HIPAA Breach Notification Call Script
Organization Name: [________________________________]
Breach Reference Number: [________________________________]
Script Version: [____]
Effective Date: [__/__/____]
Approved By (Legal): [________________________________]
Approved By (Privacy Officer): [________________________________]
SECTION 1: PURPOSE AND USAGE INSTRUCTIONS
1.1 Purpose
This call script provides standardized language for telephone notifications to individuals affected by a breach of unsecured protected health information ("PHI"). Telephone notification may be used in two circumstances under the Breach Notification Rule:
- Urgent Notice (45 C.F.R. § 164.404(d)(2)): When there is a possibility of imminent misuse of unsecured PHI, the covered entity may provide urgent notification by telephone or other means, in addition to the written notice required under § 164.404(d)(1).
- Supplemental Contact: As a supplement to the written notification letter, to ensure affected individuals receive timely information about the breach and protective steps they can take.
1.2 Required Content Elements
Under 45 C.F.R. § 164.404(c), every breach notification (whether written or oral) must include the following five content elements:
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of unsecured PHI involved in the breach
- Steps the individual should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate, mitigate harm, and protect against further breaches
- Contact procedures, including a toll-free telephone number, email address, postal address, or website
1.3 Instructions for Call Center Staff
- Read through the entire script before making calls
- Speak clearly and at a moderate pace
- Be empathetic but professional — individuals may be upset or confused
- Follow the script closely; do not improvise answers to legal questions
- Document every call using the Call Log Template in Section 11
- Escalate calls per the procedures in Section 7 when necessary
- Written notification must also be sent; the call does not replace written notice
SECTION 2: OPENING / GREETING
2.1 Standard Opening
"Hello, my name is [________________________________], and I am calling on behalf of [________________________________]. May I please speak with [________________________________]?"
If the individual answers:
"Thank you. I am calling to provide you with important information regarding the privacy and security of your health information. This call is being made in accordance with federal law. Do you have a few minutes to speak with me?"
If someone other than the individual answers:
"I am calling from [________________________________] with an important message for [Individual Name]. Could you please let them know to call us back at [Toll-Free Number]? The reference number is [Breach Reference Number]. Thank you."
Note: Do NOT disclose the nature of the call (breach of health information) to anyone other than the affected individual or their personal representative. Doing so could itself constitute an impermissible disclosure of PHI.
2.2 Voicemail Script
"Hello, this is [Caller Name] calling from [Organization Name] with an important message for [Individual Name]. Please call us back at [Toll-Free Number] at your earliest convenience. Your reference number is [Breach Reference Number]. Our call center is available [Hours of Operation]. Thank you."
Note: Do NOT leave details about the breach on voicemail.
2.3 Identity Verification
Before disclosing breach details, verify the individual's identity:
"For your protection, I need to verify your identity before I can share this information. May I please confirm the following?"
☐ Full legal name: [________________________________]
☐ Date of birth: [__/__/____]
☐ Last four digits of Social Security Number (if applicable): [____]
☐ Mailing address on file: [________________________________]
☐ Reference number (if calling back): [________________________________]
"Thank you. I have confirmed your identity."
SECTION 3: DESCRIPTION OF WHAT HAPPENED
3.1 Breach Description Script
"I am calling to inform you that [Organization Name] recently experienced a [security incident / data breach / privacy incident] that may have involved your protected health information."
"On or about [Date of Breach or Date Range], [Brief Plain-Language Description of What Happened — e.g., 'an unauthorized individual gained access to our computer system,' 'a laptop computer containing patient information was stolen from our office,' 'patient records were inadvertently mailed to the wrong address,' 'our system was affected by a ransomware attack']."
"We discovered this incident on [Date of Discovery], and we began our investigation immediately."
3.2 Tailored Descriptions by Incident Type
Hacking / Cyberattack:
"We discovered that an unauthorized individual gained access to our computer systems that contained patient health information. Our investigation determined that the unauthorized access occurred between [Start Date] and [End Date]."
Ransomware:
"Our computer systems were affected by a ransomware attack, which is a type of malicious software that restricts access to data. We took immediate steps to contain the incident and engaged cybersecurity experts to investigate."
Theft / Loss of Device:
"A [laptop / portable hard drive / USB drive / other device] containing patient health information was [stolen from / lost at] [location]. The device [was / was not] protected by encryption."
Misdirected Communication:
"Due to [a mailing error / an email error / a fax error], your health information was inadvertently [sent to / made accessible to] an unintended recipient."
