[Federal Register Volume 84, Number 189 (Monday, September 30, 2019)]
[Notices]
[Pages 51604-51606]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21031]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Document Identifier: OS-0945-0003]


Agency Information Collection Request. 30-Day Public Comment 
Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirement of the Paperwork Reduction 
Act of 1995, the Office of the Secretary (OS), Department of Health and 
Human Services, is publishing the following summary of a proposed 
collection for public comment.

DATES: Comments on the Information Collection Request (ICR) must be 
received on or before October 30, 2019.

ADDRESSES: Submit your comments to [email protected] or via 
facsimile to (202) 395-5806.

FOR FURTHER INFORMATION CONTACT: Sherrette Funn, [email protected] 
or (202) 795-7714. When submitting comments or requesting information, 
please include the document identifier 0945-0003-New-30D and project 
title for reference.

SUPPLEMENTARY INFORMATION: Interested persons are invited to send 
comments regarding this burden estimate or any other aspect of this 
collection of information, including any of the following subjects: (1) 
The necessity and utility of the proposed information collection for 
the proper performance of the agency's functions; (2) the accuracy of 
the estimated burden; (3) ways to enhance the quality, utility, and 
clarity of the information to be collected; and (4) the use of 
automated collection techniques or other forms of information 
technology to minimize the information collection burden.
    Title of the Collection: HIPAA Privacy, Security, and Breach 
Notification Rules, and Supporting Regulations Contained in 45 CFR 
parts 160 and 164.
    Type of Collection: Extension.
    OMB No. 0945-0003: Office for Civil Rights (OCR)--Health 
Information Privacy Division.
    Abstract: Office for Civil Rights (OCR) requests approval to extend 
this existing, approved collection without changing any collection 
requirements while OCR obtains public comment through a Notice of 
Proposed Rulemaking (NPRM) proposing modifications to the HIPAA Rules 
that will affect the hourly burdens associated with the Rules. This 
notice does, however, make the following revisions to estimates 
provided in the 60-day public comment request, which do not change the 
collection requirements: (1) Lower the estimated number of individuals 
who call an entity's toll-free number for information after being 
affected by a breach requiring substitute notice to reflect a more 
realistic estimate of the proportion of individuals who choose to call; 
and (2) correct an error from the 2016 ICR notice that underestimated 
the average number of individuals affected per breach because it relied 
on older breach data. This notice also incorporates data from the 60-
day public comment request which recognizes for the first time the 
burdens resulting from the pre-existing, ongoing requirements for 
business associates to report breaches of PHI to their covered 
entities.
    We did not receive public comment on the 60-day public comment 
request published on July 19, 2019. We expect to receive robust public 
comment on existing burdens associated with compliance with the HIPAA 
Rules and on changes in burden that could result from the modifications 
proposed in the NPRM. OCR will update this ICR to reflect the input we 
receive.
    Likely Respondents: HIPAA covered entities, business associates, 
individuals, and professional and trade associations of covered 
entities and business associates.


