HIPAA Breach Notification Letter

Most HIPAA compliant businesses understand that they must notify HHS of any breach that affects more than 500 patients to the HHS no later than 60 days after the breach occurs.

But how do you report small breaches of under 500 individuals? 

How to Draft a HIPAA Breach Notification Letter

HHS has another set of guidelines for these small breaches, which require organizations to submit a list of all breaches affecting fewer than 500 individuals within a jurisdiction no later than 60 days after the end of the calendar year.

Businesses should submit a log containing a notification of each incident to HHS here. 

Notices for each breach must include the following: 

  • The start and end dates of the breach;
  • The discovery dates of the breach;
  • Approximate number of individuals affected by the breach;
  • Type of breach (hacking/improper disposal/loss/theft/unauthorized access);
  • Location of breach (desktop computer/EMR/email/laptop/network server/paper);
  • Type of PHI involved (clinical/demographic/financial);
  • A brief description of the breach;
  • Safeguards in place prior to the breach;
  • Notice that you provided to affected individuals;
  • Actions taken in response to the breach.


Remember, organizations can submit notifications for small breaches at any time, and as they occur. 

However, be sure to do so within 60 days after the end of the last calendar year, otherwise this can become an additional HIPAA violation for your business. 

You can read more about HHS’s guidelines for breach notification here

Do you need help submitting HIPAA breaches to the HHS, or a HIPAA breach notification letter? Gazelle Consulting is here to help!

Give us a call at (503) 389-5666 today or email us at info@gazelleconsulting.org. We make HIPAA compliance feel like a walk through a grassy savanna.

Nav close