DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses when a HIPAA breach notification letter must be provided, how the letter is to be provided, and also discusses breach notification letter content requirements.
When Must a Covered Entity Send a Breach Notification Letter to Individuals?
In general, if a covered entity has determined that an incident constitutes a breach of unsecured PHI, the covered entity must send a breach notification letter to individuals affected by the breach.
How Must an Individual Breach Notification Letter be Provided?
Under the HIPAA Breach Notification Rule, following a breach of unsecured protected health information (PHI), covered entities must provide notification of the breach to affected individuals. The HIPAA breach notification letter must generally be provided by first-class mail. If, however, an individual has previously agreed to receive the HIPAA breach notification letter electronically, the organization may provide the letter via email.
The Breach Notification Rule requires that HIPAA breach notification letters to individuals be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach of unsecured protected health information.
What is “Substitute Notice”?
Sometimes, a covered entity may have insufficient patient contact information to provide the notification discussed above, or may have contact information that is out of date because a patient has moved and did not provide a forwarding address.
Substitute Notice: 10 or More Individuals
If a covered entity has insufficient or out-of-date contact information for 10 or more individuals affected by a breach of unsecured protected health information, the organization must provide the HIPAA breach notification letter by substitute individual notice.
Substitute individual notice may be made by the organization in one of two ways. The organization may choose to either:
- Post the notice on its homepage for at least 90 days; or
- Provide the notice in major print or broadcast media where the affected individuals likely reside.
  - For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general-interest newspaper with a daily circulation throughout the entire state.
  - In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics), would not be viewed as a prominent media outlet.
  - Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole state.
When providing substitute notice, the organization must also include in the HIPAA breach notification letter a toll-free phone number that remains active for at least 90 days, where an individual can learn whether the individual’s unsecured protected health information may have been included in the breach.
Substitute Notice: Fewer Than 10 Individuals
If the organization has insufficient or out-of-date contact information for fewer than 10 individuals, the organization may provide substitute notice by an alternative form of written notice, by telephone, or other means.
What Must a Breach Notification Letter Include?
The HIPAA breach notification letter, regardless of how it is sent, must have certain specific content. This content includes:
- A brief description of the breach. This description should include the date of the breach and the date of the discovery of the breach, if this information is known.
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, or postal address.
Are There Any Other HIPAA Breach Notification Letter Requirements?
The HIPAA breach notification letter must be written in plain language. This means that the notice should be written at an appropriate reading level, using clear language, and not include any unnecessary material that might diminish the message the notice is trying to convey.