Sample Breach Notification Letter

Under HIPAA, when a breach of unsecured PHI takes place, the covered entity that sustains the breach must notify affected individuals of the breach. Notification must be provided through a breach notification letter. The content requirements and a HIPAA sample breach notification letter are discussed below.

Patient Notification in Breach Notification Letters

Prior to 2009, many breaches of unsecured PHI went unreported, both to the media and to breach victims. Individuals whose personal data or PHI had been compromised often discovered the breach only after their credit had been damaged or their identity had been stolen. In 2009, the Department of Health and Human Services (HHS) issued the HIPAA Breach Notification Rule. This regulation requires covered entities to notify “affected individuals” of a breach of their unsecured PHI or electronic protected health information (ePHI) by letter.


An “affected individual” is someone whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach. This lawyer-speak definition acts as a hedge: when a HIPAA-covered entity sustains a breach, it may not know precisely how many (or which) patients’ information was compromised. The provider must often undertake a forensic investigation to determine precisely what happened and whose information was affected. The full details of breaches that involve phishing, ransomware attacks, or other cyberattacks may only come to light after forensic examination, in some cases taking weeks or even months. Therefore, the law requires HIPAA-covered entities to notify anyone they have reason to believe was a victim of the breach, not only those whose exposure has already been confirmed.

In its breach notification rule, HHS set a prompt deadline for delivery of the breach notification letter. Covered entities must provide the letter without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The letter must be sent by first-class mail to affected individuals at their last known addresses.

HHS views notification as part of a patient’s rights. An affected individual has a right to be informed of breaches of unsecured protected health information so that the individual can, where appropriate, take steps to protect themselves from the consequences. Failure to provide the breach notification letter can by itself subject an organization to HIPAA fines.


HIPAA Sample Breach Notification Letter: What’s In It?

The breach notification rule exhaustively describes what must be in a breach notification letter.

Breach notification letter requirements include:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the organization involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.

The notification may be provided in one or more mailings as additional information becomes available.

A sample breach notification letter can be found below.

Dear [Patient Name],

I am writing you with important information about a recent breach of your personal information from [Organization Name]. We became aware of this breach on [Discovery Date], which occurred on or about [Breach Date].

The breach occurred as follows:

  • Description: [Briefly describe the breach]
  • Type(s) of Protected Health Information: