Model Breach Notification Letter: Content and Format
High-level guidance outlining the content requirements for breach notification letters is provided in section 13402, "Notification in the Case of Breach," of the American Recovery and Reinvestment Act and state-level data breach notification and reporting laws in 44 states, the District of Columbia, Puerto Rico, and the Virgin Islands. However, due to the disparity of content and formatting guidelines across differing state laws, the quality, content, and format of notification letters has suffered. Current legislation in California (SB 20) would mandate specific content requirements for breach notification letters in response to the general poor quality of breach notification letters in that state.
In an effort to provide useful guidance, AHIMA has reviewed existing data breach notification and reporting laws and compiled the necessary elements of a breach notification letter. This tool is intended to serve as a guide and does not seek to dictate content and format or disavow other existing content and format advice.
A breach notification letter must be written in plain English. It should include:
- Name and contact information of the reporting healthcare provider.
- Contact information of the reporting healthcare organization such as a telephone number, e-mail address, or Web site that the individual may contact for further information and assistance.
- When the security incident occurred, including:
  - Date and time of the breach event
  - Duration of the security breach event, including beginning and end dates and times, if applicable
  - Date of discovery
- Scope of the event, including:
  - A high-level description of the breach that includes how the breach occurred in general terms.
  - The estimated number of persons affected.
- What measures are being taken to address the incident and what resources will be committed to rectify the situation.
- A clear accounting of the type and class of unsecured identifiable personal health information compromised as a result of the unauthorized access and acquisition. The description should include details about the categories of information that have been accessed or acquired by an unauthorized entity, and specific details about information and data of significance to the individual, including but not limited to health information, Social Security numbers, driver's license or state identification numbers, or financial data.
- A description of the possible levels of threat to victims.
- Possible future information security threats to victims.
- Whether criminal complaints have been filed.
- Whether there was a delay in notification because of forensic investigations.
- The type of incident detected.
- Recommended actions to be taken by the individual. (For a checklist of actions consumers can take in the event of medical identity theft, see AHIMA's "Medical Identity Theft Response Checklist for Consumers.")
- Organizational preventive safeguards and practices.
- Mitigation efforts, including the general actions taken by the business to protect the personal information from further unauthorized access.
- Consumer advice directing the individual to review account statements and monitor credit reports.
- Contact information for credit reporting agencies, including the information needed for reports for criminal investigation and law enforcement.
- Contact information for national consumer reporting agencies.
- Consumer advice on how to report suspected identity theft to law enforcement and the Federal Trade Commission.
- The toll-free telephone numbers, addresses, and Web site addresses for the Federal Trade Commission, the office of the attorney general, and the state police or consumer protection agency.
- Information regarding law enforcement contacts.
- Information on security monitoring services such as credit monitoring services provided by the healthcare provider to mitigate future damages resulting from data breach.
- Other discretionary data.