Free HIPAA Breach Notification
Letter generator

Notify affected patients the way HIPAA requires. This generator builds a breach notification letter with the elements set out in the HIPAA Breach Notification Rule (45 CFR §164.404). Preview it as you type, then download it as an editable Word document or PDF. Everything runs locally in your browser, so no data leaves your device and no sign-up is needed.

Letter details

Your organization

Recipient

The breach

Response

Contact for questions

Signatory

Preview

HIPAA BREACH NOTIFICATION LETTER

[Date]

[Patient Name] [Patient Address]

Dear [Patient Name],

We are writing to notify you of a data security incident at [Your Organization Name] that may have involved some of your protected health information. We take the privacy and security of your information seriously, and we are providing this notice in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 CFR 164.404).

What Happened

On [date of discovery], [Your Organization Name] became aware of an incident that may have involved some of your protected health information.

What Information Was Involved

The protected health information that may have been involved includes your full name, and medical or clinical information such as diagnoses, treatment, or medical record numbers.

What You Can Do

As a precaution, we recommend that you review statements from your health plan and providers, along with any explanation of benefits, for services you do not recognize, and report anything unfamiliar right away. You may also request a free copy of your credit report and consider placing a fraud alert or a security freeze with the major credit bureaus.

What We Are Doing

We are investigating the incident, have taken steps to secure the information involved, and are reviewing our safeguards and procedures to help prevent something like this from happening again. Where appropriate, we have notified law enforcement and are cooperating with their review.

For More Information

If you have questions or would like more information, please contact [Contact Name] at [toll-free phone number].

We sincerely regret any inconvenience or concern this incident may cause you. Protecting your information is a responsibility we take seriously, and we remain committed to keeping it safe.

Sincerely,

[Name]

[Title], [Your Organization Name]

Generated by BlockSurvey

How the breach notification letter generator works

1

Fill in the details

Enter your organization, the affected patient, what happened, the information involved, and how people can reach you in a short guided form.

2

Review the live preview

Watch the letter assemble in real time, with the HIPAA-required elements written in plain language.

3

Download and send

Export a ready-to-send PDF or an editable Word file. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

A breach is stressful enough without a paywall or a form that ships patient details to someone else's server. Every letter this tool produces follows the notice requirements of 45 CFR §164.404:

01

100% in-browser

The letter is built on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

The complete letter as Word or PDF at no cost, not a watermarked sample.

What a HIPAA breach notification letter must include

Under 45 CFR §164.404(c), the notice to affected individuals must contain, in plain language:

  1. A brief description of what happened, including the date of the breach and the date it was discovered, if known.
  2. The types of unsecured protected health information involved (such as name, Social Security number, date of birth, diagnosis, or account number).
  3. The steps individuals should take to protect themselves from potential harm.
  4. What the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches.
  5. Contact procedures for questions, including a toll-free number, email address, website, or postal address.

Built For Every Healthcare Organization

When an incident happens, the clock starts. This tool helps you send a clear, compliant notice quickly, and it works alongside HIPAA-compliant survey software when you collect health data through forms.

Solo & small practices

Get compliant paperwork without a compliance team.

Multi-location groups

Standardize HIPAA documents across every site.

Digital health startups

Set up HIPAA foundations before you scale.

SaaS & tech vendors

Cover the PHI you touch for your healthcare customers.

Billing companies & MSOs

Handle records for the practices you support.

Nonprofits & community clinics

Stay compliant on a tight budget.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.

More free HIPAA tools

Explore more

Frequently asked questions

When do I have to send a breach notification letter?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after you discover the breach, under the HIPAA Breach Notification Rule (45 CFR 164.404). A breach is treated as discovered on the first day you knew about it, or by exercising reasonable diligence would have known about it. Waiting until the 60th day is not a safe harbor. Regulators expect you to send notice as soon as you reasonably can.

What has to be in the letter?

HIPAA requires the notice to include, in plain language: a brief description of what happened including the date of the breach and the date of discovery; the types of information involved (such as name, Social Security number, diagnosis, or account number); the steps individuals should take to protect themselves; what your organization is doing to investigate, mitigate harm, and prevent future breaches; and how individuals can reach you with questions, including a contact person, phone number, email, or postal address. This generator prompts you for each of these elements.

How should the letter be delivered?

Send written notice by first-class mail to the individual's last known address. You may use email instead only if the individual has agreed to electronic notice and has not withdrawn that agreement. If you have out-of-date or insufficient contact information for 10 or more people, you must also provide substitute notice, such as a posting on your website or a notice in major print or broadcast media.

Do I also have to notify HHS and the media?

Yes, in addition to notifying individuals. You must notify the Secretary of Health and Human Services through the HHS breach portal. For breaches affecting 500 or more individuals, you must notify HHS and prominent media outlets in the affected area without unreasonable delay and no later than 60 days. For breaches affecting fewer than 500 individuals, you may log them and report them to HHS annually, within 60 days after the end of the calendar year. This tool generates the individual letter, not the HHS or media notices.

Is the generated letter legally sufficient on its own?

The letter includes the elements HIPAA requires, but it is a starting-point template, not legal advice. Breach response often involves state notification laws, law enforcement, cyber insurance, and forensic findings that can change what and when you communicate. Have the letter reviewed by qualified counsel and tailored to your specific incident before you send it.

Do you store the information I enter?

No. The entire letter is assembled locally in your browser. The patient names, addresses, and breach details you enter are never sent to or stored on any server, which is why no sign-up is required.

Can one letter cover many affected patients?

The content of the notice is generally the same for everyone affected by the same incident, but each individual should receive their own addressed letter at their last known address. Use this generator to produce the standard body of the letter, then merge in each recipient's name and address when you print or mail them.

Is this a substitute for legal advice?

No. This tool generates a starting-point draft aligned with the notice requirements of the HIPAA Breach Notification Rule (45 CFR 164.404), but it is not legal advice and is not guaranteed to be complete or suitable for your specific situation. Breach response also depends on state notification laws, your cyber insurance, and the facts of the incident. Have the letter reviewed by qualified legal counsel and tailored to your circumstances before you send it.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.