This document is provided for educational and informational purposes and is not intended to provide, nor does it constitute, legal advice.

Instructions for Completing the Sample Breach Notification Template

The attached sample Breach Notification Template is intended to be used to assist in drafting notices required under the HIPAA HITECH Act Breach Notification Rules. The following are instructions for completing the sample Breach Notification Template. It is important to note that the facts and circumstances surrounding any given breach are unique. As a result, the sample Breach Notification Template requires significant customization to the facts of the specific breach. Each numbered instruction below corresponds to a highlighted and numbered section in the Breach Notification Template. Please note that the examples and sample language provided below are intended to be examples only, and not intended to be an exhaustive list of potential descriptors.

1. Patient name: For breaches involving multiple patients who will each receive the same notice, it is appropriate to insert the word "Patient."

2. Description of the incident: Appropriate descriptors of the incident could include "access to," "use of," "disclosure of," "loss of" or "theft of."

3. Summary statement of the overall purpose for the notice: The purpose of this section is to generally inform the recipient of the purpose of the letter. The following are examples of statements that can be inserted depending on the facts: "Although we are not aware of any misuse of your information, we are notifying you to advise you of the incident and steps you can take to protect your information from misuse." In the event that there is evidence of a misuse of the information or potential for misuse, the following may be inserted: "We are notifying you of this incident to inform you of the incident, and describe steps we are taking in response, so that you are able to take prompt action to help protect your information from misuse."

4. Date of the breach: If the incident involves a range of dates, then describe the range (e.g., "between and "). If the exact date is not known, indicate that an estimated date is being provided.

5. Summary description of the incident: Insert a brief statement describing the incident (e.g., a fax containing PHI was inadvertently sent to the wrong number, or a laptop computer containing PHI was stolen).

6. Description of the types of PHI that were involved in the incident: List the types of identifiers and PHI that were involved (e.g., whether name, Social Security Number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved). PHI should be described in terms of categories only - do NOT insert any actual PHI.

7. Discovery Date: A breach is considered to be discovered on the first day that the breach is known, or by exercising reasonable diligence would have been known, to any person who is either a Workforce Member or agent of the Covered Entity, other than the person who committed the breach. For breaches discovered by Business Associates: In the event that a breach occurs to a Business Associate, the Covered Entity is deemed to have "discovered" the breach on the date it is notified of the breach by the Business Associate, UNLESS the Business Associate is an agent of the Covered Entity (under principles of federal common law of agency). If a Business Associate is an "agent" of the Covered Entity, the Business Associate's knowledge of the breach is imputed onto the Covered Entity on the date the Business Associate discovered the breach.

8. Law enforcement-requested delay in notification: In the event that law enforcement requested that notification be delayed, insert the following: "At the request of law enforcement, it was necessary to delay providing you with notification because notification would have impeded a criminal investigation or caused damage to national security."

9. Incident reported to law enforcement: In the event that the incident involved a potential crime and was reported to law enforcement, insert the following: "The incident was reported to law enforcement upon discovery, and together with law enforcement, we began investigating the matter."

10. Summary of conclusions of the investigation or initial investigation: Insert a statement summarizing the conclusions of the internal investigation. For example, insert the findings of a completed investigation or the initial findings of the investigation if it is not completed and will be ongoing (e.g., "although the information was inadvertently [insert appropriate descriptor (e.g., accessed, used or disclosed)], we do not believe it was further used or disclosed for inappropriate purposes" or "our initial investigation found."). If the investigation is ongoing, see also Instruction 11.

11. Summary regarding ongoing investigation: In the event that the investigation is ongoing, insert a summary statement as follows: "The investigation is ongoing and we will provide [you or insert the word "public" here if the breach involves multiple individuals and notice of updated information will be provided in a general, public manner (e.g., via website)] notice if we learn of any inappropriate use of the health information involved in this incident."

12. Mitigation actions: Insert description of mitigation steps (e.g., cooperation with law enforcement, sanctions of employees, implementation of additional security measures, revision of policies and procedures, training of employees or other Workforce Members). Consider whether the following optional mitigation action should be taken: "Part of our commitment to protecting our patients' information means taking an abundance of caution in the event an incident like this occurs. To that end, we will cover the cost for you to receive months of credit report monitoring [or identity theft insurance]. To obtain this service, [insert details re: this offer]."

13. Steps to prevent reoccurrence of the incident: Insert any actions taken from an operational perspective to prevent further similar breaches. These actions may overlap with the mitigation actions, but both types of actions need to be addressed.

