• E-mail
• Print
• RSS

HIPAA Q&A: Letter to patients

HIPAA Weekly Advisor, October 12, 2009

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q. How would you construct a letter to inform patients about stolen PHI?

A. Most states have enacted identity theft protection laws, and their provisions specify the information that providers must include in this type of letter.

The breach notification provisions of the American Recovery and Reinvestment Act of 2009, Title XIII, Subpart D, also specify the information that covered entities must include in a letter when a patient’s PHI is stolen.

Knowing which state agency enforces breach notification laws in the state in which an organization operates is sound business practice. Most states can provide a sample letter for use in notifying patients of such thefts.

Generally, organizations must disclose:

• What information was stolen or breached
• When the breach occurred or during what period of time
• The likely cause of the breach
• Information that patients can use to protect their identities from being stolen (e.g., credit bureau contact information, advice about contacting law enforcement officials or the Federal Trade Commission, and information about requesting a credit freeze)
• A contact within the organization and that individual’s phone number in case patients have questions not answered by the letter
• Steps taken to mitigate damages

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive