[Federal Register Volume 81, Number 97 (Thursday, May 19, 2016)]
[Notices]
[Pages 31646-31648]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-11785]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

[Document Identifier: HHS-OS-0945-0003-30D]


Agency Information Collection Activities; Submission to OMB for 
Review and Approval; Public Comment Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with section 3507(a)(1)(D) of the Paperwork 
Reduction Act of 1995, the Office of the Secretary (OS), Department of 
Health and Human Services, has submitted an Information Collection 
Request (ICR), described below, to the Office of Management and Budget 
(OMB) for review and approval. The ICR is for revision of the approved 
information collection assigned OMB control number 0945-0003, scheduled 
to expire on January 1, 2017. Comments submitted during the first 
public review of this ICR will be provided to OMB. OMB will accept 
further comments from the public on this ICR during the review and 
approval period.

DATES: Comments on the ICR must be received on or before June 20, 2016.

ADDRESSES: Submit your comments to [email protected] or via 
facsimile to (202) 395-5806.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance 
staff, [email protected] or (202) 690-6162.

SUPPLEMENTARY INFORMATION: When submitting comments or requesting 
information, please include the OMB control number 0945-0003-30D for 
reference.
    Proposed Project: HIPAA Privacy, Security, and Breach Notification 
Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 
164.
    Abstract: This revision does not change any requirements of the 
HIPAA Privacy, Security, and Breach Notification Rules. Among other 
updates summarized below, the ICR requests to rename the information 
collection and incorporate into it the substance of two other 
information collections (#0945-0004, set to expire on May 31, 2016; and 
#0945-0001, expiring on September 30, 2016), which then would be 
discontinued. The ICR addresses the burden on regulated entities for 
compliance with the

[[Page 31647]]

information collection requirements of the HIPAA Privacy, Security, and 
Breach Notification Rules; the voluntary burden on members of the 
public for obtaining information from covered entities regarding 
breaches of their protected health information; and the information 
collection burden on the Office for Civil Rights (OCR) associated with 
administering aspects of the HIPAA Breach Notification program. 
Combining the three existing information collections identified above 
will allow the regulated community, the public, and OCR to more easily 
view and track the estimated burdens associated with the HIPAA Rules 
that are administered and enforced by OCR. In addition to combining the 
ICRs, the proposed updates take into account our experience 
administering the Rules to more accurately reflect the burdens of 
compliance with the applicable regulatory requirements; remove the 
estimated burden of initial compliance with the Omnibus HIPAA Final 
Rule, because we are well past the compliance dates; and incorporate 
increases in wages for the job categories that we expect to be involved 
in compliance activities.

