How to Write a Breach Notification Letter


After a breach, one of your top priorities is to mail a breach notification letter to everyone whose protected health information (PHI) was compromised. But how do you write a HIPAA breach notification letter?

The Breach Notification Rule requires you to write your letters in plain language and include specific content. This post will describe the required and optional content of the letter. Read to the end to download a sample breach notification letter.

What Should be Included in a Breach Notification Letter?

First, your letter must have the following elements:

  • Description of the breach. Briefly describe the circumstances of the breach. How did the breach happen? When? When was it discovered?
  • Type(s) of PHI compromised. Describe the types of PHI involved in the breach. This may include the patient’s full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information.
  • Steps the individual should take. Provide any steps the patient should take to protect themselves from potential harm resulting from the breach.
  • Mitigation efforts. Briefly describe what your organization is doing to investigate the breach, including how you will mitigate any harm to individuals and steps you will take to prevent another breach.
Graphic of documents, a calculator, a pen, glasses, and a phone, with a magnifying glass on top

Optional Content

Your letter may also encourage patients to:

  • Place a fraud alert on their credit report. Patients can place a fraud alert by calling Equifax, Experian, or TransUnion. This can help prevent an identity thief from opening accounts under the patient’s name.
  • Order their credit report. By establishing a fraud alert, patients will receive a follow-up letter that will explain how to get a free copy of their credit report. Patients can use this report to look for signs of fraud.
  • Monitor their credit report. Even after placing a fraud alert on their account, patients should continue to monitor their credit report to make sure an imposter hasn’t opened an account with their personal information.

Finally, a breach notification letter should end with some form of apology and assurance that your organization is taking corrective steps. However, consult a lawyer before you issue an apology statement. You may also provide a toll-free number or other contact information that patients can use to voice their questions and concerns about the breach.

Once you complete your letter, you must send it through first-class mail to every individual affected by the breach. Read more to learn the who, when, and how of breach notification.

Check out our Breach Notification Letter Template!

Our free template makes it easy to create a compliant breach notification letter.

Breach Notification Letter Template

Need a Little More Guidance?

Never lose track of where and when you sent your breach notification letters. In our cloud-based software, you can track the details of breaches, as well as breach notification and mitigation efforts.

Contact us to learn how HIPAAtrek can streamline your compliance with the Privacy, Security, and Breach Notification Rules of HIPAA.

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like