Breach Notification

HIPAA Breach Notification Deadline

Healthcare organizations that are the victim of breaches have an obligation to report these breaches. Breaches affecting more than 500 individuals must be reported within 60 days of discovery to the Department of Health and Human Services (HHS), affected individuals, and the media. Breaches affecting fewer than 500 individuals must be reported within 60 days of the end of the calendar year (March 1st) to the HHS and affected individuals.

What is Different About This Year’s Breach Notification Deadline?

The breach notification deadline is based on 60 days from the end of the calendar year. Since this year is a leap year, there is an extra day in February, making the breach notification deadline for 2020 February 29.

What Must Be Included in Breach Notification Letters?

Breach notification letters must be sent to affected individuals; there are specific components that are required to be included in these letters.

  • A brief description of the breach, including the date of the breach and the date of the discovery of the breach.
  • A description of the type of protected health information exposed in the breach.
  • Steps that affected individuals should take to protect themselves, such as credit monitoring.
  • A description of how the incident is being investigated.
  • Contact information should affected individuals have questions regarding the breach, including a toll-free number, email address, website, or postal address.

How Must Breach Notification Letters Be Written?

Breach notification letters must be written in plain language, at a reading level appropriate for the general public to understand. The letter should not include extra information that may be confusing to the recipient.

What is a Substitute Notice?

There are some instances in which there is insufficient contact information for some patients. When 10 or more patients cannot be contacted via mail or email, covered entities must provide a substitute individual notice.

This can be done by:

  • Posting the notice on their homepage for at least 90 days; or
  • Providing the notice in major print or broadcast media. However, when choosing this option, it is essential that the media source has sufficient circulation to ensure that affected individuals will see the notice.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.