How to Notify Patients After a Data Breach: HIPAA Requirements, Timelines, and Template


Kevin Henry

Data Breaches

May 19, 2026

8-minute read

Definition of Breach

A breach is an acquisition, access, use, or disclosure of Protected Health Information (PHI) that the HIPAA Privacy Rule does not permit and that compromises the security or privacy of the PHI. The rule presumes a breach unless you document, through a formal risk assessment, a low probability that the PHI has been compromised.

HIPAA’s risk assessment weighs four factors: (1) the nature and extent of PHI involved, including sensitivity and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. You must record this analysis as part of your compliance documentation.

Three narrow exceptions apply: unintentional good-faith access by a workforce member within scope of authority; inadvertent disclosure between authorized persons within the same organization; and disclosures where you reasonably believe the recipient could not retain the information. If PHI is secured—encrypted or destroyed so it is unusable, unreadable, or indecipherable—then it is not Unsecured PHI and the breach notification requirements do not apply.

Discovery triggers timelines. A breach is “discovered” on the first day it is known—or would have been known with reasonable diligence—by the covered entity or business associate. From that date, your breach notification timelines start.

Individual Notification Requirements

You must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery. Send written notice by first-class mail to the last known address, or by email if the individual agreed to electronic delivery. Notices must be written in plain language and tailored to what happened.

Required content

  • A brief description of what happened, including the date of the breach and date of discovery, if known.
  • The types of Unsecured PHI involved (for example, names, diagnoses, medications, Social Security numbers).
  • Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
  • What you are doing to investigate, mitigate harm, and prevent further impermissible disclosure.
  • Contact methods for questions: a toll-free number, email, web page, or postal address.

Substitute notice

If you lack or have out-of-date contact information for fewer than 10 individuals, use an alternative form of written notice, telephone, or other means. If 10 or more are unreachable, post a conspicuous substitute notice on your home page or provide notice in major print or broadcast media in the affected area for at least 90 days, and include a toll-free number active for at least 90 days.

Method and cadence

Provide notices as information becomes available; do not wait for full forensic completion if you can supply the required elements. If a law enforcement official determines that notice would impede an investigation or threaten national security, you must delay notice for the time specified (or up to 30 days on an oral statement, pending written confirmation).

Patient Notification Letter Template

[Covered Entity Name]
[Mailing Address]
[City, State ZIP]
[Date]

Re: Notice of Data Breach Involving Your Protected Health Information

Dear [Name of Patient],

What Happened
On [date of discovery], we learned of a data security incident that occurred on [date or date range] involving your Protected Health Information (PHI).

What Information Was Involved
Based on our investigation, the information may have included [list types of PHI, e.g., name, date of birth, medical record number, diagnosis, treatment information, health insurance information, Social Security number (if applicable)]. Not all data elements were involved for every individual.

What We Are Doing
We immediately [describe investigation and containment]. We have implemented additional safeguards and training to prevent a recurrence. We have also notified appropriate authorities as required.

What You Can Do
We recommend that you [steps for individuals, e.g., monitor Explanation of Benefits, place a fraud alert or security freeze, review credit reports]. We are offering [credit monitoring/identity protection] at no cost to you for [duration], which you can enroll in using the instructions enclosed.

For More Information
If you have questions, please contact us at [toll-free number available at least 90 days], [email], or [postal address]. Our office hours are [hours/time zone].

We regret any concern this incident may cause and appreciate your trust in our care.

Sincerely,
[Name/Title]
[Covered Entity Name]

Media Notification Requirements

If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This media notice typically takes the form of a press release and must include the same core elements as individual notices and a way for affected individuals to obtain assistance.

Media notice is in addition to, not a substitute for, direct patient notification. If substitute notice is also required for unreachable patients, you must perform both. Coordinate messaging to ensure accuracy and avoid conflicting statements.

Notification to the Secretary

Breaches affecting 500 or more individuals: notify the Secretary of Health and Human Services without unreasonable delay and no later than 60 calendar days from discovery. Submit through the designated breach reporting channel and retain confirmation.

Breaches affecting fewer than 500 individuals: log each incident and report them in aggregate to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered. Your submission must include details such as the number of individuals affected, type and location of breach, dates, and mitigation steps.
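To make the thresholds and clocks in the sections above concrete, here is an added Python example (not code from this article or from Accountable) that turns a discovery date, per-state headcounts and an unreachable count into the notification duties that apply and the outer deadlines for each. The Incident fields, the function names and the sample counts are assumptions constructed for this example; treating an allowed law-enforcement delay as extending each outer deadline by the delay period is a modelling assumption for the example, not a statement of the rule. It goes slightly beyond the text by computing the year-end aggregate deadline as a calendar date, which lands on 1 March or, when the following February has 29 days, on 29 February.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as stated in the article.
OUTER_LIMIT_DAYS = 60          # "no later than 60 calendar days after discovery"
MEDIA_THRESHOLD = 500          # media notice: more than 500 residents of one state/jurisdiction
SECRETARY_THRESHOLD = 500      # Secretary notice within 60 days: 500 or more individuals
SUBSTITUTE_WEB_THRESHOLD = 10  # web/media substitute notice: 10 or more unreachable
ORAL_DELAY_CAP_DAYS = 30       # law-enforcement oral request, pending written confirmation
SUBSTITUTE_NOTICE_DAYS = 90    # substitute posting and toll-free line active at least 90 days


@dataclass
class Incident:
    """Inputs the breach-response team records; field names are this example's own."""
    discovered: date                  # first day known, or knowable with reasonable diligence
    phi_secured: bool                 # encrypted/destroyed -> not "Unsecured PHI"
    low_probability_documented: bool  # four-factor risk assessment found low probability of compromise
    affected_by_state: dict           # e.g. {"CA": 620, "NV": 40}; constructed sample values
    unreachable: int                  # individuals with missing or out-of-date contact information
    le_delay_days: int = 0            # delay requested by law enforcement, if any
    le_delay_written: bool = False    # whether that request was made in writing


def apply_law_enforcement_delay(days: int, written: bool) -> int:
    """An oral request justifies at most 30 days of delay until written confirmation arrives."""
    if days <= 0:
        return 0
    return days if written else min(days, ORAL_DELAY_CAP_DAYS)


def annual_log_deadline(discovered: date) -> date:
    """Sub-500 breaches are reported in aggregate within 60 days after the calendar year ends."""
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def notification_plan(inc: Incident) -> dict:
    """Return the notification duties and outer deadlines that follow from the incident facts."""
    total = sum(inc.affected_by_state.values())
    plan = {"notification_required": True, "total_affected": total}

    # Secured PHI, or a documented low-probability finding: the notice duties do not apply,
    # but the risk assessment itself must be kept with the compliance documentation.
    if inc.phi_secured or inc.low_probability_documented:
        plan["notification_required"] = False
        plan["reason"] = "secured PHI" if inc.phi_secured else "documented low probability of compromise"
        plan["retain_risk_assessment"] = True
        return plan

    # Modelling assumption for this example: an allowed law-enforcement delay pushes
    # each outer deadline out by the delay period.
    delay = apply_law_enforcement_delay(inc.le_delay_days, inc.le_delay_written)
    outer = inc.discovered + timedelta(days=OUTER_LIMIT_DAYS + delay)
    plan["law_enforcement_delay_days"] = delay
    plan["individual_notice_deadline"] = outer

    # Substitute notice depends only on how many individuals cannot be reached.
    if inc.unreachable == 0:
        plan["substitute_notice"] = "none"
    elif inc.unreachable < SUBSTITUTE_WEB_THRESHOLD:
        plan["substitute_notice"] = "alternative written notice, telephone, or other means"
    else:
        plan["substitute_notice"] = (
            f"conspicuous home-page posting or major media notice for {SUBSTITUTE_NOTICE_DAYS} days, "
            f"plus a toll-free number active for {SUBSTITUTE_NOTICE_DAYS} days")

    # Media notice is evaluated per state/jurisdiction, not on the total.
    plan["media_notice_states"] = sorted(
        s for s, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD)
    plan["media_notice_deadline"] = outer if plan["media_notice_states"] else None

    # Secretary notice: immediate clock for 500+, otherwise the year-end aggregate log.
    if total >= SECRETARY_THRESHOLD:
        plan["secretary_notice"] = "within 60 days of discovery"
        plan["secretary_deadline"] = outer
    else:
        plan["secretary_notice"] = "log and report in aggregate after calendar year end"
        plan["secretary_deadline"] = annual_log_deadline(inc.discovered)
    return plan


if __name__ == "__main__":
    # Constructed sample incident, not a real event.
    sample = Incident(date(2026, 5, 19), False, False, {"CA": 620, "NV": 40}, 12, 45, False)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

The per-state check for media notice and the total-based check for the Secretary are deliberately separate: a breach of 660 people split across two states can trigger a Secretary report on the total while triggering a media notice in only one of them.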


Business Associate Notification

Business associates must notify the covered entity of a breach of Unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. Many Business Associate Agreements (BAAs) set shorter contractual deadlines; meet the shorter timeline if applicable.

Business associate obligations include identifying each affected individual, describing the nature and extent of the PHI involved, and providing any other information the covered entity will need to meet patient, media, and Secretary notification duties. If some details are not immediately available, the business associate must provide them as a supplement as soon as possible.

Administrative Requirements

Covered entity responsibilities include establishing written policies and procedures for breach response; training your workforce to identify, escalate, and document incidents; applying appropriate sanctions for violations; and implementing technical and physical safeguards to reduce risk. Maintain a clear decision tree for classifying and escalating potential impermissible disclosures.

Document and track breach notification timelines. “Without unreasonable delay” means move promptly; the 60-day outer limit is not permission to wait. Use rolling notifications when practicable. If law enforcement requests a delay, keep the written statement (or document the oral request and the 30-day limit) in your incident file.

Align HIPAA requirements with state breach statutes, contractual obligations, and cyber insurance conditions. Where multiple rules apply, follow the most stringent timeline and content standard while ensuring consistency across all notices and stakeholder communications.

Documentation Requirements

  • Risk assessment worksheets supporting any “low probability of compromise” conclusion.
  • Copies of individual notices, media releases, substitute website postings, call scripts, and FAQs.
  • Mailing proofs, email logs, bounce reports, and hotline/toll-free number records (retain at least 90 days for substitute notice lines).
  • Breach logs for incidents affecting fewer than 500 individuals and submissions to the Secretary for all reportable events.
  • Business Associate communications, including dates of discovery, data elements involved, and subsequent supplements.
  • Policies, procedures, workforce training records, sanctions, and evidence of safeguards and remediation.
  • Retention: keep all compliance documentation for at least six years from the date created or last in effect.

Conclusion

HIPAA’s breach rule centers on fast, plain-language communication, accurate facts, and thorough records. By confirming whether Unsecured PHI was involved, acting within the 60-day window, coordinating with business associates, and preserving complete compliance documentation, you meet legal duties and help patients protect themselves.

FAQs

What information must be included in a patient notification after a breach?

Your letter must explain what happened (including breach and discovery dates, if known), what types of PHI were involved, steps patients should take, what you are doing to investigate and mitigate, and how to contact you (toll-free number, email, web page, or address). Write in plain language.

When must patients be notified following a data breach?

Notify patients without unreasonable delay and no later than 60 calendar days after discovery. Begin rolling notifications as soon as you can provide the required elements instead of waiting for every detail.

What are the media notification requirements for large breaches?

If more than 500 residents of a state or jurisdiction are affected, issue a media notice to prominent outlets serving that area without unreasonable delay and within 60 days. This is in addition to direct patient notification.

How do business associates notify covered entities of breaches?

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, identify affected individuals if possible, describe the PHI involved, and supply additional information promptly as it becomes available, consistent with their business associate obligations and any stricter BAA deadlines.
