Breach Notification

HIPAA Breach Notification Deadline

breach notificationHealthcare organizations that are the victim of breaches have an obligation to report these breaches. Breaches affecting more than 500 individuals must be reported within 60 days of discovery to the Department of Health and Human Services (HHS), affected individuals, and the media. Breaches affecting less than 500 individuals must be reported within 60 days of the calendar year (March 1st) to the HHS and affected individuals.

What is Different About This Year’s Breach Notification Deadline?

The breach notification deadline is based on 60 days from the end of the calendar. Since this year is a leap year, there is an extra day in February, making the breach notification deadline for 2020 February 29.

What Must Be Included in Breach Notification Letters?

Breach notification letters must be sent to affected individuals; there are specific components that are required to be included in these letters.

  • A brief description of the breach, including the date of the breach and the date of the discovery of the breach.
  • A description of the type of protected health information exposed in the breach.
  • Steps that affected individuals should take to protect themselves, such as credit monitoring.
  • A description of how the incident is being investigated.
  • Contact information should affected individuals have questions regarding the breach, including a toll-free number, email address, website, or postal address.

How Must Breach Notification Letters Be Written?

Breach notification letters must be written in plain language, at a reading level appropriate for the general public to understand. The letter should not include extra information that may be confusing to the recipient.  

What is a Substitute Notice?

There are some instances in which there is insufficient contact information for some patients. When 10 or more patients cannot be contacted via mail or email, covered entities must provide a substitute individual notice.

This can be done by:

  • Posting the notice on their homepage for at least 90 days; or
  • Providing the notice in a major print or broadcast media. However, when choosing this option, it is essential that the media source has sufficient circulation to ensure that affected individuals will see the notice.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

Your TBHI Professional Training Options

TBHI specializes in teaching you how to relax when delivering telehealth.  It offers you a step-by-step learning path of online training that helps you be legally and ethically compliant, clinically proficient, and able to handle even the most difficult of clinical scenarios. Take advantage of COVID discount pricing to learn how to sit back and enjoy your telehealth experiences, rather than struggling with ZOOM fatigue and clinical uncertainty. All courses are evidence-based, available 24/7 through any device and most count toward legal and ethical requirements for licensure. Two micro certifications are also available.

    1. Telehealth Group Therapy  — Exciting, highly interactive telehealth learning experience designed to get answers to your questions about legally and ethically managing telehealth group therapy. Digital class will allow you to connect with colleagues ahead of time to ask questions and share answers. Distinguished faculty will lead you through telehealth group therapy theory and exercises.
    2. Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues.
    3. Course Catalog
    4. Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other areas.


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.

Rate this post!

(4 raters, 20 scores, average: 5.00 out of 5)

Leave a Reply

Name and email are required. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.