Sample HIPAA Breach Notification Letter: What To Include

Melissa Whetzel

This is a letter no healthcare organization wants to send. But remember — breaches of protected health information (PHI) can still occur despite the best safeguards. When it happens, it is much easier to have a sample HIPAA breach notification letter on hand, rather than trying to create one in the moment.

This blog post offers a quick overview of the requirements as well as tips for crafting a clear, informative, and compliant breach notification letter. If you want to skip right to the sample HIPAA breach notification letter, here’s a link to both a ready-to-use HIPAA Breach Notification Policy and sample letter to patients.

Whether you are preparing for a potential incident or responding to a current breach, these insights will help you navigate the complexities of HIPAA breach notifications with confidence.

What Is a HIPAA Breach Notification Letter?

A HIPAA breach notification letter is a formal communication sent by a healthcare organization or its business associates to individuals whose protected health information (PHI) has been compromised due to a security incident or breach. The purpose of the letter is to inform affected individuals about the nature and extent of the breach, what specific information was involved, and what actions are being taken to address the situation, and to provide contact information for further questions.

What Constitutes a Breach That Requires Notification?

Covered entities and business associates must provide notification to affected individuals if the breach involves unsecured protected health information, as defined in guidance from HHS. A risk assessment should be conducted to determine the probability that the PHI has been compromised. If there is a low probability of compromise, notification may not be required. There are a number of exceptions to the notification requirement, so healthcare organizations should review these carefully on a case-by-case basis.

Notification Requirements At-A-Glance

  • Notification of individuals: A written HIPAA breach notification letter must be sent to affected individuals without unreasonable delay and no later than 60 days after the breach has been discovered.
  • Notification of HHS Secretary: The HHS online breach report form should be used to report the breach. If the breach impacted more than 500 individuals, the form should be filled out within 60 days of discovery. If the breach impacted fewer than 500 individuals, the breach should be reported no later than 60 days after the end of the calendar year in which the breach occurred.
  • Notification of media: This is only required for breaches that impact more than 500 individuals within one state.

Essential Elements Included in the Sample HIPAA Breach Notification Letter

The goal of the HIPAA breach notification letter is to demonstrate transparency, maintain trust, and help affected individuals take appropriate actions to protect themselves from potential adverse effects. The following five items must be included:

  • Description of the Breach: A brief description of what happened, including the date of the breach and the date of its discovery.
  • Types of Information Involved: Information about the types of PHI that were involved in the breach, such as names, addresses, birth dates, Social Security numbers, medical records, etc.
  • Steps Covered Entity Has Taken: Details about what the healthcare organization is doing to investigate the breach, mitigate harm, and protect against future breaches.
  • Protective Measures for Individuals: Recommendations for individuals on how to protect themselves from potential harm, such as monitoring their credit reports or enrolling in identity theft protection services.
  • Contact Information: Contact details for a representative who can provide additional information and answer questions, typically a toll-free number or a dedicated email address.
Download a free and ready-to-use HIPAA Breach Notification Policy.

Streamline Your Organization’s HIPAA Breach Prevention and Response

HIPAA Training

HIPAA training is required for all healthcare employees, but don’t just stop there. Assign microlearning courses throughout the year to keep HIPAA policies and protections top of mind. Review your post-course assessment data to see if there are specific areas of HIPAA regulations where employees score lower and offer additional training in those areas. Be sure to include training on your organization’s policies and procedures related to breach prevention and response. Using a healthcare-specific learning management system (LMS) makes all of these training tactics much easier to implement.

Effective Policy Management

Policies are a great way to keep your organization’s processes and expectations top of mind. A HIPAA breach notification policy is required and should include specifics on who must adhere to the policy, what is required of employees, notification requirements, how to report, and more. Download a ready-to-use HIPAA Breach Notification Policy. Using a full-cycle healthcare policy management platform, you can create or upload the policy, secure board approval (if needed), track versions, get employee acknowledgements and digital signatures, and store it for easy access in case of a breach.

Collaborate With Knowledgeable Partners

As you’re selecting vendors, such as an LMS or policy management solution, look for organizations that specialize in healthcare and share their expertise with customers. Then you’re getting more than just a software company: you’re getting a trusted partner.

Looking for a trusted healthcare compliance partner? Consider MedTrainer’s all-in-one compliance platform.