What to Include in a Breach Notification Letter: A HITECH Content Checklist for Small Practices (45 CFR § 164.404(c))

Executive Summary

When a breach of unsecured protected health information (PHI) occurs, covered entities are legally required to notify affected individuals. Under 45 CFR § 164.404(c), that notice must contain specific content elements and be written in plain language. Omitting even one required element can lead to regulatory enforcement, penalties, and a damaged provider-patient relationship. This article offers a complete content checklist based on the HITECH Act and the HIPAA Breach Notification Rule, written for small healthcare practices. From the language used to the timing and delivery method, it covers what every breach notification letter must contain to stay compliant.

Legal Basis: What 45 CFR § 164.404(c) Requires

The HIPAA Breach Notification Rule, as modified by the HITECH Act, outlines what covered entities must include when notifying patients about a breach of unsecured PHI. According to § 164.404(c), the individual notice must be written in plain language and include, at a minimum:

  1. A brief description of what happened, including the date of the breach and the date of discovery, if known

  2. A description of the types of unsecured PHI involved (for example, whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved)

  3. The steps individuals should take to protect themselves

  4. A description of what the covered entity is doing to investigate, mitigate harm, and prevent future incidents

  5. Contact procedures for individuals to ask questions or learn more, which must include a toll-free telephone number, an email address, website, or postal address

Each element is considered mandatory, not optional. Omitting or misrepresenting any of these points can be treated as a failure to comply with federal law.

Real-Life Case Study: The Cost of an Incomplete Notification

In 2020, a primary care group in the Midwest discovered that an employee’s laptop containing unencrypted PHI had been stolen from a car. The practice promptly mailed breach notification letters to affected patients but failed to include clear guidance on what patients could do to protect themselves. Many recipients were left confused, and some filed complaints with HHS.

An investigation by the Office for Civil Rights (OCR) found that the notice did not meet the content requirements under 45 CFR § 164.404(c). As a result, the practice faced a $60,000 settlement and had to revise its breach notification process and templates.

Lesson Learned: Even when notice is timely, it must be complete and clear. A lack of actionable guidance for patients violates the rule. A second lesson is upstream of the letter entirely: the notification duty applies only to unsecured PHI. Under 45 CFR § 164.402 and the accompanying HHS guidance, PHI encrypted in a manner consistent with NIST standards is not "unsecured," so a stolen laptop with full-disk encryption and a properly protected key would not have triggered individual notification at all.

Your HITECH-Compliant Notification Letter: A Content-by-Content Guide

1. A Clear Description of What Happened

Your letter should include:

  • The date the breach occurred

  • The date it was discovered

  • A short, factual explanation of how the breach happened (e.g., "an unauthorized individual gained access to an employee's email account")

Avoid speculation or overly technical language. Keep it brief but clear enough for a layperson to understand.

2. Types of PHI Involved

List the categories of information compromised. Common examples include:

  • Full name

  • Social Security number

  • Diagnosis or treatment information

  • Insurance policy number

  • Date of birth

  • Billing or claims data

Be specific. "Your PHI" is not adequate; patients deserve to know exactly what was at risk.

3. What the Individual Should Do

Tell the patient what actions they should take. Recommendations may include:

  • Monitoring financial or medical accounts

  • Placing a fraud alert with credit bureaus

  • Reviewing Explanation of Benefits (EOB) statements from their insurer for services they did not receive

  • Enrolling in complimentary credit monitoring (if offered)

Make sure any resources or links are legitimate, current, and easy to access.

4. What the Practice Is Doing

You must describe how your practice responded, such as:

  • Investigating the breach internally

  • Disciplining or retraining staff

  • Working with forensic security firms

  • Updating policies or technical safeguards

If applicable, explain how you're preventing future breaches.

5. Contact Information

Provide a reliable, responsive way for patients to get more information. The rule requires a toll-free telephone number and at least one of an email address, a website, or a postal address. In practice, a small practice should offer all of the following:

  • A toll-free phone number staffed during business hours

  • An email address monitored by compliance or patient services

  • A mailing address and, optionally, a link to a secure patient portal

Keep every channel you list active and monitored for as long as inquiries are reasonably expected. Note that the explicit 90-day requirement in the rule applies to the toll-free number that accompanies a substitute notice under 45 CFR § 164.404(d)(2)(ii); for direct written notice, treating 90 days as the minimum is sound practice rather than a stated regulatory deadline.

