate the breach and how they are preventing similar incidents from occurring in the future]
For more information, please contact [Compliance Officer Name] at [phone number, email address].
Breach Notification Letter: Does It Always Have to Be Sent?
The HHS-required breach notification letter is not always the first and only notification an individual is entitled to receive. In situations where a healthcare provider believes that providing the breach notification letter can cause a patient extreme anguish or distress, based on the patient’s mental condition or other circumstances, the provider has another option. Here, before sending the breach notification letter, the provider is permitted to call the individual to provide the notification over the phone. Alternatively, before providing the letter, the provider may ask an individual whom it believes may experience extreme anguish or distress, to come to the provider’s office to discuss the breach.
Before providing the breach notification letter, a provider may also call individuals to notify them of the breach when the provider believes urgent notification is required because of possible imminent misuse of unsecured PHI. In other words, if a provider has reason to believe that the compromised data may be imminently misused to harm the individual, the provider may notify the individual by phone, before sending the breach notification letter.
In some instances, the patient may be incapacitated or have another health condition that renders them legally incapable of understanding the contents of the notification. In such instances, the provider may send the breach notification letter to the patient’s personal representative.
There is one instance when sending a breach notification letter is not required. Suppose a patient has agreed to receive breach notification by email, and the individual has not withdrawn this consent. In that case, the provider may send the breach notification letter by email instead of first-class mail.