[Federal Register Volume 81, Number 22 (Wednesday, February 3, 2016)]
[Notices]
[Pages 5750-5751]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01975]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Submission for OMB 
Review; Comment Request

AGENCY: Federal Trade Commission.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: In compliance with the Paperwork Reduction Act (PRA) of 1995, 
the FTC is seeking public comments on its request to Office of 
Management and Budget (OMB) to extend for three years the current PRA 
clearance for the information collection requirements contained in the 
Health Breach Notification Rule. That clearance expires on March 31, 
2016.

DATES: Comments must be received by March 4, 2016.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Health Breach 
Notification Rule, PRA Comments, P-125402'' on your comment, and file 
your comment online at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationpra2 by following the instructions on the web-
based form. If you prefer to file your comment on paper, mail or 
deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
copies of the proposed information requirements should be addressed to 
Cora Tung Han, 202-326-2441, Attorney, Privacy & Identity Protection, 
Bureau of Consumer Protection, 600 Pennsylvania Ave. NW., Washington, 
DC 20580.

SUPPLEMENTARY INFORMATION: 
    Title: Health Breach Notification Rule.
    OMB Control Number: 3084-0150.
    Type of Review: Extension of a currently approved collection.
    Abstract: The Health Breach Notification Rule (Rule), 16 CFR part 
318, requires vendors of personal health records and PHR related 
entities \1\ to provide: (1) Notice to consumers whose unsecured 
personally identifiable health information has been breached; and (2) 
notice to the Commission. The Rule only applies to electronic health 
records and does not include recordkeeping requirements. The Rule 
requires third party service providers (i.e., those companies that 
provide services such as billing or data storage) to vendors of 
personal health records and PHR related entities to provide 
notification to such vendors and PHR related entities following the 
discovery of a breach. To notify the FTC of a breach, the Commission 
developed a form, which is posted at www.ftc.gov/healthbreach, for 
entities subject to the rule to complete and return to the agency.
---------------------------------------------------------------------------

    \1\ ``PHR related entity'' means an entity, other than a HIPAA-
covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that: 
(1) Offers products or services through the Web site of a vendor of 
personal health records; (2) offers products or services through the 
Web sites of HIPAA-covered entities that offer individuals personal 
health records; or (3) accesses information in a personal health 
record or sends information to a personal health record. 16 CFR 
318.2(f).
---------------------------------------------------------------------------

    On October 16, 2015, the FTC sought comment on the information 
collection requirements associated with the Rule. 80 FR 62530. The FTC 
received three comments. None of these however addressed either the 
burden associated with the Rule or any of the other issues raised by 
the public comment request. Pursuant to the OMB regulations, 5 CFR part 
1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is 
providing this second opportunity for public comment while seeking OMB 
approval to renew the pre-existing clearance for the Rule. For more 
details about the Rule requirements and the basis for the calculations 
summarized below, see 80 FR 62530.
    Likely Respondents: Vendors of personal health records, PHR related 
entities and third party service providers.
    Estimated Annual Hours Burden: 3,267.
    Estimated Frequency: 2 breach incidents per year.
    Total Annual Labor Cost: $61,764.
    Total Annual Capital or Other Non-Labor Cost: $49,960.
    Request for Comment: You can file a comment online or on paper. For 
the Commission to consider your comment, we must receive it on or 
before March 4, 2016. Write ``Health Breach Notification Rule, PRA 
Comments, P-125402'' on your comment. Your comment--including your name 
and your state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission Web 
site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission Web 
site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, such as anyone's Social Security 
number, date of birth, driver's license number or other state 
identification number or foreign country equivalent, passport number, 
financial account number, or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which is . . . privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.

[[Page 5751]]

    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you are required to follow the procedure 
explained in FTC Rule 4.9(c), 16 CFR 4.9(c). Your comment will be kept 
confidential only if the FTC General Counsel grants your request in 
accordance with the law and the public interest.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online, or to send it to the Commission by courier or 
overnight service. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationpra2, by following the instructions on the 
web-based form. If this Notice appears at http://www.regulations.gov, 
you also may file a comment through that Web site.
    If you file your comment on paper, write ``Health Breach 
Notification Rule, PRA Comments, P-125402'' on your comment and on the 
envelope, and mail or deliver it to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., 
Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 
5610 (Annex J), Washington, DC 20024. If possible, submit your paper 
comment to the Commission by courier or overnight service.
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before March 4, 2016. 
You can find more information, including routine uses permitted by the 
Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.
    Comments on the information collection requirements subject to 
review under the PRA should also be submitted to OMB. If sent by U.S. 
mail, address comments to: Office of Information and Regulatory 
Affairs, Office of Management and Budget, Attention: Desk Officer for 
the Federal Trade Commission, New Executive Office Building, Docket 
Library, Room 10102, 725 17th Street NW., Washington, DC 20503. 
Comments sent to OMB by U.S. postal mail, however, are subject to 
delays due to heightened security precautions. Thus, comments instead 
should be sent by facsimile to (202) 395-5167.

Christian S. White,
Deputy General Counsel.
[FR Doc. 2016-01975 Filed 2-2-16; 8:45 am]
BILLING CODE 6750-01-P