Delivery Methods for Individual Notification

Although this article focuses on content, it's critical to remember that how you send the notice matters, too. Acceptable delivery methods under 45 CFR § 164.404(d) include:

  • Written notice by first-class mail to the individual's last known address (or to the next of kin or personal representative if the individual is deceased)

  • Email, if the individual has agreed to receive electronic notice and has not withdrawn that agreement

  • Substitute notice when contact information is insufficient or out of date: for fewer than 10 individuals, an alternative written notice, a telephone call, or other means; for 10 or more individuals, either a conspicuous posting on your website home page for 90 days or notice in major print or broadcast media, in each case with a toll-free number that stays active for at least 90 days

  • In urgent situations involving possible imminent misuse of PHI, a telephone call or other means in addition to the written notice

Do not delay sending the letter while seeking the ideal method. Notice must go out without unreasonable delay and in no case later than 60 calendar days after discovery; 60 days is the outer limit, not a target.

Common Pitfalls and How to Avoid Them

Pitfall 1: Writing in Technical or Legal Jargon

Many breach letters are written by lawyers or IT professionals who use language that is confusing for patients. When patients don’t understand what happened or what they should do, your letter fails the “plain language” requirement.

How to Avoid It: Have staff outside the clinical, legal, and IT functions review your draft for clarity. If they can't understand it, your patients won't either. Use short sentences and everyday terms, and avoid acronyms unless you define them.

Pitfall 2: Leaving Out the Discovery Date

Some practices mention when the breach occurred but fail to state when it was discovered. This omission can create confusion about whether the practice delayed notification, which is a common source of regulatory scrutiny.

How to Avoid It: Always include both dates. For example, “The incident occurred on January 3 and was discovered on January 9.”

Pitfall 3: Using Generic Language to Describe PHI

Phrases like “some of your health information was compromised” are too vague. Patients want to know what kind of data was affected so they can take protective actions.

How to Avoid It: Clearly list categories of data (e.g., “your name, date of birth, and lab results”). If Social Security numbers or financial data were not involved, state that explicitly.

Pitfall 4: Failing to Mention Mitigation Efforts

Patients are more likely to trust your practice if they know you took the incident seriously. Notices that fail to describe the steps you've taken can appear dismissive or incomplete.

How to Avoid It: Include specific, tangible steps taken after the breach, such as hiring cybersecurity firms, revising access controls, or implementing encryption protocols.

Pitfall 5: Not Offering Next Steps for Patients

Even if no financial data was compromised, patients should still be advised on how to monitor their records. Letters that do not offer practical next steps fall short of the regulatory standard.

How to Avoid It: Suggest one to two realistic actions (e.g., requesting copies of medical records, watching for suspicious mail). If appropriate, provide phone numbers or websites for additional support.

Pitfall 6: Poorly Maintained Contact Information

If the phone number provided in the letter goes to voicemail or the email address is unmonitored, patients will quickly lose confidence, and HHS may view the notice as ineffective.

How to Avoid It: Assign a dedicated staff member or compliance officer to manage all breach-related inquiries for at least three months after sending the notice.

Checklist: HITECH-Compliant Breach Notification Letter Content (45 CFR § 164.404(c))

Task | Responsible | Frequency
State a clear description of the incident, including the date of breach and the date of discovery (if known) | Privacy Officer | Per incident
List the categories of PHI involved (e.g., name, DOB, diagnosis, SSN, billing data) | Privacy Officer | Per incident
Provide plain-language, actionable steps individuals should take to protect themselves | Compliance Officer | Per incident
Describe what the practice is doing to investigate, mitigate harm, and prevent recurrence | Compliance Officer | Per incident
Include a toll-free phone number plus an email address, website, or mailing address for inquiries, kept active and monitored for the inquiry period | Admin Staff | Per incident
Ensure the letter is written in plain language without unnecessary legal or technical jargon | Privacy Officer | Per incident
Confirm both the breach date and the discovery date are included | Privacy Officer | Per incident
Avoid generic PHI descriptions; list the exact data types compromised | Compliance Officer | Per incident
State mitigation steps taken (e.g., policy changes, IT security upgrades) | Compliance Officer | Per incident
Suggest at least 1–2 practical next steps for patients | Privacy Officer | Per incident
Verify all contact information is functional and monitored | Admin Staff | Per incident
Archive the letter and supporting documentation securely for at least 6 years (45 CFR § 164.530(j)) | Records Manager | Ongoing

Final Thoughts and Recommended Next Steps

Breach notification is not just about checking boxes; it's about demonstrating transparency, restoring trust, and fulfilling a legal duty under HIPAA and HITECH. A complete, timely, and clear notification letter can limit reputational damage and regulatory scrutiny. For small practices, having a compliant template ready before an incident streamlines the response in a stressful situation.

Next Steps for Your Practice:

  • Draft or revise your breach notification template to align with 45 CFR § 164.404(c)

  • Ensure all required content elements are present in every letter

  • Assign responsibility for content review and legal compliance before letters are sent

  • Store sent letters and supporting documentation securely for at least six years

HITECH compliance should be a living process. Review the template after every incident and every regulatory update, and track the requirements in whatever compliance system your practice already uses, so that gaps are found before they become violations and both patients and payers can see that compliance is built into your culture.