Corporate Compliance

Q&A: How would you construct a letter to inform patients about stolen PHI?

Compliance Monitor, June 24, 2009

Q: How would you construct a letter to inform patients about stolen Protected Health Information (PHI)?

A: Most states have enacted identity theft protection laws, and their provisions specify the information providers must include in this type of letter.

The breach notification provisions of the American Recovery and Reinvestment Act of 2009, Title XIII, Subpart D, also specify the information covered entities must include in a letter when a patient’s PHI is stolen. Knowing which state agency enforces breach notification laws in the state in which an organization operates is sound business practice. Most can provide a sample letter for use in notifying patients of such thefts. Sample letters are also likely to be available from HHS within the next few months.

Generally, the following information is required:

  • What information was stolen or breached
  • When the breach occurred or during what period of time
  • The likely cause of the breach
  • Information patients can use to protect their identities from being stolen (e.g., credit bureau contact information, advice about contacting law enforcement officials or the Federal Trade Commission, and information about requesting a credit freeze)
  • A contact within the organization and that individual’s phone number in case patients have questions not answered by the letter
  • Steps taken to mitigate damages
Chris Apgar, CISSP, answered this question for the June 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular