Data security breaches involving patient records can occur despite your best efforts to prevent them.
If prevention fails, your lab needs to switch to incident response mode and take measures to control the privacy damage.
In some circumstances, that may include providing written notification to each individual patient affected by the breach.
Patient notification must be provided within 60 days of discovering the incident and meet the requirements of the HIPAA Breach Notification Rule. Here is a Model Patient Notification Letter listing the required information that you can adapt for your own use. (Note that the bold-faced subheads are illustrative only and need not be included as part of the actual letter.)
This material is for informational purposes only and not for the purpose of providing legal advice. You should always contact your attorney to determine if this information, and your interpretation of it, is appropriate to your particular situation.
For step-by-step guidance on responding to HIPAA breaches, see GCA, January 2017