Employee Snooping:
"We discovered that a workforce member accessed patient health information without a legitimate work-related reason. This individual's access has been terminated, and appropriate disciplinary action has been taken."
Improper Disposal:
"We discovered that records containing patient health information were not disposed of in accordance with our policies and procedures."
SECTION 4: WHAT INFORMATION WAS INVOLVED
"Based on our investigation, the following types of information may have been involved:"
Read only the categories that apply to this breach — check all that apply:
☐ Full name
☐ Date of birth
☐ Mailing address
☐ Email address
☐ Telephone number
☐ Social Security number
☐ Driver's license or state identification number
☐ Medical record number
☐ Patient account number
☐ Health insurance member ID / group number
☐ Diagnosis or condition information
☐ Treatment or procedure information
☐ Medication information
☐ Lab results or test results
☐ Provider name and clinical notes
☐ Dates of service
☐ Financial account or payment card information
☐ Medicare or Medicaid beneficiary number
☐ Other: [________________________________]
"I want to emphasize that [we have no evidence that your information has been misused at this time / we are monitoring the situation and will notify you of any developments]."
SECTION 5: WHAT THE INDIVIDUAL CAN DO
"There are several steps you can take to help protect yourself:"
5.1 General Protective Steps
"First, we recommend that you review your Explanation of Benefits statements from your health insurer. If you see any medical services listed that you did not receive, contact your insurer immediately."
"Second, review your bank and credit card statements carefully for any charges you do not recognize."
"Third, you may request a copy of your medical records from your healthcare providers to check for any information that does not appear to be yours."
5.2 If Social Security Number Was Involved
"Because your Social Security number may have been involved, we also recommend the following additional steps:"
"You may place a fraud alert on your credit file by contacting any one of the three major credit bureaus. A fraud alert tells creditors to take extra steps to verify your identity before opening new accounts. The initial fraud alert lasts for one year."
Credit Bureau Contact Information:
| Bureau | Phone | Website |
|---|---|---|
| Equifax | 1-800-525-6285 | www.equifax.com/personal/credit-report-services |
| Experian | 1-888-397-3742 | www.experian.com/fraud |
| TransUnion | 1-800-680-7289 | www.transunion.com/fraud |
"You may also place a security freeze (also called a credit freeze) on your credit file. A security freeze prevents new creditors from accessing your credit report entirely, which makes it more difficult for someone to open accounts in your name. Security freezes are free under federal law."
"You are entitled to a free copy of your credit report from each bureau once every 12 months at www.annualcreditreport.com or by calling 1-877-322-8228."
"If you believe you are a victim of identity theft, you can report it to the Federal Trade Commission at www.IdentityTheft.gov or by calling 1-877-438-4338. The FTC can help you create a personalized recovery plan."
5.3 If Financial Information Was Involved
"Because your financial account information may have been involved, we recommend that you contact your bank or financial institution to discuss placing an alert on your account or requesting a new account number."
5.4 Credit Monitoring / Identity Protection Services (If Offered)
"[Organization Name] is offering [duration, e.g., 12 months / 24 months] of complimentary [credit monitoring / identity protection] services through [Vendor Name]."
"To enroll, [please visit [Enrollment Website] and enter the activation code [Code] / please call [Vendor Phone Number] and provide the activation code [Code]]. You must enroll by [Enrollment Deadline]."
"This service includes [credit monitoring / identity theft insurance / identity restoration services / dark web monitoring]."
SECTION 6: WHAT THE ORGANIZATION IS DOING
"We want you to know that [Organization Name] takes the privacy and security of your health information very seriously. In response to this incident, we have taken the following steps:"
Read the applicable items:
☐ "We immediately began an investigation with the assistance of [internal IT security team / outside cybersecurity firm]."
☐ "We have contained the incident and secured the affected systems."
☐ "We have reported this incident to the U.S. Department of Health and Human Services as required by law."
☐ "We have notified law enforcement."
☐ "We have implemented additional security measures, including [describe measures such as enhanced encryption, additional access controls, enhanced monitoring, password resets]."
☐ "We have provided additional training to our workforce regarding privacy and security of health information."
☐ "We are offering complimentary credit monitoring and/or identity protection services to affected individuals."
☐ "We have reviewed and strengthened our policies and procedures to help prevent similar incidents in the future."
