16 CFR § 318.6 - Content of notice.

Regardless of the method by which notice is provided to individuals under § 318.5 (regarding methods of notice), notice of a breach of security shall be in plain language and include, to the extent possible, the following:

(a) A brief description of what happened, including: the date of the breach and the date of the discovery of the breach, if known; and the full name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity;

(b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as but not limited to full name, Social Security number, date of birth, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual's use of a health-related mobile application, or device identifier (in combination with another data element));

(c) Steps individuals should take to protect themselves from potential harm resulting from the breach;

(d) A brief description of what the entity that experienced the breach is doing to investigate the breach, to mitigate harm, to protect against any further breaches, and to protect affected individuals, such as offering credit monitoring or other services; and

(e) Contact procedures for individuals to ask questions or learn additional information, which must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address.