                                        Estimated Annualized Burden Table
----------------------------------------------------------------------------------------------------------------
                                                                     Number of        Average
     Forms (if necessary)        Respondents (if     Number of     responses per    burden per     Total  burden
                                   necessary)       respondents     respondents      response          hours
----------------------------------------------------------------------------------------------------------------
45 CFR 160.204 Process for      A state's chief                1               1              16              16
 Requesting Exception            elected
 Determinations (states or       official or
 persons).                       designee.
45 CFR 164.308 Risk Analysis--  Covered                1,700,000               1              10      17,000,000
 Documentation.                  entities;
                                 business
                                 associates.
45 CFR 164.308 Information      Covered                1,700,000              12            0.75      15,300,000
 System Activity Review--        entities;
 Documentation.                  business
                                 associates.
45 CFR 164.308 Security         Covered                1,700,000              12               1      20,400,000
 Reminders--Periodic Updates.    entities;
                                 business
                                 associates.
45 CFR 164.308 Security         Covered                1,700,000              52               5     442,000,000
 Incidents (other than           entities;
 breaches)--Documentation.       business
                                 associates.
45 CFR 164.308 Contingency      Covered                1,700,000               1               8      13,600,000
 Plan--Testing and Revision.     entities;
                                 business
                                 associates.
45 CFR 164.308 Contingency      Covered                1,700,000               1               4       6,800,000
 Plan--Criticality Analysis.     entities;
                                 business
                                 associates.
45 CFR 164.310 Maintenance      Covered                1,700,000              12               6     122,400,000
 Records.                        entities;
                                 business
                                 associates.
45 CFR 164.314 Security         Business               1,000,000              12              20     240,000,000
 Incidents--Business Associate   associates.
 reporting of incidents (other
 than breach) to Covered
 Entities.
45 CFR 164.316 Documentation--  Covered                1,700,000               1               6      10,200,000
 Review and Update.              entities;
                                 business
                                 associates.
45 CFR 164.404 Individual       Covered entities          58,482               1             0.5          29,241
 Notice--Written and Email
 Notice (drafting).
45 CFR 164.404 Individual       Covered entities          58,482               1             0.5          29,241
 Notice--Written and Email
 Notice (preparing and
 documenting notification).
45 CFR 164.404 Individual       Covered entities          58,482           1,941           0.008         908,108
 Notice--Written and Email
 Notice (processing and
 sending).
45 CFR 164.404 Individual       Covered entities           2,746               1               1           2,746
 Notice--Substitute Notice
 (posting or publishing).
45 CFR 164.404 Individual       Covered entities           2,746               1            3.42           9,391
 Notice--Substitute Notice
 (staffing toll-free number).
45 CFR 164.404 Individual       Covered entities         113,264               1           0.125          14,158
 Notice--Substitute Notice
 (individuals' voluntary
 burden to call toll-free
 number for information).
45 CFR 164.406 Media Notice...  Covered entities             267               1            1.25             334
45 CFR 164.408 Notice to        Covered entities             267               1            1.25             334
 Secretary (notice for
 breaches affecting 500 or
 more individuals).
45 CFR 164.408 Notice to        Covered entities          58,215               1               1          58,215
 Secretary (notice for
 breaches affecting less than
 500 individuals).
45 CFR 164.410 Business         Business                      20               1              50           1,000
 associate notice to covered     Associates.
 entity--500 or more affected
 individuals.
45 CFR 164.410 Business         Business                   1,165               1               8           9,320
 associate notice to covered     Associates.
 entity--Less than 500
 affected individuals.
45 CFR 164.414 500 or More      Covered entities             267               1              50          13,350
 Affected Individuals
 (investigating and
 documenting breach).
45 CFR 164.414 Less than 500    Covered entities           2,479               1               8          19,832
 Affected Individuals
 (investigating and
 documenting breach)--
 affecting 10-499.
45 CFR 164.414 Less than 500    Covered entities          55,736               1               4         222,944
 Affected Individuals
 (investigating and
 documenting breach)--
 affecting <10.
45 CFR 164.504 Uses and         Covered entities         700,000               1     0.083333333          58,333
 Disclosures--Organizational
 Requirements.
45 CFR 164.508 Uses and         Covered entities         700,000               1               1         700,000
 Disclosures for Which
 Individual authorization is
 required.
45 CFR 165.512 Uses and         Covered entities         113,524               1     0.083333333           9,460
 Disclosures for Research
 Purposes.
45 CFR 164.520 Notice of        Covered              100,000,000               1     0.004166667         416,667
 Privacy Practices for           entities--health
 Protected Health Information    plans.
 (health plans--periodic
 distribution of NPPs by paper
 mail).
45 CFR 164.520 Notice of        Covered              100,000,000               1     0.002783333         278,333
 Privacy Practices for           entities--health
 Protected Health Information    plans.
 (health plans--periodic
 distribution of NPPs by
 electronic mail).
45 CFR 164.520 Notice of        Covered              613,000,000               1            0.05      30,650,000
 Privacy Practices for           entities--health
 Protected Health Information    care
 (health care providers--        providers.
 dissemination and
 acknowledgement).
45 CFR 164.522 Rights to        Covered                   20,000               1            0.05           1,000
 Request Privacy Protection      entities--health
 for Protected Health            care
 Information.                    providers,
                                 health plans.
45 CFR 164.524 Access of        Covered                  200,000               1            0.05          10,000
 Individuals to Protected        entities--health
 Health Information              care
 (disclosures).                  providers,
                                 health plans,
                                 clearinghouses.
45 CFR 164.526 Amendment of     Covered                  150,000               1     0.083333333          12,500
 Protected Health Information    entities--health
 (requests).                     care
                                 providers,
                                 health plans,
                                 clearinghouses.
45 CFR 164.526 Amendment of     Covered                   50,000               1     0.083333333           4,167
 Protected Health Information    entities--health
 (denials).                      care
                                 providers,
                                 health plans,
                                 clearinghouses.
45 CFR 164.528 Accounting for   Covered                    5,000               1            0.05             250
 Disclosures of Protected        entities--health
 Health Information.             care
                                 providers,
                                 health plans,
                                 clearinghouses.
                               ---------------------------------------------------------------------------------
    Total.....................  ................  ..............  ..............  ..............     921,158,941
----------------------------------------------------------------------------------------------------------------


Debbie Kramer,
HHS Information Collection Reports Clearance Officer.
[FR Doc. 2019-21031 Filed 9-27-19; 8:45 am]
BILLING CODE 4153-01-P