HIPAA Breach Notice
(Individual)


Summary

This template HIPAA breach notice is for a group health plan subject to the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals about an unauthorized use or disclosure of the individuals' protected health information (PHI). This template includes practical guidance, drafting notes, and alternate and optional clauses.

HIPAA establishes PHI breach notification rules for covered entities and their business associates. 45 C.F.R. §§ 164.400 to 164.414. For breaches involving fewer than 500 individuals, the covered entity must notify the affected individuals within 60 days of discovering the breach and must notify the Department of Health and Human Services (HHS) no later than 60 days after the end of the year. 45 C.F.R. § 164.408. For breaches involving 500 or more individuals, the covered entity must notify the affected individuals, HHS, and the media without unreasonable delay and no later than 60 days after discovering the breach. 45 C.F.R. § 164.406. The notice may be delivered by a service provider on behalf of the plan, but the plan (as the HIPAA covered entity) remains responsible for compliance.

For extensive coverage of important topics in the healthcare industry, see Healthcare Fundamentals Resource Kit. For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit. For more on health information privacy and security, see Health Information Privacy and Security Resource Kit. For a full listing of related data breach notification content, see Data Breach Notification Resource Kit. For more information about the HIPAA breach notification rule, including a list of steps for determining whether the HIPAA breach notification rules are triggered, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules — What Does the HIPAA Breach Notification Rule Require? and the following agency resources: HHS, Breach Notification Rule; HHS, October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures; HHS, Factsheet: Ransomware and HIPAA; and HHS, My Entity Experienced a Cyber-Attack: What Do We Do Now? For a letter to notify the media of a breach, see HIPAA Breach Notice (Media).