New Toolkit Offers HIPAA Breach Notification Rule Guidance

Since the 2013 publication of the Omnibus Final Rule, breaches of all sizes involving various types of protected health information (PHI) have affected the healthcare industry. At the same time, healthcare organizations have been working to comply with the rule’s requirements for actions to be taken in the event of an information breach. Many factors must be considered and accounted for, such as:

  • Investigation
  • Assessment
  • Mitigation
  • Education and training
  • State laws
  • Response times
  • Required notifications
  • Reporting of breaches to the Department of Health and Human Services (annually for breaches affecting fewer than 500 individuals; without unreasonable delay, and no later than 60 days after discovery, for larger breaches)


Policies and procedures, a breach risk assessment, and other tools and guidance must be in place to ensure that the overall management of a breach is compliant with the HIPAA breach notification rule.

AHIMA recently published the Breach Management Toolkit: A Comprehensive Guide for Compliance, a collection of resources and best practices to help healthcare organizations and HIM professionals work through the HIPAA breach notification rule and the overall breach management process. It is intended as a framework and reference guide for the breach investigation, determination, mitigation, notification, and reporting processes, and to help organizations understand and comply with federal regulations within the time frame required by federal law. An excerpt from the toolkit appears below.


Breach Management Toolkit Excerpt

The following excerpt describes the required elements of a breach notification letter.

The breach notification letter must contain five required elements, each tailored to the circumstances of the breach:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known

2. A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)

3. Any steps individuals should take to protect themselves from potential harm resulting from the breach

4. A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches

5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. If appropriate, the organization may include other customized information, such as:

  • Information about steps the organization is taking to prevent future similar breaches
  • Information about sanctions the organization imposed on workforce members involved in the breach; the identity of those workforce members should be disclosed only on a need-to-know basis according to organizational policy
  • Consumer advice directing the individual to review account statements and monitor credit reports
  • Recommendations that the individual place a fraud alert on their credit card accounts, or contact a credit bureau to obtain credit monitoring services, if appropriate
  • Contact information for credit reporting agencies, including the information needed for reports for criminal investigation and law enforcement
  • Contact information for national consumer reporting agencies


For the full list, refer to the toolkit, which is free to AHIMA members. To access the full toolkit, available as a digital download, visit

