[Federal Register Volume 77, Number 165 (Friday, August 24, 2012)]
[Notices]
[Pages 51535-51536]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-20909]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Submission for OMB 
Review; Comment Request; Extension

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The FTC intends to ask the Office of Management and Budget 
(``OMB'') to extend through September 30, 2015, the current Paperwork 
Reduction Act (``PRA'') clearance for the information collection 
requirements in the Health Breach Notification Rule. That clearance 
expires on September 30, 2012.

DATES: Comments must be filed by September 24, 2012.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Health Breach 
Notification Rule, PRA Comments, P-125402'' on your comment and file 
your comment online at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationPRA2, by following the instructions on the 
web-based form. If you prefer to file your comment on paper, mail or 
deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex J), 600 
Pennsylvania Avenue NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias, Attorney, Division 
of Privacy and Identity Protection, Bureau of Consumer Protection, 
Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 
20580, (202) 326-2252.

SUPPLEMENTARY INFORMATION: 
    Title: Health Breach Notification Rule.
    OMB Control Number: 3084-0150.
    Type of Review: Extension of a currently approved collection.
    Abstract: The Health Breach Notification Rule (``Rule''), 16 CFR 
Part 318, requires vendors of personal health records and PHR related 
entities \1\ to provide: (1) Notice to consumers whose unsecured 
personally identifiable health information has been breached; and (2) 
notice to the Commission. The Rule only applies to electronic health 
records and does not include recordkeeping requirements. The Rule 
requires third party service providers (i.e., those companies that 
provide services such as billing or data storage) to vendors of 
personal health records and PHR related entities to provide 
notification to such vendors and PHR related entities following the 
discovery of a breach. To notify the FTC of a breach, the Commission 
developed a form, which is posted at www.ftc.gov/healthbreach, for 
entities subject to the rule to complete and return to the agency.
---------------------------------------------------------------------------

    \1\ ``PHR related entity'' means an entity, other than a HIPAA-
covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that: 
(1) Offers products or services through the Web site of a vendor of 
personal health records; (2) offers products or services through the 
Web sites of HIPAA-covered entities that offer individuals personal 
health records; or (3) accesses information in a personal health 
record or sends information to a personal health record. 16 CFR 
318.2(f).
---------------------------------------------------------------------------

    On May 29, 2012, the FTC sought comment on the information 
collection requirements associated with the Rule. 77 FR 31612. No 
comments were received. Pursuant to the OMB regulations, 5 CFR Part 1320, that 
implement the PRA, 44 U.S.C. 3501 et seq., the FTC is providing this 
second opportunity for public comment while seeking OMB approval to 
renew the pre-existing clearance for the Rule. For more details about 
the Rule requirements and the basis for the calculations summarized 
below, see 77 FR 31612.
    Estimated Annual Burden: 100 hours per breach (to determine what 
information has been breached, identify the affected customers, prepare 
the breach notice, and make the required report to the Commission) + 
192 hours to process an estimated 500 calls in the event of a data 
breach.
    Estimated Frequency: 2 breach incidents.
    Total Annual Labor Cost: $13,379.
    Total Annual Capital or Other Non-Labor Cost: $7,918.
    Request For Comment:
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before September 24, 
2012. Write ``Health Breach Notification Rule, PRA Comments, P-125402'' 
on your comment. Your comment--including your name and your state--will 
be placed on the public record of this proceeding, including to the 
extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which is * * * privileged or confidential'' as provided in Section 6(f) 
of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c).\2\ Your comment will be kept confidential only if 
the FTC General Counsel, in his or her sole discretion, grants your 
request in accordance with the law and the public interest.
---------------------------------------------------------------------------

    \2\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationPRA2, by following the instructions on the 
web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.
    If you file your comment on paper, write ``Health Breach 
Notification Rule, PRA comments, P-125402'' on your comment and on the 
envelope, and mail or deliver it to the following address: Federal 
Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 
Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your 
paper comment to the Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before September 24, 2012. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
    Comments on the disclosure and reporting requirements subject to 
review under the PRA should additionally be submitted to OMB. If sent 
by U.S. mail, they should be addressed to Office of Information and 
Regulatory Affairs, Office of Management and Budget, Attention: Desk 
Officer for the Federal Trade Commission, New Executive Office 
Building, Docket Library, Room 10102, 725 17th Street NW., Washington, 
DC 20503. Comments sent to OMB by U.S. postal mail, however, are 
subject to delays due to heightened security precautions. Thus, 
comments instead should be sent by facsimile to (202) 395-5167.

Willard K. Tom,
General Counsel.
[FR Doc. 2012-20909 Filed 8-23-12; 8:45 am]
BILLING CODE 6750-01-P