§164.404(c)(1)
Content of Notification.
The notification required by paragraph (a) of this section shall include, to the extent possible:
(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(C) Any steps the individual should take to protect themselves from potential harm resulting from the breach;
(D) A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
(2) The notification required by paragraph (a) of this section shall be written in plain language.
Audit Inquiry
§164.404(c)(1)
Content of Notification
Does the covered entity have policies and procedures for providing individuals with notifications that meet the content requirements of §164.404(c)? Inquire of management; obtain policies and procedures. Evaluate if the specifications at §164.404(c) are met.
Inquire of management whether the covered entity has used a standard template(s) or form letter(s) for notification to individuals for breaches or for specific types of breaches. If the covered entity has used such templates or form letters, obtain the documents and evaluate whether they include this section’s required elements.
Obtain a list of breaches, if any, that occurred in the previous calendar year. Obtain and review a copy of a single written notice sent to affected individuals for each breach incident in the previous calendar year.
For the first five breach incidents that occurred in the previous calendar year, obtain and evaluate documentation related to the required content in the written notices sent to affected individuals.