Gazelle Consulting

HIPAA Breach Notification Letter

Most HIPAA compliant businesses understand that they must notify HHS of any breach that affects more than 500 patients no later than 60 days after the breach occurs.

But how do you report small breaches of under 500 individuals? 

How to Draft a HIPAA Breach Notification Letter

HHS has another set of guidelines for these small breaches, which require organizations to submit a list of all breaches affecting fewer than 500 individuals within a jurisdiction no later than 60 days after the end of the calendar year.

Businesses should submit a log containing a notification of each incident to HHS here. 

Notices for each breach must include the following: 

  • The start and end dates of the breach;
  • The discovery dates of the breach;
  • Approximate number of individuals affected by the breach;
  • Type of breach (hacking/improper disposal/loss/theft/unauthorized access);
  • Location of breach (desktop computer/EMR/email/laptop/network server/paper);
  • Type of PHI involved (clinical/demographic/financial);
  • A brief description of the breach;
  • Safeguards in place prior to the breach;
  • Notice that you provided to affected individuals;
  • Actions taken in response to the breach.


Remember, organizations can submit notifications for small breaches at any time, and as they occur. 

However, be sure to do so within 60 days after the end of the calendar year; otherwise, the late report can become an additional HIPAA violation for your business.

You can read more about HHS’s guidelines for breach notification here.

Do you need help submitting HIPAA breaches to the HHS, or a HIPAA breach notification letter? Gazelle Consulting is here to help!

Give us a call at (503) 389-5666 today or email us at We make HIPAA compliance feel like a walk through a grassy savanna.
