Sample HIPAA Breach Notification Letter: What To Include

Melissa Whetzel

This is a letter no healthcare organization wants to send. But remember — breaches of protected health information (PHI) can still occur despite the best safeguards. When it happens, it is much easier to have a sample HIPAA breach notification letter on hand, rather than trying to create one in the moment.

This blog post offers a quick overview of the requirements as well as tips for crafting a clear, informative, and compliant breach notification letter. If you want to skip right to the sample HIPAA breach notification letter, here’s a link to both a ready-to-use HIPAA Breach Notification Policy and sample letter to patients.

Whether you are preparing for a potential incident or responding to a current breach, these insights will help you navigate the complexities of HIPAA breach notifications with confidence.

What Is a HIPAA Breach Notification Letter?

A HIPAA breach notification letter is a formal communication sent by a healthcare organization or its business associates to individuals whose protected health information (PHI) has been compromised due to a security incident or breach. The purpose of the letter is to inform affected individuals about the nature and extent of the breach, what specific information was involved, what actions are being taken to address the situation, and provide contact information.

What Constitutes a Breach That Requires Notification?

Covered entities and business associates must provide notification to affected individuals if the breach involves unsecured protected health information, as defined in guidance from HSS . A risk assessment should be conducted to determine the probability that the PHI has been compromised. If there is low probability, notification may not be required. There are a number of exceptions to the notification requirement, so healthcare organizations should review these carefully on a case-by-case basis.

Notification Requirements At-A-Glance

Notification of individuals: A written HIPAA breach notification letter must be sent to affected individuals without unreasonable delay and no later than 60 days after the breach has been discovered.
Notification of HHS Secretary:This online form should be used to report the breach . If the breach impacted more than 500 individuals, the form should be filled out within 60 days. If the breach impacted less than 500 individuals, the breach should be reported no later than 60 days after the end of the calendar year in which the breach occurred.
Notification of media: This is only required for breaches that impact more than 500 individuals within one state.

Essential Elements Included in the Sample HIPAA Breach Notification Letter

The goal of the HIPAA breach notification letter is to demonstrate transparency, maintain trust, and help affected individuals take appropriate actions to protect themselves from potential adverse effects. The following five items must be included:

Description of the Breach : A brief description of what happened, including the date of the breach and the date of its discovery.
Types of Information Involved : Information about the types of PHI that were involved in the breach, such as names, addresses, birth dates, Social Security numbers, medical records, etc.
Steps Covered Entity Has Taken : Details about what the healthcare organization is doing to investigate the breach, mitigate harm, and protect against future breaches.
Protective Measures for Individuals : Recommendations for individuals on how to protect themselves from potential harm, such as monitoring their credit reports or enrolling in identity theft protection services.
Contact Information : Contact details for a representative who can provide additional information and answer questions, typically a toll-free number or a dedicated email address.