☐ "We have terminated the employment of the workforce member responsible for this incident." (Only if applicable and approved by legal counsel)
SECTION 7: ESCALATION PROCEDURES
7.1 Supervisor Escalation Triggers
Transfer the call to a supervisor immediately if any of the following occur:
☐ The caller becomes abusive, threatening, or uses profanity
☐ The caller threatens to contact the media
☐ The caller indicates they are an attorney or are represented by an attorney
☐ The caller threatens to file a lawsuit
☐ The caller indicates they are a government official or regulator
☐ The caller asks legal questions beyond the scope of this script
☐ The caller reports actual identity theft or financial fraud resulting from the breach
☐ The caller requests information about other individuals' records
☐ The caller asks about the total number of affected individuals
☐ The caller asks for compensation or monetary damages
Escalation Script:
"I understand your concern, and I want to make sure you receive the most complete information possible. With your permission, I would like to connect you with my supervisor, [Supervisor Name], who can better assist you. May I place you on a brief hold?"
7.2 Angry / Upset Caller Script
"I completely understand your frustration, and I sincerely apologize for the concern this has caused you. We take this matter very seriously. Let me make sure I provide you with all the information and resources available to you."
"Is there anything specific I can help clarify or any particular concern you would like to address?"
7.3 Caller Threatening Legal Action
"I understand your concern. I am not able to provide legal advice, but I want to make sure you have all the information we can provide about this incident and the steps you can take to protect yourself. If you wish to speak with someone further about your concerns, I can provide you with our contact information for written correspondence."
Note: Do NOT acknowledge liability, admit fault, or make statements about the merits of any potential legal claim. Do NOT attempt to dissuade the individual from pursuing legal remedies.
SECTION 8: MEDIA INQUIRY REDIRECT
If the caller identifies themselves as a member of the media:
"Thank you for your inquiry. I am not authorized to speak with the media regarding this matter. Please direct your questions to our media contact:"
"[Media Contact Name]"
"[Media Contact Phone Number]"
"[Media Contact Email Address]"
"We will not be providing any additional information through this call center. Thank you for your understanding."
Note: Do NOT answer any questions from media representatives. Do NOT confirm or deny any details about the breach. Do NOT provide the number of affected individuals. Refer all media inquiries to the designated spokesperson.
SECTION 9: SPECIAL SCENARIOS
9.1 Minor's Records
If the affected individual is a minor (under 18):
"Because the affected individual is a minor, I need to speak with a parent or legal guardian. May I confirm that you are the parent or legal guardian of [Minor's Name]?"
Verify the identity of the parent/legal guardian before disclosing details. Follow state law regarding minors' consent and access to health records (some states give minors independent rights to certain health information).
9.2 Deceased Individual
If the affected individual is deceased:
"I understand, and I am very sorry for your loss. Under federal law, we are required to provide this notification. May I speak with the next of kin or personal representative of the estate?"
Per 45 C.F.R. § 164.502(g), a personal representative of a deceased individual has the same rights as the individual with respect to PHI. Verify the caller's status as personal representative (executor, administrator, next of kin as applicable under state law).
9.3 Personal Representative
If someone other than the individual is authorized to receive the notification:
"I understand you are the [power of attorney / legal guardian / personal representative / executor] for [Individual Name]. Before I can share this information with you, I need to verify your authority."
☐ Confirm personal representative status per documentation on file
☐ If no documentation on file, request that the personal representative submit documentation and call back, or provide a mailing address for written notification
9.4 Limited English Proficiency (LEP) Callers
If the individual does not speak English or has limited English proficiency:
"I want to make sure you understand this important information. Do you need an interpreter?"
☐ Access language line services at: [________________________________]
☐ Language line phone number: [________________________________]
☐ Language line access code: [________________________________]
Available languages include: Spanish, Mandarin, Cantonese, Vietnamese, Korean, Tagalog, Russian, Arabic, Haitian Creole, French, Portuguese, and others.
Note: Under Title VI of the Civil Rights Act of 1964 and Section 1557 of the ACA, covered entities receiving federal financial assistance must provide meaningful access to individuals with limited English proficiency. This includes breach notifications.
9.5 Individuals with Hearing Impairments
☐ TTY/TDD number: [________________________________]
☐ Relay service information: 7-1-1 (national relay service)
☐ Offer to provide all information in writing if preferred
SECTION 10: FREQUENTLY ASKED QUESTIONS (FAQs)
Q1: "What information was compromised?"
"Based on our investigation, the types of information that may have been involved include [list applicable types from Section 4]. I can go through the specific categories again if that would be helpful."
Q2: "When did this happen?"
"The incident occurred on or about [Date of Breach or Date Range]. We discovered it on [Date of Discovery] and began our investigation immediately. We are notifying you now because we needed to complete our investigation to determine what information was involved and who was affected."
Q3: "How did this happen?"
