[Federal Register Volume 81, Number 52 (Thursday, March 17, 2016)]
[Notices]
[Pages 14453-14455]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-05961]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

[Document Identifier: HHS-OS-0945-0003-60D]


Agency Information Collection Activities; Proposed Collection; 
Public Comment Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with section 3506(c)(2)(A) of the Paperwork 
Reduction Act of 1995, the Office of the Secretary (OS), Department of 
Health and Human Services, announces plans to submit an Information 
Collection Request (ICR), described below, to the Office of Management 
and Budget (OMB). The ICR is for revision of the approved information 
collection assigned OMB control number #0945-0003, which expires on 
January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments 
from the public regarding the burden estimate, below, or any other 
aspect of the ICR.

DATES: Comments on the ICR must be received on or before May 16, 2016.

ADDRESSES: Submit your comments to 
[email protected] or by calling (202) 690-6162.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance 
staff, [email protected] or (202) 690-6162.

SUPPLEMENTARY INFORMATION: When submitting comments or requesting 
information, please include the document identifier HHS-OS-0945-0003-
60D for reference.
    Information Collection Request Title: HIPAA Privacy, Security, and 
Breach Notification Rules, and Supporting Regulations Contained in 45 
CFR parts 160 and 164.
    Abstract: This revision does not change any requirements of the 
HIPAA Privacy, Security, and Breach Notification Rules. Among other 
updates summarized below, the ICR requests to rename the information 
collection and incorporate into it the substance of two other 
information collections (#0945-0004, set to expire on May 31, 2016; and 
#0945-0001, expiring on September 30, 2016), which then would be 
discontinued. The ICR addresses the burden on regulated entities for 
compliance with the information collection requirements of the HIPAA 
Privacy, Security, and Breach Notification Rules; the voluntary burden 
on members of the public for obtaining information from covered 
entities regarding breaches of their protected health information; and 
the information collection burden on the Office for Civil Rights (OCR) 
associated with administering aspects of the HIPAA Breach Notification 
program. Combining the three existing information collections 
identified above will allow the regulated community, the public, and 
OCR to more easily view and track the estimated burdens associated with 
the HIPAA Rules that are administered and enforced by OCR. In addition 
to combining the ICRs, the proposed updates take into account our 
experience administering the Rules to more accurately reflect the 
burdens of compliance with the applicable regulatory requirements; 
remove the estimated burden of initial compliance with the Omnibus 
HIPAA Final Rule, because we are well past the compliance dates; and 
incorporate increases in wages for the job categories that we expect to 
be involved in compliance activities.
    Need and Proposed Use of the Information: The HIPAA Rules require 
covered entities, and in many respects their business associates, to 
protect the privacy and security of individually identifiable health 
information (called ``protected health information'' or ``PHI''); 
fulfill individuals' rights under HIPAA with respect to their health 
information; and provide notification in case of a breach of unsecured 
protected health information. The information collections associated 
with these regulatory requirements include documenting and updating 
policies and procedures for ensuring the 
privacy and security of individuals' health information, recording 
compliance activities, providing individuals with a notice of privacy 
practices and with access to their information upon request, and 
notifying affected individuals, the Secretary, and in some cases the 
media of a breach of protected health information.
    Likely Respondents: HIPAA covered entities and business associates 
(required burden), and individual members of the public affected by 
breaches of their protected health information (voluntary burden).
    Burden Statement: Burden in this context means the time expended by 
persons to generate, maintain, retain, disclose or provide the 
information requested. This includes the time needed to review 
instructions, to develop, acquire, install and utilize technology and 
systems for the purpose of collecting, validating and verifying 
information, processing and maintaining information, and disclosing and 
providing information, to train personnel and to be able to respond to 
a collection of information, to search data sources, to complete and 
review the collection of information, and to transmit or otherwise 
disclose the information. The total annual burden hours estimated for 
this ICR are summarized in the table below.

