HIPAA Breach Notification Template

Q: What is the deadline for sending breach notification letters?

For breaches affecting 500 or more individuals, notification to affected individuals must be provided without unreasonable delay and no later than 60 calendar days after discovery of the breach, per 45 CFR § 164.404(b). For breaches affecting fewer than 500 individuals in a calendar year, the covered entity may delay notification until it has compiled the annual log and report, but must notify no later than 60 days after the end of the calendar year. Many covered entities notify as soon as reasonably possible regardless of size, which is the recommended approach.

Q: What format is required? Does it have to be a mailed letter?

For breach notification, written notice by first-class mail to the last known address of the individual is the standard method under 45 CFR § 164.404(d). Electronic notice is permitted if the individual has agreed to receive electronic notice. If the covered entity has insufficient contact information for an individual (returned mail, no valid address), substitute notice procedures apply — including web posting for 90 days and toll-free number if more than 10 individuals are unreachable.

Q: Should we have legal counsel review the notification letter before sending?

For breaches affecting a significant number of individuals, legal review before sending is strongly recommended. This template provides the regulatory framework and required elements, but the specific facts of your breach, the characterization of the types of PHI involved, and the description of protective steps must be tailored to your situation. Inaccurate or incomplete notification letters can create additional liability. For small breaches affecting a handful of individuals, a Privacy Officer review against this template may be sufficient.

Q: Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Q: Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.

A breach notification letter template with all required elements under 45 CFR § 164.404(c): breach description, types of PHI involved, steps individuals should take, what the covered entity is doing, and contact information. Includes a checklist for 500+ vs. <500 individual notification paths and guidance on media notification under 45 CFR § 164.406.

Short answer

A complete breach notification letter template satisfying 45 CFR § 164.404(c): all required content elements, guidance notes for each section, a 500/under-500 notification path checklist, media notification guidance under 45 CFR § 164.406, and HHS online reporting instructions.

What is inside

Pre-structured letter with all five required content elements per 45 CFR § 164.404(c): breach description and date, types of PHI involved, protective steps individuals should take, covered entity's investigation and mitigation actions, and contact information for questions
Guidance notes for every paragraph explaining what must be included, what must be avoided (PHI in the letter itself, speculative statements about misuse), and what language has worked in prior HHS-reviewed notifications
Notification path checklist: different obligations apply when a breach affects fewer than 500 individuals vs. 500 or more — the checklist walks through each path including timing, method, and HHS portal submission
Media notification guidance for breaches affecting more than 500 residents of a single state or jurisdiction under 45 CFR § 164.406, including timing requirements and how to identify the right media outlets
HHS online reporting guidance: the breach portal submission requirements, the information HHS requires, and the 60-day deadline for breaches of any size (or 30 days for business associate-reported breaches)

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

45 CFR § 164.404 — Notification to Individuals | eCFR
45 CFR § 164.406 — Notification to the Media | eCFR
Breach Notification Rule | HHS

Download the PDF

A ready-to-send breach notification letter that satisfies HHS requirements

Enter your email and we will send the PDF.

Questions

What is the deadline for sending breach notification letters?

For breaches affecting 500 or more individuals, notification to affected individuals must be provided without unreasonable delay and no later than 60 calendar days after discovery of the breach, per 45 CFR § 164.404(b). For breaches affecting fewer than 500 individuals in a calendar year, the covered entity may delay notification until it has compiled the annual log and report, but must notify no later than 60 days after the end of the calendar year. Many covered entities notify as soon as reasonably possible regardless of size, which is the recommended approach.

What format is required? Does it have to be a mailed letter?

For breach notification, written notice by first-class mail to the last known address of the individual is the standard method under 45 CFR § 164.404(d). Electronic notice is permitted if the individual has agreed to receive electronic notice. If the covered entity has insufficient contact information for an individual (returned mail, no valid address), substitute notice procedures apply — including web posting for 90 days and toll-free number if more than 10 individuals are unreachable.

Should we have legal counsel review the notification letter before sending?

For breaches affecting a significant number of individuals, legal review before sending is strongly recommended. This template provides the regulatory framework and required elements, but the specific facts of your breach, the characterization of the types of PHI involved, and the description of protective steps must be tailored to your situation. Inaccurate or incomplete notification letters can create additional liability. For small breaches affecting a handful of individuals, a Privacy Officer review against this template may be sufficient.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.