
The HIPAA Breach Notification Rule Deadline Approaching (3/1/22)


February 15, 2022 | Reading Time: 2 Minutes


An important HIPAA deadline is coming up that behavioral health professionals must be aware of: the HIPAA Breach Notification Rule deadline. Hopefully, you have already reported any larger breaches that affected 500 or more patients. However, if your practice was breached and the incident involved fewer than 500 patients, now is the time to report it.

There are several types of incidents that are considered reportable breaches. Reportable breaches include:

  • Hacking incidents
  • Unauthorized access or disclosure of protected health information (PHI)
  • Theft or loss of paper records or films
  • Theft or loss of an unencrypted device with access to electronic PHI
  • Improper disposal of medical records

When is the HIPAA Breach Notification Rule Deadline?

The HIPAA Breach Notification Rule dictates specific reporting deadlines for incidents involving unsecured PHI. The deadline to report breaches that affected fewer than 500 patients in 2021 is March 1, 2022. It is essential to keep track of all minor breaches within your practice throughout the calendar year so that breach reporting is timely, including breaches that affected just one patient. By contrast, breaches that affected 500 or more patients should already have been reported within 60 days of discovery.

HIPAA Breach Notification Form

A form is completed on the HHS website to submit a breach notice to the Department of Health and Human Services (HHS). The HIPAA Breach Notification Form asks reporting entities to input information into several tabs, including general, contact, breach, a notice of breach and actions taken, attestation, and summary. Each tab on the HIPAA Breach Notification Form asks a series of questions, including whether you are a covered entity or business associate, how many patients were affected by the breach, when the breach occurred, what type of breach occurred, etc. (for a complete list of the questions asked when reporting a PHI breach, please visit the HHS website).

Sample Breach Notification Letter

The March 1st deadline applies to reporting minor breaches to the HHS. However, the requirements for notifying patients are stricter. Regardless of the size of the breach, breach notification letters must be mailed to affected patients within 60 days of discovery. If ten or more patients could not be reached by mail, a substitute breach notice must also be made available for 90 days on the organization’s website.
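The deadlines described above are easy to get wrong when a practice logs several small incidents over a year, so the following added example (not part of the original article or of Compliancy Group's materials) turns the rule as stated here into a small deadline calculator. It assumes the annual small-breach deadline generalizes as 60 days after the end of the calendar year of discovery, which is what yields March 1, 2022 for breaches discovered in 2021; the function and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and windows as stated in the article (hypothetical example code).
LARGE_BREACH_THRESHOLD = 500   # 500 or more patients: HHS notice within 60 days of discovery
NOTICE_WINDOW_DAYS = 60        # patient letters (any size) and large-breach HHS notice
YEAR_END_WINDOW_DAYS = 60      # small breaches: reported within 60 days after the calendar year ends
SUBSTITUTE_NOTICE_MIN = 10     # ten or more patients unreachable by mail: substitute web notice
SUBSTITUTE_NOTICE_DAYS = 90    # substitute notice stays on the website for 90 days


@dataclass
class BreachDeadlines:
    patient_letters_due: date      # last day to mail individual notification letters
    hhs_report_due: date           # last day to submit the HHS breach notification form
    substitute_notice_days: int    # 90 if a website substitute notice is required, else 0


def breach_deadlines(discovered: date, affected: int, unreachable_by_mail: int = 0) -> BreachDeadlines:
    """Compute notification deadlines for one incident from its discovery date."""
    patient_due = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if affected >= LARGE_BREACH_THRESHOLD:
        # Large breach: HHS must be notified on the same 60-day clock as patients.
        hhs_due = patient_due
    else:
        # Small breach: logged and reported within 60 days after the year of discovery ends
        # (December 31, 2021 + 60 days = March 1, 2022).
        hhs_due = date(discovered.year, 12, 31) + timedelta(days=YEAR_END_WINDOW_DAYS)
    substitute = SUBSTITUTE_NOTICE_DAYS if unreachable_by_mail >= SUBSTITUTE_NOTICE_MIN else 0
    return BreachDeadlines(patient_due, hhs_due, substitute)


def overdue_items(deadlines: BreachDeadlines, today: date) -> list:
    """Return the names of notification steps whose deadline has already passed."""
    late = []
    if today > deadlines.patient_letters_due:
        late.append("patient_letters")
    if today > deadlines.hhs_report_due:
        late.append("hhs_report")
    return late


if __name__ == "__main__":
    # Constructed sample: a lost unencrypted laptop affecting 12 patients, found on Aug 10, 2021.
    d = breach_deadlines(date(2021, 8, 10), affected=12, unreachable_by_mail=3)
    print(d)                                  # HHS form due 2022-03-01, letters due 2021-10-09
    print(overdue_items(d, date(2022, 2, 15)))  # ['patient_letters'] if letters were never sent
```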

The HHS dictates specific information that must be included in patients’ breach notification letters:

  • A brief description of the breach
  • A description of the types of information involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
  • Contact information for the covered entity

Below is a sample breach notification letter.

Dear [Patient Name],

I am writing to you with important information about a recent breach of your personal information at [Organization Name]. We became aware of this breach on [Discovery Date]; it occurred on or about [Breach Date].

The breach occurred as follows:

  • Description: [Briefly describe the breach]
  • Type(s) of Protected Health Information: [What information was potentially compromised in the breach, e.g., patient name, address, Social Security number, etc.]
  • Individual Steps: [What patients should do to protect themselves, e.g., credit monitoring]
  • Mitigation: [What the organization is doing to investigate the breach and how they are preventing similar incidents from occurring in the future]

Please contact [Compliance Officer Name] for more information at [phone number, email address].

This Article is Contributed by Compliancy Group

