U.S. Department of Health and Human Services
Health Information Technology and Quality


What does a breach notification need to include?

The breach notification to the individual or the media should include:

  1. A brief description of the breach incident, including the date of the breach and the date of the discovery of the breach, if known.
  2. A description of the types of unsecured PHI involved in the breach (e.g., full name, SSN, date of birth, home address, account number, diagnosis, disability code). The description should not include a listing of the actual protected health information that was breached (for example, it should not list the individual's SSN or credit number that was breached) and should avoid any sensitive information.
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach.  For example, if credit card information was breached, the notice may include recommendations that the individual contact his or her credit card company and information about how to contact the credit bureaus and obtain credit monitoring services. 
  4. A brief description of what the health care provider is doing to investigate the breach, to mitigate harm to individuals, and to prevent future breaches.
  5. Contact procedures for individuals to receive additional information or to ask questions, which must include a toll-free telephone number, an e-mail address, Website, or postal information.

The breach notification should be written at an appropriate reading level using clear language and syntax. The notification has no page limits, but should not include any other material that may diminish its message. Depending on the individuals affected by the breach, providers should also consider whether the notification should be translated into a frequently encountered language or be made in alternate formats for individuals with disabilities, such as Braille, large print, or audio, to comply with other laws.

The breach notification to the Secretary is specified on the HHS website.


Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.