In the event of a breach, Covered Entities (CEs) are responsible for providing notice to the affected individuals. If a breach occurs at or by a Business Associate (BA), the CE is ultimately responsible for ensuring individuals are notified, but the CE can also delegate this responsibility to the BA. Depending on the circumstances, including which organization has the relationships in place, the CE and BA can determine which entity is best equipped to provide the appropriate notice.
Manner of Providing Notice
CEs are required to provide notice to affected individuals in the following ways:
- Written form by first-class mail, or by email if the individual in question has agreed to receive such notices electronically.
- If the CE does not have access to sufficient or recent contact information for 10 or more affected individuals, it is required to provide another form of notice by either posting it on its website’s main page for at least 90 days or providing the notice in major print or broadcast media where the individuals probably live.
- The CE must also include a toll-free number for at least 90 days for individuals to call in order to learn if their information was involved in the breach.
- If there are less than 10 individuals with insufficient or out-of-date contact information, the CE may provide substitute notice by an alternative form of written notice, by telephone, or other means.
Sample Breach Notification Letter
Dear [Patient Name],
I am writing you with important information about a recent breach of your personal information from [Organization Name]. We became aware of this breach on [Discovery Date], which occurred on or about [Breach Date].
The breach occurred as follow:
- Description: [Briefly describe the breach]
- Type(s) of Protected Health Information: [What information was potentially compromised in the breach, i.e. patient name, address, Social Security number, etc.]
- Individual Steps: [What patients should do to protect themselves, i.e. credit monitoring]
- Mitigation: [What the organization is doing to investigate the breach and how they are preventing similar incidents from occurring in the future]
For more information please contact [Compliance Officer Name] at [phone number, email address].