                                        Estimated Annualized Burden Table
----------------------------------------------------------------------------------------------------------------
                                                                   Number of     Average burden
       Section           Type of respondent       Number of      responses per      hours per      Total burden
                                                 respondents      respondent        response           hours
----------------------------------------------------------------------------------------------------------------
160.204..............  Process for            1...............               1  16..............              16
                        Requesting Exception
                        Determinations
                        (states or persons).
164.308..............  Risk Analysis--        1,700,000.......               1  10..............      17,000,000
                        Documentation.
164.308..............  Information System     1,700,000.......              12  .75.............      15,300,000
                        Activity Review--
                        Documentation.
164.308..............  Security Reminders--   1,700,000.......              12  1...............      20,400,000
                        Periodic Updates.
164.308..............  Security Incidents     1,700,000.......              52  5...............     442,000,000
                        (other than
                        breaches)--Documenta
                        tion.
164.308..............  Contingency Plan--     1,700,000.......               1  8...............      13,600,000
                        Testing and Revision.
164.308..............  Contingency Plan--     1,700,000.......               1  4...............       6,800,000
                        Criticality Analysis.
164.310..............  Maintenance Records..  1,700,000.......              12  6...............     122,400,000
164.314..............  Security Incidents--   1,000,000.......              12  20..............     240,000,000
                        Business Associate
                        reporting of
                        incidents (other
                        than breach) to
                        Covered Entities.
164.316..............  Documentation--Review  1,700,000.......               1  6...............      10,200,000
                        and Update.
164.404..............  Individual Notice--    58,481..........               1  .5..............          29,240
                        Written and Email
                        Notice (drafting).
164.404..............  Individual Notice--    58,481..........               1  .5..............          29,240
                        Written and Email
                        Notice (preparing
                        and documenting
                        notification).
164.404..............  Individual Notice--    58,481..........             353  .008............         165,150
                        Written and Email
                        Notice (processing
                        and sending).
164.404..............  Individual Notice--    2,746...........               1  1...............           2,746
                        Substitute Notice
                        (posting or
                        publishing).
164.404..............  Individual Notice--    2,746...........               1  5.75............          15,789
                        Substitute Notice
                        (staffing toll-free
                        number).
164.404..............  Individual Notice--    11,326,440......               1  .125............       1,415,805
                        Substitute Notice
                        (individuals'
                        voluntary burden to
                        call toll-free
                        number for
                        information).
164.406..............  Media Notice.........  267.............               1  1.25............             333
164.408..............  Notice to Secretary    267.............               1  1.25............             333
                        (notice for breaches
                        affecting 500 or
                        more individuals).
164.408..............  Notice to Secretary    58,215..........               1  1...............          58,215
                        (notice for breaches
                        affecting fewer than
                        500 individuals).
164.414..............  500 or More Affected   267.............               1  50..............          13,350
                        Individuals
                        (investigating and
                        documenting breach).
164.414..............  Less than 500          2,479 (breaches                1  8...............          19,832
                        Affected Individuals   affecting 10-
                        (investigating and     499
                        documenting breach).   individuals).
                                              55,736 (breaches               1  4...............         222,944
                                               affecting <10
                                               individuals).
164.504..............  Uses and Disclosures-- 700,000.........               1  5/60............          58,333
                        Organizational
                        Requirements.
164.508..............  Uses and Disclosures   700,000.........               1  1...............         700,000
                        for Which Individual
                        authorization is
                        required.
164.512..............  Uses and Disclosures   113,524.........               1  5/60............           9,460
                        for Research
                        Purposes.
164.520..............  Notice of Privacy      100,000,000.....               1  0.25 minutes [1          416,667
                        Practices for                                            hour per 240
                        Protected Health                                         notices].
                        Information (health
                        plans--periodic
                        distribution of NPPs
                        by paper mail).
164.520..............  Notice of Privacy      100,000,000.....               1  0.167 minutes [1         278,333
                        Practices for                                            hour per 360
                        Protected Health                                         notices].
                        Information (health
                        plans--periodic
                        distribution of NPPs
                        by electronic mail).

[[Page 31648]]

 
164.520..............  Notice of Privacy      613,000,000.....               1  3/60............      30,650,000
                        Practices for
                        Protected Health
                        Information (health
                        care providers--
                        dissemination and
                        acknowledgement).
164.522..............  Rights to Request      20,000..........               1  3/60............           1,000
                        Privacy Protection
                        for Protected Health
                        Information.
164.524..............  Access of Individuals  200,000.........               1  3/60............          10,000
                        to Protected Health
                        Information
                        (disclosures).
164.526..............  Amendment of           150,000.........               1  5/60............          12,500
                        Protected Health
                        Information
                        (requests).
164.526..............  Amendment of           50,000..........               1  5/60............           4,166
                        Protected Health
                        Information
                        (denials).
164.528..............  Accounting for         5,000...........               1  3/60............             250
                        Disclosures of
                        Protected Health
                        Information.
                                             -------------------------------------------------------------------
    Total............  .....................  ................  ..............  ................     921,813,702
----------------------------------------------------------------------------------------------------------------


Terry S. Clark,
Asst Information Collection Clearance Officer.
[FR Doc. 2016-11785 Filed 5-18-16; 8:45 am]
 BILLING CODE 4153-01-P