What Must be in a HIPAA Breach Notification Letter?

A HIPAA breach notification letter must be sent by covered entities to individuals affected by a data breach. The HIPAA Breach Notification Rule contains specific content requirements for the HIPAA breach notification letter.

How Must Covered Entities Provide a HIPAA Breach Notification Letter?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals following a breach of unsecured protected health information (PHI). The HIPAA breach notification letter must generally be provided by first-class mail. If an individual has previously agreed to receive the HIPAA breach notification letter electronically, the covered entity may provide the letter via email.

HIPAA Breach Notification Letter

The breach notification rule requires that all HIPAA breach notification letters to individuals be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach of unsecured protected health information.


What is “Substitute Notice”?

Sometimes, a covered entity may have insufficient patient contact information to provide a mailing or email. Other times, contact information may be out-of-date because a patient has moved and did not provide a forwarding address. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals affected by a breach of unsecured protected health information, the covered entity must provide the HIPAA breach notification letter by substitute individual notice. The covered entity may provide substitute individual notice in one of two ways. It may either choose to:

  • Post the notice on its homepage for at least 90 days; or
  • Provide the notice in major print or broadcast media where the affected individuals likely reside.
    • For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general-interest newspaper with a daily circulation throughout the entire state.
    • In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics) would not be viewed as a prominent media outlet. 
    • Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole state.

When providing substitute notice, the covered entity must also include, in the HIPAA breach notification letter, a toll-free phone number that remains active for at least 90 days, where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.

If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means. 

What are the Required Components of a HIPAA Breach Notification Letter?

The HIPAA breach notification letter, regardless of how it is sent, must have certain specific content. This content includes:

  1. A brief description of the breach. This description should include the date of the breach and the date of the discovery of the breach, if this information is known.  
  2. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach. 
    • The following language is typically used to satisfy this content requirement: “We are aware of how important your personal information is to you. If you choose, as a measure of added security, we are offering one year of credit monitoring and reporting services at no cost to you. This service is performed through an organization that watches for and reports to you unusual credit activity, such as creating new accounts in your name. This organization will also request that the three credit bureaus place a ‘Fraud Alert’ on your credit report.”
  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
  5. Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, or postal address.

Are There Any Other HIPAA Breach Notification Letter Content Requirements?

The HIPAA breach notification letter must be written in plain language. This means that the notice should be written at an appropriate reading level, using clear language and syntax, and not include any unnecessary material that might diminish the message the notice is trying to convey.
