A HIPAA breach notification letter must be sent by organizations to individuals affected by a data breach. The HIPAA Breach Notification Rule contains specific content requirements for the HIPAA breach notification letter.
Who Must be Notified of a Breach?
Depending on how many patients are affected by a breach, there are different requirements for who must be notified.
- Breaches affecting fewer than 500 patients. These breaches must be reported to the Department of Health and Human Services and to the affected patients.
- Breaches affecting 500 or more patients. These breaches must be reported to the Department of Health and Human Services, to the affected patients, and to local media outlets.
How to Provide a HIPAA Breach Notification Letter
Under the HIPAA Breach Notification Rule, an organization must notify affected individuals following a breach of unsecured protected health information (PHI). The HIPAA breach notification letter must generally be provided by first-class mail. If an individual has previously agreed to receive the HIPAA breach notification letter electronically, the organization may provide it via email.
The breach notification rule requires that all HIPAA breach notification letters to individuals be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach of unsecured protected health information.
What is “Substitute Notice”?
Sometimes an organization has insufficient patient contact information to send a letter or email. At other times, contact information may be out of date because a patient has moved without providing a forwarding address. If the organization has insufficient or out-of-date contact information for 10 or more individuals affected by a breach of unsecured protected health information, the organization must provide the HIPAA breach notification letter by substitute individual notice.
Substitute individual notice may be made by the organization in one of two ways. The organization may choose either to:
- Post the notice on its homepage for at least 90 days; or
- Provide the notice in major print or broadcast media where the affected individuals likely reside.
  - For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general-interest newspaper with a daily circulation throughout the entire state.
  - In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics), would not be viewed as a prominent media outlet.
  - Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole state.
When providing substitute notice, the organization must also include in the HIPAA breach notification letter a toll-free phone number that remains active for at least 90 days, through which an individual can learn whether their unsecured protected health information may be included in the breach.
If the organization has insufficient or out-of-date contact information for fewer than 10 individuals, the organization may provide substitute notice by an alternative form of written notice, by telephone, or other means.
What Must a Breach Notification Letter Include?
The HIPAA breach notification letter, regardless of how it is sent, must have certain specific content. This content includes:
- A brief description of the breach. This description should include the date of the breach and the date of the discovery of the breach, if this information is known.
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  - The following language is typically used to satisfy this content requirement: “We are aware of how important your personal information is to you. If you choose, as a measure of added security, we are offering one year of credit monitoring and reporting services at no cost to you. This service is performed through an organization that watches for and reports to you unusual credit activity, such as creating new accounts in your name. This organization will also request that the three credit bureaus place a ‘Fraud Alert’ on your credit report.”
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, or postal address.
Are There Any Other HIPAA Breach Notification Letter Requirements?
The HIPAA breach notification letter must be written in plain language. This means the notice should be written at an appropriate reading level, use clear language and syntax, and omit any unnecessary material that might dilute the message the notice is trying to convey.