[Federal Register Volume 84, Number 85 (Thursday, May 2, 2019)]
[Notices]
[Pages 18845-18846]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-08909]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Submission for OMB 
Review; Comment Request

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The FTC requests that the Office of Management and Budget 
(OMB) extend for three years the current PRA clearance for information 
collection requirements contained in the agency's Health Breach 
Notification Rule. The existing clearance expires on May 31, 2019. The 
public should address comments to this notice to the OMB.

DATES: Comments must be received by June 3, 2019.

ADDRESSES: Comments in response to this notice should be submitted to 
the OMB Desk Officer for the Federal Trade Commission within 30 days of 
this notice. You may submit comments using any of the following 
methods:
    Electronic: Write ``Health Breach Notification Rule: PRA Comment, 
P072108,'' on your comment and file your comment online at https://www.regulations.gov, by following the instructions on the web-based 
form.
    Email: [email protected].
    Fax: (202) 395-5806.
    Mail: Office of Information and Regulatory Affairs, Office of 
Management and Budget, Attention: Desk Officer for the Federal Trade 
Commission, New Executive Office Building, Docket Library, Room 10102, 
725 17th Street NW, Washington, DC 20503.

FOR FURTHER INFORMATION CONTACT: Robin Wetherill, 202-326-2220, 
Attorney, Privacy & Identity Protection, Bureau of Consumer Protection, 
600 Pennsylvania Ave. NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:
    Title: Health Breach Notification Rule.
    OMB Control Number: 3084-0150.
    Type of Review: Extension of a currently approved collection.
    Abstract: The Health Breach Notification Rule (Rule), 16 CFR part 
318, requires vendors of personal health records and PHR related 
entities to

[[Page 18846]]

provide: (1) Notice to consumers whose unsecured personally 
identifiable health information has been breached; and (2) notice to 
the Commission. The Rule only applies to electronic health records and 
does not include recordkeeping requirements. The Rule requires third 
party service providers (i.e., those companies that provide services 
such as billing or data storage) to vendors of personal health records 
and PHR related entities to provide notification to such vendors and 
PHR related entities following the discovery of a breach. To notify the 
FTC of a breach, the Commission developed a simple, two-page form 
requesting minimal information and consisting mainly of check boxes, 
which is posted at www.ftc.gov/healthbreach.
    On February 8, 2019, the FTC sought comment on the information 
collection requirements associated with the Rule. 84 FR 2868. The FTC 
received seven non-germane comments that did not address either the 
burden associated with the Rule or any of the other issues raised by 
the public comment request. Pursuant to OMB regulations, 5 CFR part 
1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is 
providing this second opportunity for public comment while seeking OMB 
approval to renew the pre-existing clearance for the Rule. For more 
details about the Rule requirements and the basis for the calculations 
summarized below, see 84 FR 2868.
    Likely Respondents: Vendors of personal health records, PHR related 
entities and third party service providers.
    Estimated Annual Hours Burden: 4,779.
    Estimated Frequency: 25,000 single-person breaches per year and 
0.33 major breaches per year.
    Total Annual Labor Cost: $96,656.\1\
---------------------------------------------------------------------------

    \1\ Hourly wages throughout this document are updated from the 
60-Day Federal Register notice and are based on mean hourly wages 
found at http://www.bls.gov/news.release/ocwage.htm (``Occupational 
Employment and Wages-May 2018,'' U.S. Department of Labor, released 
March 2019, Table 1 (``National employment and wage data from the 
Occupational Employment Statistics survey by occupation, May 
2018'').
    The breakdown of labor hours and costs is as follows: 50 hours 
of computer and information systems managerial time at approximately 
$73 per hour; 12 hours of marketing manager time at $71 per hour; 33 
hours of computer programmer time at $43 per hour; and 5 hours of 
legal staff time at $69 per hour. The cost of telephone operators is 
estimated at $19/hour.
---------------------------------------------------------------------------

    Total Annual Capital or Other Non-Labor Cost: $29,952.\2\
---------------------------------------------------------------------------

    \2\ Average wages for information security analysts are 
estimated at $49/hour.
---------------------------------------------------------------------------

Request for Comment

    Your comment--including your name and your state--will be placed on 
the public record of this proceeding at the https://www.regulations.gov 
website. Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, such as anyone's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.

Heather Hippsley,
Deputy General Counsel.
[FR Doc. 2019-08909 Filed 5-1-19; 8:45 am]
BILLING CODE 6750-01-P