The basic elements of a HIPAA compliant breach notification

Under HIPAA, covered entities must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases, the media, of any breach involving unsecured protected health information (PHI). Notification must occur without unreasonable delay, no later than 60 days after discovery. The notification should include a description of the breach, the types of information involved, steps individuals can take to protect themselves, the steps taken by the entity to investigate and mitigate harm, and contact information for further inquiries.

Related: HIPAA Compliant Email: The Definitive Guide

The elements of a HIPAA compliant breach notification

1. Brief description of the breach: A HIPAA compliant breach notification should provide affected individuals with a concise but informative description of the incident. This description offers context for understanding the nature and potential implications of the breach. For example, if a hacker gained unauthorized access to a healthcare provider's database containing patient records, the notification should outline how the breach occurred and its scope.
2. Description of the types of information involved: In the event of a breach, specify the types of PHI that were compromised. Whether it includes names, addresses, medical records, social security numbers, or other sensitive data, this information helps individuals gauge the extent of their vulnerability. Understanding precisely what information is at risk allows patients to take appropriate actions to safeguard their privacy.
3. Steps for individual protection: Guide affected individuals on how to protect themselves from potential harm resulting from the breach. This may include advice on monitoring financial accounts, being vigilant for phishing attempts, or taking other preventive measures. Providing patients with knowledge about potential risks and proactive steps to mitigate them can reduce the breach's impact.
4. Description of investigation and mitigation: The notification should outline the actions taken by the covered entity to investigate the breach. Additionally, it should highlight the measures put in place to mitigate the harm caused by the breach and prevent similar incidents in the future. 
5. Contact information for the covered entity: The notification must provide contact information for the covered entity or a business associate to address any questions or concerns individuals may have regarding the breach to foster transparency and accessibility. Being responsive to patient inquiries helps build trust and demonstrates the organization's commitment to resolving the issue.

Related: What is the HIPAA breach notification rule?

Timeline of the breach notification

According to the HHS, "If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.". Prompt action minimizes the impact of the breach on affected individuals and enables them to take necessary precautions promptly.

Failure to meet the 60-day deadline can have consequences for covered entities, like penalties being imposed, and their reputation may suffer, leading to a loss of trust among patients and partners. Additionally, delayed notification may hinder affected individuals from taking timely actions to protect themselves, potentially exacerbating the harm caused by the breach.

Related: Understand HIPAA violations and breaches

FAQs

Can a covered entity use email to send breach notifications?

Yes, covered entities may use email to notify individuals about a breach if they have obtained prior consent from the patient to communicate via email, and the message must be encrypted if PHI is included.

Can breach notifications include marketing materials or offers?

No, breach notifications must strictly provide information about the breach and necessary protective actions. Including marketing content would not only be inappropriate but could also violate HIPAA's marketing rules.

How long does a covered entity need to keep documentation of breach notifications?

Covered entities must retain documentation of breach notifications and the associated investigation for a minimum of six years, in compliance with HIPAA's recordkeeping requirements.