
How to notify affected individuals of a breach

Healthcare organizations must notify individuals of a breach of unsecured protected health information (PHI) without unreasonable delay and no later than 60 calendar days after discovery, primarily by written notice sent by first-class mail. Electronic notice is allowed when the individual has agreed to receive notices electronically and the channel is secure. Unsecured channels such as ordinary text messages, personal email accounts, and social media are not acceptable. Notifications should be written in plain language, describe the breach and the PHI involved, advise protective actions, and keep a respectful tone.


Notification requirements

Under the HIPAA Breach Notification Rule, covered entities must notify individuals if their protected health information (PHI) has been compromised. According to the HHS, "a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." Definitive Healthcare also found that "as of the end of February 2024, the number of healthcare data breaches for the year was already nearly 100."

Under the rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can demonstrate a low probability that the PHI has been compromised. Healthcare organizations must therefore conduct and document a risk assessment that considers at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If the assessment cannot support a low-probability finding, individual notification is required.

Read more: What are the HIPAA breach notification requirements


Timing of notifications

Healthcare organizations must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known to the organization, or would have been known had it exercised reasonable diligence, so the clock does not wait for the investigation to finish. The only permitted extension is a documented request from a law enforcement official stating that notification would impede a criminal investigation or damage national security. Early notification lets individuals protect themselves from potential harm; delays undermine patient trust and can lead to regulatory penalties.


Permitted methods of communication

  • Written notice: The HHS states that "covered entities must provide this individual notice in written form by first-class mail to the individual's last known address." Mailing to the address on record ensures delivery to the right person and maintains confidentiality.
  • Electronic notice: Healthcare organizations may send electronic notifications if the individual has agreed to receive notices electronically. They must document that agreement and send notifications through secure, HIPAA compliant email (or, where the individual has agreed, a secure messaging platform) to safeguard PHI.
  • Substitute notice: If contact information for ten or more affected individuals is insufficient or out of date, the organization must provide substitute notice, either a conspicuous posting on its website home page for 90 days or notice in major print or broadcast media, and must include a toll-free number that is active for at least 90 days. If fewer than ten individuals are affected, an alternative written, telephone, or other form of notice may be used.

HIPAA does not allow unsecured methods such as regular text messages, personal email accounts, or social media direct messages, because of the heightened risk of unauthorized access and because they are not among the forms of notice the rule lists. Faxing is not a listed method and is discouraged unless the organization can ensure secure transmission and delivery to the intended recipient, since a fax can be misdialed or read by anyone at the receiving machine.

Related: What happens if an email is not encrypted?


Crafting the notification

  • Clarity and conciseness: Notifications must be written in plain, non-technical language that explains what happened and what it means for the individual. Being transparent about what information was compromised helps individuals understand the severity of the incident.
  • Specificity: State the date of the breach and the date of discovery (if known), and describe the types of unsecured PHI involved (e.g., names, Social Security numbers, dates of birth, diagnoses). This information assists individuals in assessing their risk and taking appropriate actions.
  • Actionable steps: Offer practical guidance on how individuals can protect themselves from potential harm, such as monitoring credit reports or placing fraud alerts, and describe what the organization is doing to investigate, mitigate harm, and prevent recurrence. Include contact procedures for questions, which must include a toll-free telephone number, an email address, website, or postal address.
  • Respectful tone: Acknowledge the seriousness of the breach and apologize for the harm and inconvenience caused. Maintaining professionalism throughout the communication demonstrates empathy and reinforces trust.

Additional considerations

Provide breach notifications in the languages spoken by the patient population so that every affected individual can understand the notice and act on it. This practice supports compliance with language-access obligations and demonstrates respect for cultural and linguistic diversity within the patient community. Healthcare organizations should maintain a list of the languages commonly spoken by their patients and have access to translation services or bilingual staff so that translated notices are accurate and sent within the same deadline.

Notifications must be accessible to individuals with disabilities to ensure equal access to information. Use larger font sizes and plain language in written notices to enhance readability. For electronic notices, ensure compatibility with screen readers and other assistive technologies commonly used by individuals with visual impairments or other disabilities. Providing alternative formats upon request, such as Braille or audio recordings, further enhances accessibility and compliance with accessibility standards.


FAQs

Can healthcare organizations notify individuals of a breach via social media or public forums?

No. HIPAA does not permit using social media or public forums to notify individuals of a breach. Healthcare organizations should send notifications securely via first-class mail or secure electronic communication the individual has agreed to. The one public posting the rule does allow is substitute notice on the organization's own website home page, and only when contact information for ten or more individuals is insufficient or out of date.


What should healthcare organizations do if they discover a breach involving the PHI of deceased individuals?

HIPAA breach notification requirements apply to the PHI of deceased individuals. If the healthcare organization has the address of the next of kin or personal representative of the deceased person, it should send the notice to that person using the same notification methods as for living individuals.


What should I do if I discover a breach involving PHI stored on a lost or stolen device?

First determine whether the PHI on the device was encrypted in a way that meets HHS guidance (for example, full-disk encryption consistent with NIST recommendations) and whether the decryption key or passcode was also exposed. If the data was encrypted and the key was not compromised, the PHI is not considered unsecured and breach notification is not required, although the incident should still be documented. If the PHI was unencrypted, or the key was stored with the device, the organization must conduct the risk assessment described above, and notification to affected individuals is typically required.
