HIPAA Breach Notification Letter Requirements
What are the HIPAA Data Breach Notification Requirements?
The Breach Notification Rule is an unfortunately necessary component of the HIPAA patient privacy laws; it dictates the steps an organization must take if it experiences a HIPAA data breach. Notification must be sent to the Department of Health and Human Services, and a personal notification must go to each individual whose protected health information was or may have been exposed. The HIPAA breach notification requirements are specific and must be followed strictly in order to stay in compliance with federal law. A trusted, HIPAA compliant print and fulfillment partner like Spectra can help organizations with these notification letters.
What is considered a breach of HIPAA?
Under this important federal law, companies and nonprofits that collect, use, store, and communicate about the protected health information (PHI) of individuals are required to follow protocols that keep that information private. That means having designated, trained, and responsible agents within the organization who have exclusive access to the information while it is in the organization’s possession, plus data security measures in place to prevent the information from making its way outside the boundaries of approved access.
A HIPAA data breach occurs when something lowers those security measures and allows outside access to PHI, whether that access results from a malicious act or from an accident. Most commonly, a breach is not the result of hacking or an identity theft attempt, but rather of a failure to follow protocols on the part of one or more employees within the organization. When this occurs, the organization must send a HIPAA data breach notification.
HIPAA Breach Notification Letter To the Patient: Contents
In general, a HIPAA breach notification letter conveys to a patient that their PHI was left unprotected by appropriate data security measures, whether or not that information was ultimately obtained by unapproved agents. The specific contents of the letter will, of course, vary with the nature, extent, and severity of the breach. Federal law mandates that the letter include the following:
- A description of the breach, with as many specifics as possible: what happened, when the breach occurred, and when the organization became aware of the incident.
- The types of protected health information involved. PHI encompasses many different data points, and the letter should indicate which were specifically revealed in the breach. In some cases, this could be a Social Security number, DOB, or home address, or it could be medical information such as diagnoses and healthcare provider account numbers.
- Any steps the patient can take to mitigate possible damage from the data breach, presented with encouragement to follow them.
- Finally, the mitigation efforts that the healthcare organization itself is taking and plans to take in order to remediate the issue.
HIPAA Breach Notification Letter To the Patient: Optional Content
In addition to the HIPAA breach notification letter requirements, the law encourages organizations to include additional optional content as relevant to the individual breach event. This optional content is primarily concerned with credit reporting, and applies when the personally identifiable information revealed in the breach could potentially be used to commit fraud.
By providing guidance to patients on how to place a fraud alert, request a free credit report, and monitor their credit report on an ongoing basis in a HIPAA breach notification letter to a patient, organizations can help victims of data breaches ensure that they do everything possible to prevent identity theft and other types of fraud.
Additional Help With Breach Notification
Is your organization required to send a HIPAA breach notification letter to patients? Spectra can help! Our third-party print and fulfillment company is certified to provide HIPAA compliant services, including notifying patients about privacy breaches. Our direct mail campaigns prioritize security, accuracy, and affordability for our clients in the healthcare industry.