14. Notification to others: For breaches involving 500 or more individuals insert the following: "We will also report this incident to the United States Department of Health and Human Services, Office for Civil Rights." Note that there may be other state reporting obligations. As a result, the contents of the notification letter may need to be customized to address other states' security breach notification laws.

15. Description of steps for affected patients to take to protect themselves: The steps described in this section are common steps to be taken in the event that a breach potentially creates a risk of identity theft. Depending on the nature of the breach at issue, the provisions in this section may need to be included. There may be other steps that should be taken depending on the nature of the breach. As a result, this section should be customized.

16. Contact procedures: The contact procedures to be inserted will depend on the nature of the breach. For breaches affecting large numbers of patients, it is possible that a third-party call center may be engaged to handle questions. For breaches affecting a small number of patients, the Privacy Officer may be inserted as the primary contact. It is important to emphasize that the contact procedures must include EITHER a toll-free number, e-mail address, website or postal address. The following are examples of potential contact procedures: "If you have further questions or concerns, please contact our Privacy Officer at [insert telephone number]." "We have established a toll-free number and an e-mail address to contact us with questions and concerns about this incident. You may also call the Privacy Compliance Department toll-free at [insert telephone number] during normal business hours or e-mail us at [insert e-mail address]. We have also established a section on our website, [insert website address], with information on the incident and its investigation."


[insert date]

[insert patient name and address, unless breach involves multiple patients who will each receive the same notice]

Dear [insert patient name (Instruction 1)]:

We are writing to inform you of a recent incident involving [insert appropriate descriptor (Instruction 2)] your personal health information at [insert Covered Entity or Business Associate Name]. [Insert summary purpose of the notice (Instruction 3)].

Description Of The Incident And Information Involved

On [insert date (Instruction 4)], [insert a brief description of the incident, including a summary statement of what happened (Instruction 5)]. [Insert a description of the types of PHI that were involved in the incident (Instruction 6)]. We became aware of this incident on [insert discovery date (Instruction 7)]. [In the event of a law enforcement delay in notification, see Instruction 8].

Our Investigation And How We Are Responding To The Incident

We take the protection of the privacy and security of your personal health information very seriously. Upon discovery of this incident, we initiated an internal investigation. [If the incident was reported to law enforcement, see Instruction 9]. We have concluded from our internal investigation that [insert brief statement of conclusions (Instruction 10)]. [In the event that the investigation is ongoing, see Instruction 11]. In response to this incident, we have taken the following actions [insert mitigation actions (Instruction 12)]. In addition, to help prevent an incident like this from happening in the future, we have taken the following actions [insert preventive actions (Instruction 13)]. [If a breach involves 500 or more individuals or residents, see Instruction 14].

What Steps You Can Take To Protect Yourself

[See Instruction 15.] Although we are not aware of any misuse of your personal health information, we advise you to remain vigilant and consider taking the following steps.

Call the toll-free numbers of any of the three major credit bureaus (below) to place a fraud alert on your credit report. This can help prevent an identity thief from opening accounts in your name. You only need to contact one of the credit bureaus. As soon as that credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place alerts on your credit report, and all three reports will be sent to you free of charge.

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241.
Experian: 1-888-EXPERIAN (1-888-397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013.
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790.

Review your credit reports. By establishing a fraud alert, the credit bureaus will send you a free credit report. When you receive a credit report, you should examine it closely and look for signs of fraud, such as credit accounts that are not yours.

Continue to monitor your credit reports and other accounts. Even though a fraud alert has been placed on your credit report, you should continue to monitor your credit reports to ensure an imposter has not opened an account with your personal information. You should also closely monitor your financial and other account statements, and if you notice any unauthorized activity, promptly contact the creditor.

Contact law enforcement if you find suspicious activity. If you find suspicious activity on your credit reports or other account information, contact your local police department and file a report of identity theft. Keep copies of such reports for your records, as you may need to give them to creditors.

Other resources. For more information about steps you can take to avoid identity theft, you may contact the Federal Trade Commission, by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington DC, 20580, via the Internet at www.ftc.gov/idtheft or by phone at 1-877-ID-THEFT (1-877-438-4338).

We deeply regret that this incident has occurred and apologize for the concern that this incident has caused you. [Insert contact procedures for affected patients to ask follow-up questions (Instruction 16)].

Sincerely,