How to Write a Breach Notification Letter (Sample Letter Included)


After a breach, one of your top priorities is to mail a breach notification letter to everyone whose protected health information (PHI) was compromised. But how do you write a HIPAA breach notification letter?

The Breach Notification Rule requires you to write your letters in plain language and include specific content. This post will describe the required and optional content of the letter. Read to the end to download a sample breach notification letter.

What Should Be Included in a Breach Notification Letter?

First, your letter must have the following elements:

  • Description of the breach. Briefly describe the circumstances of the breach. How did the breach happen? When? When was it discovered?
  • Type(s) of PHI compromised. Describe the types of PHI involved in the breach. This may include the patient’s full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information.
  • Steps the individual should take. Provide any steps the patient should take to protect themselves from potential harm resulting from the breach.
  • Mitigation efforts. Briefly describe what your organization is doing to investigate the breach, including how you will mitigate any harm to individuals and steps you will take to prevent another breach.

Optional Content

Your letter may also encourage patients to:

  • Place a fraud alert on their credit report. Patients can place a fraud alert by calling Equifax, Experian, or TransUnion. This can help prevent an identity thief from opening accounts under the patient’s name.
  • Order their credit report. By establishing a fraud alert, patients will receive a follow-up letter that will explain how to get a free copy of their credit report. Patients can use this report to look for signs of fraud.
  • Monitor their credit report. Even after placing a fraud alert on their account, patients should continue to monitor their credit report to make sure an imposter hasn’t opened an account with their personal information.

Finally, a breach notification letter should end with some form of apology and assurance that your organization is taking corrective steps. However, consult a lawyer before you issue an apology statement. You may also provide a toll-free number or other contact information that patients can use to voice their questions and concerns about the breach.

Sample Breach Notification Letter. Click to download your copy.

Tweet: A #breach notification letter to patients should 1) describe the breach and types of #PHI compromised, 2) provide steps patients should take to protect themselves, and 3) describe your efforts to mitigate the breach. #HIPAAbreach #breachmanagement @HIPAAtrek

Once you complete your letter, you must send it through first-class mail to every individual affected by the breach. Read more to learn the who, when, and how of breach notification.

Need a Little More Guidance?

Never lose track of where and when you sent your breach notification letters. In our cloud-based software, you can track the details of breaches, as well as breach notification and mitigation efforts.

Use HIPAAtrek’s Breach Notification Log to keep track of your breach mitigation and notification efforts.

Contact us to learn how HIPAAtrek can streamline your compliance with the Privacy, Security, and Breach Notification Rules of HIPAA.