"[Provide the approved description from Section 3]. Our investigation is [ongoing / complete], and we have taken steps to prevent this type of incident from occurring again."
Q4: "Why did it take so long to notify me?"
"We understand your concern about the timing. After discovering the incident, we needed to conduct a thorough investigation to determine exactly what information was involved and identify all affected individuals. Under federal law, we are required to provide notification without unreasonable delay and within 60 days of discovering the breach. We worked as quickly as possible while ensuring the accuracy of our notification."
Q5: "What are you doing about it?"
"We have taken several steps in response to this incident, including [summarize from Section 6]. We are committed to protecting your information and have implemented additional safeguards to help prevent similar incidents in the future."
Q6: "Will I get credit monitoring?"
If credit monitoring is being offered:
"Yes, we are providing [duration] of complimentary [credit monitoring / identity protection] services through [Vendor Name]. [Provide enrollment instructions from Section 5.4]."
If credit monitoring is NOT being offered:
"Based on the nature of the information involved in this incident, [we are not offering credit monitoring services at this time / we are evaluating what additional services may be appropriate]. However, I can provide you with information about steps you can take to protect yourself, including how to place a fraud alert or security freeze on your credit file at no cost."
Q7: "How do I protect myself?"
"There are several steps you can take. [Review applicable protective steps from Section 5]. Would you like me to go through any of those in more detail?"
Q8: "Can I sue?"
"I am not able to provide legal advice. If you have questions about your legal rights, we recommend that you consult with an attorney. I can provide you with our mailing address and the contact information for our Privacy Officer if you would like to submit a written inquiry."
Note: Do NOT provide any opinion on the merits of legal claims. Do NOT discourage the individual from seeking legal counsel.
Q9: "Who do I contact for more information?"
"You can contact us in the following ways:"
"By phone: [Toll-Free Number], available [Hours of Operation]"
"By email: [Email Address]"
"By mail: [Mailing Address]"
"Online: [Website URL with breach information]"
"Your reference number is [Breach Reference Number]. Please have this number available when you contact us."
Q10: "Has my information been misused?"
"At this time, [we have no evidence that your information has been misused / we are continuing to monitor the situation]. However, we encourage you to remain vigilant and take the protective steps we have discussed. If you discover any suspicious activity, please contact us immediately and also report it to [the FTC at IdentityTheft.gov / your local law enforcement]."
Q11: "How many people were affected?"
"I am not able to provide the total number of affected individuals at this time. Our focus is on providing you with the information you need to protect yourself."
Note: Do NOT disclose the total number of affected individuals unless specifically authorized by legal counsel and the Privacy Officer.
Q12: "Will you pay for damages I have suffered?"
"I understand your concern. At this time, I am providing you with information about the breach and the resources available to you. If you have experienced specific financial harm that you believe is related to this incident, please [contact our Privacy Officer at the number/address I will provide / submit your concerns in writing to our Privacy Officer]."
Note: Do NOT make any promises regarding compensation. Escalate to supervisor if the caller insists.
SECTION 11: CALL DOCUMENTATION
11.1 Call Log Template
Every call must be documented. Complete the following for each call:
Call Log Entry
| Field | Details |
|---|---|
| Breach Reference Number | [________________________________] |
| Call Date | [__/__/____] |
| Call Time (Start) | [____:____] AM/PM |
| Call Time (End) | [____:____] AM/PM |
| Caller Agent Name | [________________________________] |
| Individual Called | [________________________________] |
| Phone Number Called | [________________________________] |
| Call Outcome | ☐ Notification completed ☐ Left voicemail ☐ No answer ☐ Wrong number ☐ Disconnected number ☐ Individual called back ☐ Transferred to supervisor |
| Identity Verified? | ☐ Yes ☐ No — Reason: [________________] |
| Spoke With | ☐ Individual ☐ Personal representative ☐ Voicemail ☐ Other person (no info disclosed) |
| Interpreter Used? | ☐ Yes — Language: [________________] ☐ No |
| All 5 Content Elements Delivered? | ☐ Yes ☐ No — Explain: [________________] |
| Credit Monitoring Enrollment Info Provided? | ☐ Yes ☐ No ☐ N/A |
| Questions Asked by Individual | [________________________________] |
| Individual Concerns / Complaints | [________________________________] |
| Escalated to Supervisor? | ☐ Yes — Reason: [________________] ☐ No |
| Follow-Up Required? | ☐ Yes — Action: [________________] ☐ No |
| Agent Notes | [________________________________] |
11.2 Callback Log
For individuals who call back with questions:
| Field | Details |
|---|---|
| Reference Number | [________________________________] |
| Callback Date / Time | [__/__/____] [____:____] AM/PM |
| Individual Name | [________________________________] |
| Identity Verified? | ☐ Yes ☐ No |
| Reason for Callback | [________________________________] |
| Resolution | [________________________________] |
| Escalated? | ☐ Yes ☐ No |
| Agent Name | [________________________________] |
SECTION 12: CLOSING SCRIPT
12.1 Standard Closing
"Before we end this call, I want to make sure I have provided you with all the information you need. Do you have any other questions?"
