Gazelle Consulting

HIPAA Breach Notification Letter

Most HIPAA-compliant businesses understand that they must notify HHS of any breach that affects more than 500 patients no later than 60 days after the breach occurs.

But how do you report small breaches of under 500 individuals? 

How to Draft a HIPAA Breach Notification Letter

HHS has another set of guidelines for these small breaches, which require organizations to submit a list of all breaches affecting fewer than 500 individuals within a jurisdiction no later than 60 days after the end of the calendar year.

Businesses should submit a log containing a notification of each incident to HHS here. 

Notices for each breach must include the following: 

  • The start and end dates of the breach;
  • The discovery dates of the breach;
  • Approximate number of individuals affected by the breach;
  • Type of breach (Hacking/improper disposal/loss/theft/unauthorized access);
  • Location of breach (Desktop computer/EMR/email/laptop/network server/paper);
  • Type of PHI involved (Clinical/demographic/financial);
  • A brief description of the breach;
  • Safeguards in place prior to the breach;
  • Notice that you provided to affected individuals;
  • Actions taken in response to the breach.

Takeaways

Remember, organizations can submit notifications for small breaches at any time, and as they occur. 

However, be sure to do so within 60 days after the end of the last calendar year, or else this can become an additional HIPAA violation for your business.

You can read more about HHS’s guidelines for breach notification here.

Do you need help submitting HIPAA breaches to the HHS, or a HIPAA breach notification letter? Gazelle Consulting is here to help!

Give us a call at (503) 389-5666 today or email us at info@gazelleconsulting.org. We make HIPAA compliance feel like a walk through a grassy savanna.
