[Federal Register Volume 84, Number 189 (Monday, September 30, 2019)] [Notices] [Pages 51604-51606] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-21031] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES [Document Identifier: OS-0945-0003] Agency Information Collection Request. 30-Day Public Comment Request AGENCY: Office of the Secretary, HHS. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: In compliance with the requirement of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, is publishing the following summary of a proposed collection for public comment. DATES: Comments on the Information Collection Request (ICR) must be received on or before October 30, 2019. ADDRESSES: Submit your comments to [email protected] or via facsimile to (202) 395-5806. FOR FURTHER INFORMATION CONTACT: Sherrette Funn, [email protected] or (202) 795-7714. When submitting comments or requesting information, please include the document identifier 0945-0003-New-30D and project title for reference. SUPPLEMENTARY INFORMATION: Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the agency's functions; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden. Title of the Collection: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164. Type of Collection: Extension. OMB No. 0945-0003: Office for Civil Rights (OCR)--Health Information Privacy Division. Abstract: Office for Civil Rights (OCR) requests approval to extend this existing, approved collection without changing any collection requirements while OCR obtains public comment through a Notice of Proposed Rulemaking (NPRM) proposing modifications to the HIPAA Rules that will affect the hourly burdens associated with the Rules. This notice does, however, make the following revisions to estimates provided in the 60-day public comment request, which do not change the collection requirements: (1) Lower the estimated number of individuals who call an entity's toll-free number for information after being affected by a breach requiring substitute notice to reflect a more realistic estimate of the proportion of individuals who choose to call; and (2) correct an error from the 2016 ICR notice that underestimated the average number of individuals affected per breach because it relied on older breach data. This notice also incorporates data from the 60- day public comment request which recognizes for the first time the burdens resulting from the pre-existing, ongoing requirements for business associates to report breaches of PHI to their covered entities. We did not receive public comment on the 60-day public comment request published on July 19, 2019. We expect to receive robust public comment on existing burdens associated with compliance with the HIPAA Rules and on changes in burden that could result from the modifications proposed in the NPRM. OCR will update this ICR to reflect the input we receive. Likely Respondents: HIPAA covered entities, business associates, individuals, and professional and trade associations of covered entities and business associates. [[Page 51605]] Estimated Annualized Burden Table ---------------------------------------------------------------------------------------------------------------- Number of Average Forms (if necessary) Respondents (if Number of responses per burden per Total burden necessary) respondents respondents response hours ---------------------------------------------------------------------------------------------------------------- 45 CFR 160.204 Process for A state's chief 1 1 16 16 Requesting Exception elected Determinations (states or official or persons). designee. 45 CFR 164.308 Risk Analysis-- Covered 1,700,000 1 10 17,000,000 Documentation. entities; business associates. 45 CFR 164.308 Information Covered 1,700,000 12 0.75 15,300,000 System Activity Review-- entities; Documentation. business associates. 45 CFR 164.308 Security Covered 1,700,000 12 1 20,400,000 Reminders--Periodic Updates. entities; business associates. 45 CFR 164.308 Security Covered 1,700,000 52 5 442,000,000 Incidents (other than entities; breaches)--Documentation. business associates. 45 CFR 164.308 Contingency Covered 1,700,000 1 8 13,600,000 Plan--Testing and Revision. entities; business associates. 45 CFR 164.308 Contingency Covered 1,700,000 1 4 6,800,000 Plan--Criticality Analysis. entities; business associates. 