HIPAA Breach Notice


This template HIPAA breach notice is for a group health plan subject to the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals about an unauthorized use or disclosure of the individuals' protected health information (PHI). This template includes practical guidance, drafting notes, and alternate and optional clauses. HIPAA establishes PHI breach notification rules for covered entities and their business associates. 45 C.F.R. § 164.400 to 164.414. For breaches involving fewer than 500 individuals, the covered entity must notify any affected individuals within 60 days of when the covered entity discovered the breach and must notify the Department of Health and Human Services (HHS) no later than 60 days after the end of the year. 45 C.F.R. § 164.408. For breaches involving 500 or more individuals, the covered entity must notify affected individuals, HHS, and the media without unreasonable delay and no later than 60 days after the breach discovery. 45 ...