[Address any remaining questions]
"As a reminder, you will also receive a written notification by mail with all of this information in detail. Your reference number is [Breach Reference Number]. Please keep this number for your records."
"If you have any questions in the future, you can reach us at [Toll-Free Number], available [Hours of Operation], or by email at [Email Address]."
"On behalf of [Organization Name], I sincerely apologize for any inconvenience or concern this may have caused you. We are committed to protecting your health information and have taken steps to prevent this from happening again."
"Thank you for your time, and have a good [morning/afternoon/evening]."
12.2 Closing When Individual Declines to Listen
"I understand. We will be sending you a written notification with all of the details by mail. If you have questions after reviewing it, please call us at [Toll-Free Number]. Your reference number is [Breach Reference Number]. Thank you for your time."
12.3 Closing After Supervisor Escalation
"[Supervisor Name] here. Thank you for speaking with me today. I hope I was able to address your concerns. As a reminder, your reference number is [Breach Reference Number], and you can contact us anytime at [Toll-Free Number]. We value your trust and are committed to resolving this matter. Thank you."
SECTION 13: CALL CENTER OPERATIONS
13.1 Call Center Setup Checklist
☐ Dedicated toll-free number established and tested: [________________________________]
☐ Call center hours established: [________________________________]
☐ Staffing plan developed (estimated call volume: [____] calls)
☐ All agents trained on script and escalation procedures
☐ Supervisors briefed on escalation scenarios
☐ Language line services confirmed and access codes distributed
☐ Call logging system configured and tested
☐ FAQ reference sheets printed and distributed to agents
☐ Private/secure workspace established for agents (calls discuss PHI)
☐ Quality assurance monitoring plan in place
13.2 Quality Assurance
☐ [____]% of calls will be monitored for quality and compliance
☐ Supervisors will review call logs daily
☐ Agent feedback sessions conducted [weekly / bi-weekly]
☐ Script adherence tracked and documented
☐ All five required content elements verified on monitored calls
13.3 Reporting
Daily reports shall be generated and provided to the Privacy Officer including:
☐ Total calls attempted / completed / voicemails / callbacks
☐ Number of individuals successfully notified
☐ Number of calls escalated to supervisor (with reasons)
☐ Number of calls requiring interpreter services
☐ Common questions and concerns reported
☐ Any reports of actual identity theft or financial fraud
SECTION 14: CROSS-REFERENCE TO RELATED TEMPLATES
This Call Script works in conjunction with the following Organization documents:
- HIPAA Breach Response Plan — Comprehensive breach response procedures
- HIPAA Security Incident Response Plan — Security incident identification and response
- HIPAA Breach Risk Assessment Worksheet — Four-factor risk assessment documentation
- HIPAA Breach Notification — HHS — HHS breach portal submission guide
- HIPAA Breach Notification — Media — Media notification and press release template
SOURCES AND REFERENCES
- 45 C.F.R. § 164.404 — Notification to Individuals
- 45 C.F.R. § 164.404(c) — Content of Individual Notification (Five Required Elements)
- 45 C.F.R. § 164.404(d)(2) — Urgent Notification by Telephone
- 45 C.F.R. § 164.502(g) — Personal Representatives
- 45 C.F.R. §§ 164.400-414 — Breach Notification Rule (Complete)
- HHS OCR — Breach Notification Rule Guidance (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- FTC — IdentityTheft.gov Recovery Plans (https://www.identitytheft.gov)
- FTC — Free Credit Reports (https://www.annualcreditreport.com)
- Title VI of the Civil Rights Act of 1964 — Language Access Requirements
- Section 1557 of the Affordable Care Act — Nondiscrimination in Health Programs
This template is provided for informational purposes only and does not constitute legal advice. Organizations should have this script reviewed and customized by qualified legal counsel before use. All communications regarding a breach should be reviewed by legal counsel and the Privacy Officer.
For use on ezel.ai — a legal template platform for solo practitioners and small firms.
Last updated: March 2026