45 CFR 164.310 Maintenance Covered 1,700,000 12 6 122,400,000 Records. entities; business associates. 45 CFR 164.314 Security Business 1,000,000 12 20 240,000,000 Incidents--Business Associate associates. reporting of incidents (other than breach) to Covered Entities. 45 CFR 164.316 Documentation-- Covered 1,700,000 1 6 10,200,000 Review and Update. entities; business associates. 45 CFR 164.404 Individual Covered entities 58,482 1 0.5 29,241 Notice--Written and Email Notice (drafting). 45 CFR 164.404 Individual Covered entities 58,482 1 0.5 29,241 Notice--Written and Email Notice (preparing and documenting notification). 45 CFR 164.404 Individual Covered entities 58,482 1,941 0.008 908,108 Notice--Written and Email Notice (processing and sending). 45 CFR 164.404 Individual Covered entities 2,746 1 1 2,746 Notice--Substitute Notice (posting or publishing). 45 CFR 164.404 Individual Covered entities 2,746 1 3.42 9,391 Notice--Substitute Notice (staffing toll-free number). 45 CFR 164.404 Individual Covered entities 113,264 1 0.125 14,158 Notice--Substitute Notice (individuals' voluntary burden to call toll-free number for information). 45 CFR 164.406 Media Notice... Covered entities 267 1 1.25 334 45 CFR 164.408 Notice to Covered entities 267 1 1.25 334 Secretary (notice for breaches affecting 500 or more individuals). 45 CFR 164.408 Notice to Covered entities 58,215 1 1 58,215 Secretary (notice for breaches affecting less than 500 individuals). 45 CFR 164.410 Business Business 20 1 50 1,000 associate notice to covered Associates. entity--500 or more affected individuals. 45 CFR 164.410 Business Business 1,165 1 8 9,320 associate notice to covered Associates. entity--Less than 500 affected individuals. 45 CFR 164.414 500 or More Covered entities 267 1 50 13,350 Affected Individuals (investigating and documenting breach). 45 CFR 164.414 Less than 500 Covered entities 2,479 1 8 19,832 Affected Individuals (investigating and documenting breach)-- affecting 10-499. 45 CFR 164.414 Less than 500 Covered entities 55,736 1 4 222,944 Affected Individuals (investigating and documenting breach)-- affecting <10. 45 CFR 164.504 Uses and Covered entities 700,000 1 0.083333333 58,333 Disclosures--Organizational Requirements. 45 CFR 164.508 Uses and Covered entities 700,000 1 1 700,000 Disclosures for Which Individual authorization is required. 45 CFR 165.512 Uses and Covered entities 113,524 1 0.083333333 9,460 Disclosures for Research Purposes. [[Page 51606]] 45 CFR 164.520 Notice of Covered 100,000,000 1 0.004166667 416,667 Privacy Practices for entities--healt Protected Health Information h plans. (health plans--periodic distribution of NPPs by paper mail). 45 CFR 164.520 Notice of Covered 100,000,000 1 0.002783333 278,333 Privacy Practices for entities--healt Protected Health Information h plans. (health plans--periodic distribution of NPPs by electronic mail). 45 CFR 164.520 Notice of Covered 613,000,000 1 0.05 30,650,000 Privacy Practices for entities--healt Protected Health Information h care (health care providers-- providers. dissemination and acknowledgement). 45 CFR 164.522 Rights to Covered 20,000 1 0.05 1,000 Request Privacy Protection entities--healt for Protected Health h care Information. providers, health plans. 45 CFR 164.524 Access of Covered 200,000 1 0.05 10,000 Individuals to Protected entities--healt Health Information h care (disclosures). providers, health plans, clearinghouses. 45 CFR 164.526 Amendment of Covered 150,000 1 0.083333333 12,500 Protected Health Information entities--healt (requests). h care providers, health plans, clearinghouses. 45 CFR 164.526 Amendment of Covered 50,000 1 0.083333333 4,167 Protected Health Information entities--healt (denials). h care providers, health plans, clearinghouses. 45 CFR 164.528 Accounting for Covered 5,000 1 0.05 250 Disclosures of Protected entities--healt Health Information. h care providers, health plans, clearinghouses. --------------------------------------------------------------------------------- Total..................... ................ .............. .............. .............. 921,158,941 ---------------------------------------------------------------------------------------------------------------- Debbie Kramer, HHS Information Collection Reports Clearance Officer. [FR Doc. 2019-21031 Filed 9-27-19; 8:45 am] BILLING CODE 4153-01-P