Q&A: Elements of a breach notification letter

September 24, 2020
Medicare Web

Q: What are the most important elements to include in the breach notification letter?

A: Individual notices must be provided without unreasonable delay, no later than 60 days following the discovery of a breach.

To the extent possible, the notice must include:

  • A brief description of the breach
  • A description of the types of information that were involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the CE is doing to investigate the breach, mitigate the harm, and prevent further breaches
  • Contact information for the CE (or business associate, as applicable)

Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.