                                    Total Estimated Annualized Burden--Hours
----------------------------------------------------------------------------------------------------------------
                                                                   Number of     Average burden
       Section          Type of respondent        Number of      responses per      hours per      Total burden
                                                 respondents      respondent      response \1\         hours
----------------------------------------------------------------------------------------------------------------
160.204.............  Process for Requesting  1...............               1  16..............              16
                       Exception
                       Determinations
                       (states or persons).
164.308.............  Risk Analysis--         1,700,000 \2\...               1  10..............      17,000,000
                       Documentation.
164.308.............  Information System      1,700,000.......              12  .75.............      15,300,000
                       Activity Review--
                       Documentation.
164.308.............  Security Reminders--    1,700,000.......              12  1...............      20,400,000
                       Periodic Updates.
164.308.............  Security Incidents      1,700,000.......              52  5...............     442,000,000
                       (other than
                       breaches)--
                       Documentation.
164.308.............  Contingency Plan--      1,700,000.......               1  8...............      13,600,000
                       Testing and Revision.
164.308.............  Contingency Plan--      1,700,000.......               1  4...............       6,800,000
                       Criticality Analysis.
164.310.............  Maintenance Records...  1,700,000.......              12  6...............     122,400,000
164.314.............  Security Incidents--    1,000,000.......              12  20..............     240,000,000
                       Business Associate
                       reporting of
                       incidents (other than
                       breach) to Covered
                       Entities.
164.316.............  Documentation--Review   1,700,000.......               1  6...............      10,200,000
                       and Update \3\.
164.404.............  Individual Notice--     58,481 \4\......               1  .5..............          29,240
                       Written and E-mail
                       Notice (drafting).
164.404.............  Individual Notice--     58,481..........               1  .5..............          29,240
                       Written and E-mail
                       Notice (preparing and
                       documenting
                       notification).
164.404.............  Individual Notice--     58,481..........         \5\ 353  .008............         165,150
                       Written and E-mail
                       Notice (processing
                       and sending).
164.404.............  Individual Notice--     2,746 \6\.......               1  1...............           2,746
                       Substitute Notice
                       (posting or
                       publishing).
164.404.............  Individual Notice--     2,746...........               1  5.75 \7\........          15,789
                       Substitute Notice
                       (staffing toll-free
                       number).
164.404.............  Individual Notice--     11,326,440 \8\..               1  .125 \9\........       1,415,805
                       Substitute Notice
                       (individuals'
                       voluntary burden to
                       call toll-free number
                       for information).
164.406.............  Media Notice..........  267 \10\........               1  1.25............             333
164.408.............  Notice to Secretary     267.............               1  1.25............             333
                       (notice for breaches
                       affecting 500 or more
                       individuals).
164.408.............  Notice to Secretary     58,215 \11\.....               1  1...............          58,215
                       (notice for breaches
                       affecting fewer than
                       500 individuals).
164.414.............  500 or More Affected    267.............               1  50..............          13,350
                       Individuals
                       (investigating and
                       documenting breach).
164.414.............  Less than 500 Affected  2,479 (breaches                1  8...............          19,832
                       Individuals             affecting 10-
                       (investigating and      499
                       documenting breach).    individuals).
                      ......................  55,736 (breaches               1  4...............         222,944
                                               affecting <10
                                               individuals).
164.504.............  Uses and Disclosures--  700,000.........               1  5/60............          58,333
                       Organizational
                       Requirements.
164.508.............  Uses and Disclosures    700,000.........               1  1...............         700,000
                       for Which Individual
                       authorization is
                       required.
164.512.............  Uses and Disclosures    113,524 \12\....               1  5/60............           9,460
                       for Research Purposes.
164.520.............  Notice of Privacy       100,000,000 \13\               1  0.25 minutes [1          416,667
                       Practices for                                             hour per 240
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by paper mail).
164.520.............  Notice of Privacy       100,000,000.....               1  0.167 minutes [1         278,333
                       Practices for                                             hour per 360
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by electronic mail).
164.520.............  Notice of Privacy       613,000,000 \14\               1  3/60............      30,650,000
                       Practices for
                       Protected Health
                       Information (health
                       care providers--
                       dissemination and
                       acknowledgement).
164.522.............  Rights to Request       20,000 \15\.....               1  3/60............           1,000
                       Privacy Protection
                       for Protected Health
                       Information.
164.524.............  Access of Individuals   200,000 \16\....               1  3/60............          10,000
                       to Protected Health
                       Information
                       (disclosures).
164.526.............  Amendment of Protected  150,000.........               1  5/60............          12,500
                       Health Information
                       (requests).
164.526.............  Amendment of Protected  50,000..........               1  5/60............           4,166
                       Health Information
                       (denials).
164.528.............  Accounting for          5,000 \17\......               1  3/60............             250
                       Disclosures of
                       Protected Health
                       Information.
---------------------
    Total...........  ......................  ................  ..............  ................     921,813,702
----------------------------------------------------------------------------------------------------------------
\1\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct
  certain compliance activities, particularly with respect to Security Rule requirements, while large entities
  may spend more hours than those provided here.
\2\ This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The
  Omnibus HIPAA Final Rule burden analysis estimated that there were 1-2 million business associates. However,
  because many business associates have business associate relationships with multiple covered entities, we
  believe the lower end of this range is more accurate.
\3\ This element includes the burden of updating documentation in accordance with the evaluation required by 45
  CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation.
\4\ Total number of breach incidents in 2015.
\5\ Average number of individuals affected per breach incident in 2015.
\6\ This number includes all 267 large breaches and all 2,479 breaches affecting 10-499 individuals. As we
  stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10
  individuals may require substitute notice, we believe the costs of providing such notice through alternative
  written means or by telephone is negligible.
\7\ We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124
  individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours
  per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our
  previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals
  being affected by breaches requiring substitute notice results from the assumption that the number of callers
  to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136)
  and 5% of individuals affected by small breaches (.05 x 285,413 = 14,270). We calculate .10 * (113,250,136 +
  14,270) = 11,326,440.
\8\ As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large
  breaches and 5% of individuals affected by small breaches.
\9\ This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the
  line/decide to call back and 5 minutes for the call itself.
\10\ The total number of breaches affecting 500 or more individuals in 2015.
\11\ The total number of breaches affecting fewer than 500 individuals in 2015.
\12\ The number of entities who use and disclose protected health information for research purposes.
\13\ As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by
  covered health plans will receive the plan's NPP by paper mail, and half will receive the NPP by electronic
  mail.
\14\ We estimate that each year covered health care providers will have first-time visits with 613 million
  individuals, to whom the providers must give a NPP.
\15\ We assume covered entities address 20,000 requests for confidential communications or restrictions on
  disclosures per year.
\16\ We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their
  protected health information.
\17\ We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of
  disclosures of their protected health information.

    OS specifically requests comments on (1) the necessity and utility 
of the proposed information collection for the proper performance of 
the agency's functions, (2) the accuracy of the estimated burden, (3) 
ways to enhance the quality, utility, and clarity of the information to 
be collected, and (4) the use of automated collection techniques or 
other forms of information technology to minimize the information 
collection burden.

Terry S. Clark,
Assistant Information Collection Clearance Officer.
[FR Doc. 2016-05961 Filed 3-16-16; 8:45 am]
 BILLING CODE 4153-01-P