
A HIPAA breach notification letter is the formal notice a covered entity sends to each individual whose unsecured protected health information (PHI) has been compromised.
Under the Breach Notification Rule, the letter must be sent without unreasonable delay and no later than 60 calendar days after the breach is discovered.
The letter should give a clear description of what happened, including the date of the breach and the types of information involved.
It should also give contact information for the covered entity, such as a toll-free phone number and an email address, so that individuals can ask questions.
Write it in plain language that is easy to understand, avoiding technical jargon and complex medical terms.
Be Careful and Deliberate When Preparing
Blunders during the notification process happen far too often. Several organizations have suffered a HIPAA breach and then added insult to injury with serious errors in the notification itself.
For instance, Alive Hospice in Tennessee mailed breach notification letters bearing incorrect names. Aetna settled a claim for $17 million after disclosing patients' HIV status through the window of a clear envelope; ironically, those letters were themselves sent to notify patients about an earlier privacy matter.

Organizations, especially smaller ones, rarely have a dedicated employee handling HIPAA issues, so checks and balances are critical to ensuring every requirement is met.
To avoid mistakes of this kind, have a second person verify both the content of the letter and the mailing list before anything is sent, and confirm that the letter contains every required element.
Here are the key elements that must be in a breach notification letter:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured protected health information that were involved in the breach;
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the organization involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches;
- Contact procedures for individuals to ask questions or learn additional information.
Sample breach notification letters are widely available and make a useful starting point, but check every element above against the facts of your own incident before sending; it is always better to be safe than sorry.
Letter Components and Delivery
A HIPAA breach notification letter is a crucial step in responding to a breach of Protected Health Information (PHI). It is both a legal requirement and an opportunity to maintain trust and transparency with those affected.
Drafting the letter deserves care, and it should include specific components to ensure compliance and effective communication.
The key components of a HIPAA breach notification letter are:
- a description of the breach;
- the type of PHI compromised;
- next steps for individuals to take, including correcting any damage, ordering a credit report, monitoring credit, and placing a fraud alert;
- a helpline for patients to ask questions;
- an apology that accepts responsibility;
- simple language throughout.
The delivery of the breach notification letter is also an important aspect of HIPAA compliance. The Breach Notification Rule provides guidelines on the delivery of the notification letter.

Acceptable delivery methods are first-class mail to the individual's last known address, or email if the individual has agreed to receive notices electronically and has not withdrawn that agreement. First-class mail is the default; email is allowed only where there is a valid record of that agreement. Substitute notice is not a free alternative to either; it is used only when contact information is insufficient or out of date.
If contact information is insufficient or out of date for fewer than 10 individuals, the covered entity may provide substitute notice through an alternative method such as a telephone call or another form of written notice. If it is insufficient or out of date for 10 or more individuals, the covered entity must either post a conspicuous notice on the home page of its website for at least 90 days or place a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. In either case the substitute notice must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their information was involved.
Attestation and Compliance
A HIPAA attestation is a signed statement confirming that your organization has completed the steps necessary to comply with the HIPAA Security Rule. It is not a substitute for compliance with other laws and regulations, nor for a business associate agreement (BAA).

Covered entities and their business associates (CEs/BAs) are commonly asked, for example by customers, partners or auditors, to produce such an attestation. It provides assurance that you are aware of the requirements of HIPAA and that you have implemented policies and procedures to protect PHI from unauthorized access and disclosure.
The person responsible for overseeing compliance with the HIPAA Security Rule should review and sign the attestation. This is usually the designated Security Officer, or the Privacy Officer or equivalent. That person should also have access to all documents used to support your compliance efforts.
To develop an effective HIPAA attestation, you should take a few key steps. The statement should be written by someone familiar with your organization's policies and procedures. It should also be reviewed by someone familiar with HIPAA regulations, such as an experienced and licensed CPA firm.
A HIPAA attestation does not guarantee full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, it helps you demonstrate your commitment to protecting patient privacy and understanding what you must do to maintain complete confidentiality.
Here is a list of documents that the person responsible for overseeing compliance with the HIPAA Security Rule should have access to:
- policies and procedures;
- descriptions of data systems;
- information about existing business associates;
- incident reports;
- audit reports;
- consent agreements, if applicable;
- any related corrective action plans or other documents that describe what you are doing about problems identified during those reviews.
Frequently Asked Questions
How do I write a HIPAA letter?
To write a HIPAA letter, include a brief description of the breach, the types of unsecured PHI involved, and steps individuals can take to protect themselves. This information should be clearly stated in a concise and easy-to-understand format.
What is a HIPAA notice?
A HIPAA notice, formally the Notice of Privacy Practices, is a document that explains how a healthcare provider or health plan may use and disclose your medical information and how it protects that information, as required by the Health Insurance Portability and Accountability Act (HIPAA). It also describes your rights over your records, so it is worth reading carefully.