If your business or organization has experienced a HIPAA breach, one of the required responses is a HIPAA breach notification letter to the individuals affected by the breach.
The HIPAA Rule mandates that if the security or privacy of protected health information (PHI) has been compromised, a specific process must be followed for notifying affected individuals and the required regulatory entities. Even if your organization has not had a privacy breach, it is important to familiarize yourself with the requirements of a HIPAA breach notification letter and with the HIPAA breach disclosure requirements.
Develop your response plan before a breach occurs. Having a response plan at the ready will enable you to act fast if a breach is discovered. Failure to comply with the requirements can result in stiff financial penalties.
Composing the response letter
Blunders during the notification process happen too often. There have been several examples of organizations that experienced a HIPAA breach and then added to the "injury" with serious errors in the notification process.
Alive Hospice in Tennessee mailed breach notification letters bearing incorrect names. In 2017, Aetna settled a claim for $17 million after disclosing patients' HIV status through a clear envelope window. Ironically, those letters had been sent to notify patients of another security breach.
Organizations, especially smaller ones, do not usually have a dedicated employee to handle HIPAA issues. Checks and balances are therefore critical to ensuring that all the HIPAA requirements are followed.
Components of a HIPAA breach notification letter
- Description of the breach. This can be brief, but you need to include when and how it was discovered and how the data was compromised.
- Protected Health Information (PHI). Explain what PHI was compromised. This may include patient names, addresses, phone numbers, date of birth, Social Security number, account numbers, etc.
- Next steps. Tell the individuals what steps they need to take to protect themselves. Offer a monitoring service or other assistance.
- Correcting damage. Describe the steps you will take to avoid another breach and how you are mitigating the losses for your patients.
- Order a credit report. You can encourage patients to order copies of their credit reports and check them carefully. Free reports can be ordered from the three national credit bureaus.
- Monitor credit. Patients should continue to monitor their credit even after placing a fraud alert on their accounts.
- Fraud alert. Encourage your patients to place a fraud alert with the three national credit bureaus.
- Helpline. Give patients a way to ask questions and voice concerns. Include contact information or a toll-free number.
- Apologize. It is not required, but it is good practice to accept responsibility and let the affected individuals know that you are sorry.
- Keep the language simple. You want your letter to be easily understood by everyone who reads it. Aim for a sixth-grade or lower reading level.
Timing the notification letter
Individuals must be notified by first-class mail within 60 days of discovering the breach, unless the patient has authorized notification by email. If more than 500 persons are affected, the U.S. Department of Health and Human Services (HHS) must also be notified within 60 days of discovering the breach.
If the breach involves fewer than 500 individuals, HHS does not need to be notified until 60 days before the end of the year. Additionally, if the breach impacts more than 500 persons, the media must be notified within 60 days as well.
When drafting a HIPAA breach notification letter, be sure to cover all the requirements without opening yourself up to liability. Since mishaps do happen (laptops are lost, online data is hacked), you need to have a response plan ready in the event of any possible breach.