
HIPAA Breach Notification Templates

The required content for HIPAA breach notification letters to affected individuals, what must be included by law, and how the notification process works for breaches of different sizes.

Short answer

HIPAA's Breach Notification Rule (45 CFR §§164.400–414) requires covered entities to notify affected individuals, HHS, and in some cases prominent media outlets when unsecured PHI is breached. Individual notices must contain specific required elements — and missing any of them is a separate compliance failure. This guide covers required notice content, notification timelines, substitute notice rules, and the HHS reporting process.

The HIPAA Breach Notification Rule (45 CFR §§164.400–414) was added to HIPAA by the HITECH Act. It requires covered entities to provide notifications after discovering a breach of unsecured Protected Health Information — specifying who must be notified, what the notification must contain, and when it must be sent.

Failing to notify, or notifying with missing required elements, is a separate HIPAA violation on top of the underlying breach. The notification process itself carries its own compliance obligations.

What Triggers Notification Requirements

Notification is required when an impermissible use or disclosure of unsecured PHI constitutes a breach under HIPAA. An impermissible use or disclosure is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The assessment must weigh at least the four factors in 45 CFR §164.402: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

“Unsecured PHI” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance (which points to NIST SP 800-111 for encrypting data at rest and NIST SP 800-88 for media sanitization). PHI on a lost device that was encrypted in line with that guidance is not “unsecured,” so notification is not required, provided the decryption key or passcode was not also compromised. Verify that before relying on the exception: a laptop lost while powered on and unlocked, or a phone whose passcode the thief knew, is not protected by its encryption, and a device that was never confirmed to have encryption enabled should be treated as unsecured.

If the 4-factor risk assessment does not establish low probability of compromise, notification is required. Document the determination either way.

Notification to Affected Individuals

Timeline

Individual notification must be provided without unreasonable delay and in no case later than 60 calendar days after the date of discovery of the breach (45 CFR §164.404(b)). “Discovery” is the first day the covered entity knew, or by exercising reasonable diligence would have known, of the breach. It is not the date the investigation is complete. The 60 days are an outer limit, not a target: waiting out the full window without a reason is itself unreasonable delay.

A breach discovered on January 15 must be notified to individuals by March 16 (60 days later in a non-leap year; March 15 in a leap year), regardless of whether the investigation is finished. If the deadline arrives before the investigation is complete, send an initial notice with the information available and state that you will provide additional details as the investigation continues.

Method of Notification

Notice must be provided in writing by first-class mail to the individual’s last known address, or by email if the individual has agreed to electronic notice and has not withdrawn that agreement. For deceased individuals, written notice goes to the next of kin or personal representative when the covered entity knows the individual is deceased and has their address. Where possible imminent misuse of the PHI makes the situation urgent, the covered entity may also contact individuals by telephone or other means, in addition to the written notice, never instead of it (45 CFR §164.404(d)(3)).

If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, substitute notice is required (see below).

Required Content of Individual Notice (45 CFR §164.404(c))

The notification letter must include all of the following elements. Missing any element is a compliance failure:

1. A brief description of what happened. Include the date of the breach and the date of its discovery, if known.

2. A description of the types of unsecured PHI that were involved. Specify the categories of information — for example: name, address, date of birth, Social Security number, diagnosis codes, financial account information. Do not include the actual PHI in the notification letter.

3. Any steps individuals should take to protect themselves. If the breach involved Social Security numbers, recommend a fraud alert or credit freeze with the three credit bureaus and, if you are offering it, credit monitoring. If the breach involved financial account information, recommend reviewing account statements. If it involved insurance identifiers, recommend reviewing Explanation of Benefits statements for services not received. Tailor this section to the type of PHI involved.

4. A brief description of what the covered entity is doing. Describe the investigation, steps taken to mitigate harm to individuals, and protective measures put in place to prevent future breaches.

5. Contact procedures for individuals to ask questions or learn more, which must include a toll-free telephone number, an email address, a website, or a postal address. The rule attaches a 90-day minimum to the toll-free number used in substitute notice (§164.404(d)(2)(ii)); keeping the contact point for direct notice staffed for at least that long is the safe practice.

Sample Notification Letter Structure

The following illustrates the required elements in a compliant notification letter:


[Clinic Name]
[Address]
[Date]

Dear [Patient Name],

We are writing to inform you of a security incident that involved your Protected Health Information.

What Happened: On [date of breach], [brief description of what occurred]. We discovered the incident on [date of discovery].

What Information Was Involved: The following types of information may have been involved: [list the categories of PHI, not the specific values — e.g., “your name, date of birth, health insurance identification number, and diagnosis codes for care received on [date]”].

What You Should Do: We recommend that you [appropriate steps based on the type of PHI involved — e.g., “review your Explanation of Benefits statements from your health insurance company for any services you did not receive” or “place a fraud alert on your credit file by contacting one of the three major credit bureaus”].

What We Are Doing: [Description of steps the clinic is taking — investigation, remediation, safeguard improvements. Be specific about what has been done, not just general assurances.]

For More Information: If you have questions about this incident, please contact our Privacy Officer at [toll-free number / email / postal address]. This contact line will remain available until [date at least 90 days from notice date].

We apologize for this incident. If you have questions or concerns, please contact us using the information above.

Sincerely,
[Privacy Officer Name]
[Clinic Name]


Notification to HHS

Breaches Affecting 500 or More Individuals (45 CFR §164.408(b))

For breaches affecting 500 or more individuals, the covered entity must notify HHS contemporaneously with the individual notices — within the same 60-day window.

Notification is made through HHS’s online breach reporting portal, reachable from hhs.gov/hipaa. Every breach reported as affecting 500 or more individuals, regardless of how they are distributed across states, is posted on HHS’s public breach portal (informally, the “Wall of Shame”), which lists the covered entity, the number of individuals affected, the type of breach, and the location of the PHI. This is a significant reputational consequence in addition to the regulatory filing requirement.

Breaches Affecting Fewer Than 500 Individuals (45 CFR §164.408(c))

For breaches affecting fewer than 500 individuals, the covered entity must maintain a log of all such breaches and report them to HHS, through the same portal, no later than 60 days after the end of the calendar year in which they were discovered (45 CFR §164.408(c)). That is March 1 in most years, but February 29 when the reporting year is a leap year, so do not assume the deadline is always the first of March.

The March 1 annual report is the breach notification obligation most small clinics miss. The 60-day individual notification was completed, the breach felt resolved, and the HHS annual log slipped off the radar. Put March 1 on your compliance calendar as a hard deadline — not a reminder to check on it.

Notification to Prominent Media (45 CFR §164.406)

If a breach involves more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction (45 CFR §164.406(a)). Note the threshold differs from the HHS one: HHS must be notified contemporaneously for 500 or more individuals in total, while media notice is triggered by more than 500 residents of one state. This notification is required in addition to, not instead of, individual notification.

“Prominent media” typically means a statewide newspaper or television broadcaster, and a press release to such an outlet satisfies the requirement. The notification must be made without unreasonable delay and no later than 60 days after discovery, and must contain the same required elements as the individual notice.

Business Associate Breach Discovery

When a business associate discovers a breach of PHI it holds on behalf of a covered entity, the BA must:

  1. Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR §164.410)
  2. Provide the covered entity, to the extent possible, with the identity of each individual whose PHI was breached, and any other information the covered entity needs to prepare its notices, either at the time of the BA’s notice or promptly afterwards as it becomes available

When the business associate is acting as the covered entity’s agent (under the federal common law of agency, which turns on the degree of control the covered entity has over the BA’s work), the BA’s knowledge is imputed to the covered entity: the covered entity’s notification clock runs from the date the BA discovered the breach, not from the date the covered entity received the BA’s report. If an agent BA discovers a breach on January 1 and notifies the covered entity on January 30, the covered entity’s deadline is still 60 days from January 1 (March 2 in a non-leap year, March 1 in a leap year), not 60 days from January 30. If the BA is an independent contractor rather than an agent, the covered entity’s clock starts when it receives the BA’s notice. Your BAA should state which relationship applies, because the answer changes how much of the 60-day window you actually have.

Either way, a business associate that takes its time notifying you shrinks the window in which you can assess the incident and prepare the notices. Your BAA should require prompt notification, measured in days and well within the 60-day outer limit, and should obligate the BA to supply the affected individuals’ identities and the facts you need for the required notice elements.

Substitute Notice for Missing or Insufficient Addresses

If a covered entity has insufficient or out-of-date contact information for some affected individuals (no address on file, mail returned as undeliverable), it must provide substitute notice for those individuals (45 CFR §164.404(d)(2)). The form depends on how many people it cannot reach:

For fewer than 10 affected individuals with insufficient contact information: The covered entity may use an alternative form of written notice, a telephone call, or other reasonable means.

For 10 or more affected individuals with insufficient contact information: The covered entity must either post a conspicuous notice on the home page of its website for at least 90 days, or provide conspicuous notice through major print or broadcast media in the geographic areas where the affected individuals likely reside.

Substitute notice must include a toll-free number that remains active for at least 90 days.
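The rules above (the 60-day outer limit running from discovery, the agent-versus-contractor question for business associates, the 500-or-more threshold for contemporaneous HHS notice, the more-than-500-residents threshold for media notice, the annual log due 60 days after year end, and the 10-person threshold for substitute notice) compose into a small decision procedure. The following Python is an added worked example, not PHIGuard’s code and not anything the rule prescribes; the record fields (`BreachRecord`, `known_to_ba`, `ba_is_agent`, `residents_by_state`, `unreachable`) and the scenario in `main` are constructed for illustration. It computes outer limits only; “without unreasonable delay” still governs when you actually send.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Outer limits and thresholds from 45 CFR Part 164 Subpart D.
OUTER_LIMIT_DAYS = 60             # 164.404(b), 164.406(b), 164.408(b), 164.410(b)
HHS_IMMEDIATE_THRESHOLD = 500     # 164.408(b): "500 or more individuals"
MEDIA_THRESHOLD = 500             # 164.406(a): "more than 500 residents of a State"
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 164.404(d)(2): 10 or more unreachable


@dataclass
class BreachRecord:
    """Constructed input record; the field names are this example's, not the rule's."""
    known_to_ce: date                           # first day the CE knew or should have known
    individuals_affected: int
    residents_by_state: dict[str, int] = field(default_factory=dict)
    unreachable: int = 0                        # individuals with insufficient contact info
    known_to_ba: date | None = None             # day the BA discovered it, if a BA was involved
    ba_is_agent: bool = False                   # assumption: agent under federal common law of agency


@dataclass
class Obligations:
    discovery: date
    individual_notice_due: date
    substitute_notice: str
    hhs_notice: str
    hhs_due: date
    media_states: list[str]


def discovery_date(rec: BreachRecord) -> date:
    """164.404(a)(2): discovery is the first day the CE knew or should have known.
    An agent BA's knowledge is imputed to the CE, so the earlier BA discovery date
    starts the clock; an independent-contractor BA's knowledge is not imputed."""
    if rec.known_to_ba is not None and rec.ba_is_agent:
        return min(rec.known_to_ba, rec.known_to_ce)
    return rec.known_to_ce


def annual_log_due(year_discovered: int) -> date:
    """164.408(c): no later than 60 days after the end of the calendar year in which
    the breach was discovered. Date arithmetic gives March 1, or Feb 29 in a leap year."""
    return date(year_discovered, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def obligations(rec: BreachRecord) -> Obligations:
    d = discovery_date(rec)
    individual_due = d + timedelta(days=OUTER_LIMIT_DAYS)

    if rec.individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs, hhs_due = "contemporaneous with individual notice (164.408(b))", individual_due
    else:
        hhs, hhs_due = "annual log (164.408(c))", annual_log_due(d.year)

    # Media notice is decided per state: more than 500 residents of that state.
    media = sorted(s for s, n in rec.residents_by_state.items() if n > MEDIA_THRESHOLD)

    if rec.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        substitute = "website home page or major media for 90 days, toll-free number (164.404(d)(2)(ii))"
    elif rec.unreachable > 0:
        substitute = "alternative written notice, telephone, or other means (164.404(d)(2)(i))"
    else:
        substitute = "none"

    return Obligations(d, individual_due, substitute, hhs, hhs_due, media)


if __name__ == "__main__":
    # Constructed scenario: an agent BA discovers the breach on Jan 1 and tells the CE on Jan 30.
    rec = BreachRecord(known_to_ce=date(2025, 1, 30), individuals_affected=620,
                       residents_by_state={"CA": 510, "NV": 110}, unreachable=12,
                       known_to_ba=date(2025, 1, 1), ba_is_agent=True)
    o = obligations(rec)
    print(f"clock starts {o.discovery}; individual notice due {o.individual_notice_due}")
    print(f"HHS: {o.hhs_notice} by {o.hhs_due}; media notice in {o.media_states}")
    print(f"substitute notice: {o.substitute_notice}")
```

Flip `ba_is_agent` to `False` in the scenario and the clock moves to January 30, which is exactly the distinction a BAA should settle in advance. The NV count of 110 triggers no media notice even though the breach as a whole exceeds 500, while CA at 510 does.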

Documentation Requirements

All breach notification activities must be documented and retained for six years (45 CFR §164.530(j)). Retention matters because the covered entity carries the burden of proof: under §164.414(b) it must be able to demonstrate that all required notifications were made, or that the use or disclosure did not constitute a breach. Keep at least:

  • The 4-factor risk assessment and breach determination memo
  • Copies of individual notification letters with the date of mailing
  • Documentation of HHS notification (screenshot of submission confirmation or portal reference number)
  • Documentation of media notification (if applicable)
  • The annual breach log submitted to HHS each March 1

What PHIGuard Changes

PHIGuard’s incident management module tracks the breach determination through the risk assessment and feeds directly into the notification process — generating the notification letter template with the required elements pre-populated from the incident record, tracking the 60-day notification deadline from the date of discovery, and creating the March 1 HHS annual report filing as a recurring calendar task.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.
