The breach notification to the individual or the media should include:

1. A brief description of the breach incident, including the date of the breach and the date of the discovery of the breach, if known
2. A description of the types of unsecured PHI involved in the breach (e.g., full name, SSN, date of birth, home address, account number, diagnosis, disability code).  The description should not include a listing of the actual protected health information that was breached (list the individual's SSN or credit number that was breached) and should avoid any sensitive information.
3. Any steps individuals should take to protect themselves from potential harm resulting from the breach.  For example, if credit card information was breached, the notice may include recommendations that the individual contact his or her credit card company and information about how to contact the credit bureaus and obtain credit monitoring services. 
4. A brief description of what the health care provider is doing to investigate the breach, to mitigate harm to individual, and to prevent against future breaches
5. Contact procedures for individuals to receive additional information or to ask questions, which must include a toll-free telephone number, an e-mail address, Website, or postal information.

The breach notification should be written at an appropriate reading level using clear language and syntax. The notification has no page limits, but should not include any other material that may diminish its message. Depending on the individuals affected by the breach, providers should also consider whether the notification should be translated into a frequently encountered language or be made in alternate formats for individuals with disabilities, such as Braille, large print, or audio, to comply with other laws.

The breach notification to the Secretary is specified on the HHS website.

Tools:

• Sample Breach Notification - Protected Health Information Policy  (Word - 256KB)  -- Prepared by the HIPAA Collaborative of Wisconsin (2009)