In February 2024, OCR settled with a New York medical practice for $100,000 after the organization failed to provide a timely written response to a patient's records access request. The issue wasn't that the practice denied access — it was that the practice's HIPAA letter responding to the request never went out within the 30-day window required by the Privacy Rule. One missing letter. Six figures in penalties.
Healthcare organizations draft dozens of formal letters tied to HIPAA obligations every year. Yet most compliance programs treat correspondence as an afterthought — a clerical task rather than a regulatory requirement with real enforcement consequences.
What Qualifies as a HIPAA Letter Under Federal Regulations
There is no single document the regulations call a "HIPAA letter." Instead, the term encompasses every piece of formal written communication your covered entity or business associate is required to produce under 45 CFR Part 164. These letters carry the weight of federal compliance obligations.
The most common categories include:
- Breach notification letters — required under the Breach Notification Rule (45 CFR §§ 164.404–164.408) when unsecured protected health information is compromised.
- Patient access response letters — required under the Privacy Rule when individuals request access to their PHI (45 CFR § 164.524).
- Denial of access letters — required when a covered entity denies a records request, with specific content mandated by regulation.
- Authorization and revocation letters — correspondence confirming valid authorizations for PHI disclosure or acknowledging a patient's revocation of authorization.
- Privacy complaint acknowledgment letters — written responses to individuals who file complaints about your organization's privacy practices.
Each of these documents must meet specific content requirements. Getting the substance wrong — or missing a deadline — can trigger an OCR investigation.
Breach Notification: The HIPAA Letter With the Strictest Deadline
Under the Breach Notification Rule, your organization must send individual breach notification letters to affected patients without unreasonable delay and no later than 60 calendar days from the date of discovery. Not 60 business days. Calendar days.
The letter must include specific elements outlined in 45 CFR § 164.404(c):
- A brief description of the breach, including the date of the breach and the date of discovery.
- A description of the types of PHI involved (e.g., name, Social Security number, diagnosis codes).
- Steps the individual should take to protect themselves from potential harm.
- A description of what your organization is doing to investigate, mitigate harm, and prevent future breaches.
- Contact information for the individual to ask questions, including a toll-free number.
In my work with covered entities, I consistently see organizations underestimate how long it takes to draft, review, and mail these letters — especially when thousands of individuals are affected. Start your template before you have a breach. Waiting until an incident occurs virtually guarantees you'll miss the 60-day window.
Patient Access Request Letters and the 30-Day Rule
OCR has made patient right of access its top enforcement priority. Since 2019, the agency has settled more than 45 right-of-access cases, with penalties ranging from $3,500 to $240,000. Almost every one of those cases involved a failure to respond to a patient's written request in a timely manner.
When your organization receives a records access request, you must act on it within 30 days under 45 CFR § 164.524(b)(2). A single 30-day extension is permitted if you provide the individual with a written statement of the reasons for the delay and the date you expect to fulfill the request.
That extension notice is itself a HIPAA letter with regulatory teeth. If you grant the extension but never send the written explanation, you've violated the rule.
What a Denial of Access Letter Must Contain
If you deny a patient's access request — which is only permissible on specific grounds listed in the Privacy Rule — the HIPAA letter communicating that denial must include:
- The basis for the denial.
- A statement of the individual's right to have the denial reviewed, along with instructions on how to request a review.
- A description of how the individual may file a complaint with your Privacy Officer or directly with OCR.
Skipping any of these elements doesn't just expose you to a HIPAA violation — it signals to OCR that your workforce lacks adequate training on patient rights.
Building a HIPAA Letter Template Library Your Workforce Can Use
Healthcare organizations consistently struggle with correspondence compliance because the responsibility is scattered across departments. The front desk handles access requests. IT leads breach response. The Privacy Officer fields complaints. Without a centralized template library, each department invents its own approach — and errors multiply.
Your compliance program should maintain reviewed and approved templates for every category of HIPAA letter your organization may need to send. Each template should reference the applicable regulatory citation, include all required content elements, and specify the deadline by which it must be sent.
Equally important: every workforce member who might draft or send one of these letters needs to understand the regulatory stakes. A receptionist who doesn't know the 30-day access rule can't be expected to escalate a request appropriately. Investing in HIPAA training and certification for staff at every level ensures your team recognizes when a regulatory letter is triggered and what it must contain.
The Minimum Necessary Standard Applies to Letters Too
When your organization sends any written communication that includes PHI, the minimum necessary standard under 45 CFR § 164.502(b) applies. A breach notification letter should describe the types of information involved — not reproduce the actual compromised data. An authorization confirmation should reference the scope of the disclosure without including extraneous clinical details.
I've reviewed HIPAA letters from organizations that inadvertently created a second privacy incident by including too much PHI in their correspondence. Apply the same minimum necessary analysis to outgoing letters that you apply to any other PHI disclosure.
Document Retention and Proof of Delivery
Sending the letter is half the obligation. Proving you sent it is the other half. OCR investigators will ask for evidence that notification letters were mailed, and "we think we sent it" does not satisfy a federal inquiry.
Best practices include:
- Sending breach notification letters via first-class mail with a certificate of mailing or certified mail for high-risk cases.
- Retaining copies of every HIPAA letter for a minimum of six years, consistent with the documentation requirements in 45 CFR § 164.530(j).
- Logging the date sent, recipient, and letter type in your compliance tracking system.
Strengthen Your Organization's HIPAA Letter Compliance Today
A single missing or deficient letter can turn a manageable compliance issue into a six-figure enforcement action. Your organization needs written procedures, approved templates, and a trained workforce that understands when federal regulations require formal written communication.
Start by conducting a risk analysis of your current correspondence workflows. Identify gaps where required letters aren't being generated or tracked. Then equip your team with the knowledge they need through HIPAA Certify's workforce compliance program — because the best template in the world is useless if your staff doesn't know when to use it.