After a breach, one of your top priorities is to mail a breach notification letter to everyone whose protected health information (PHI) was compromised. But how do you write a HIPAA breach notification letter?
The Breach Notification Rule requires you to write your letters in plain language and include specific content. This post will describe the required and optional content of the letter. At the end, you’ll find a downloadable sample breach notification letter.
What Should be Included in a Breach Notification Letter?
First, your letter must have the following elements:
- Description of the breach. Briefly describe the circumstances of the breach. How did the breach happen? When? When was it discovered?
- Type(s) of PHI compromised. Describe the types of PHI involved in the breach. This may include the patient’s full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information.
- Steps the individual should take. Provide any steps the patient should take to protect themselves from potential harm resulting from the breach.
- Mitigation efforts. Briefly describe what your organization is doing to investigate the breach, including how you will mitigate any harm to individuals and steps you will take to prevent another breach.
Your letter may also encourage patients to:
- Place a fraud alert on their credit report. Patients can place a fraud alert by calling Equifax, Experian, or TransUnion. This can help prevent an identity thief from opening accounts under the patient’s name.
- Order their credit report. By establishing a fraud alert, patients will receive a follow-up letter that will explain how to get a free copy of their credit report. Patients can use this report to look for signs of fraud.
- Monitor their credit report. Even after placing a fraud alert on their account, patients should continue to monitor their credit report to make sure an imposter hasn’t opened an account with their personal information.
Finally, a breach notification letter should end with some form of apology and assurance that your organization is taking corrective steps. However, consult with a lawyer before you issue an apology statement. You may also provide a toll-free number or other contact information that patients can use to voice their questions and concerns about the breach.
Once you complete your letter, you must send it through first-class mail to every individual affected by the breach. Read more to learn the who, when, and how of breach notification.