[Federal Register Volume 87, Number 197 (Thursday, October 13, 2022)]
[Notices]
[Pages 62107-62109]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-22204]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Document Identifier: OS-0945-0003-60D]


Agency Information Collection Request; 60-Day Public Comment 
Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirement of the Paperwork Reduction 
Act of 1995, the Office of the Secretary (OS), Department of Health

[[Page 62108]]

and Human Services, is publishing the following summary of a proposed 
collection for public comment.

DATES: Comments on the ICR must be received on or before December 12, 
2022.

ADDRESSES: Submit your comments to [email protected] or by calling 
(202) 264-0041.

FOR FURTHER INFORMATION CONTACT: When submitting comments or requesting 
information, please include the document identifier OS-0945-0003-60D 
and project title for reference, to Sherrette A. Funn, email: 
[email protected], or call (202) 264-0041 the Reports Clearance 
Officer.

SUPPLEMENTARY INFORMATION: Interested persons are invited to send 
comments regarding this burden estimate or any other aspect of this 
collection of information, including any of the following subjects: (1) 
The necessity and utility of the proposed information collection for 
the proper performance of the agency's functions; (2) the accuracy of 
the estimated burden; (3) ways to enhance the quality, utility, and 
clarity of the information to be collected; and (4) the use of 
automated collection techniques or other forms of information 
technology to minimize the information collection burden.
    Title of the Collection: HIPAA Privacy, Security, and Breach 
Notification Rules, and Supporting Regulations Contained in 45 CFR 
parts 160 and 164.
    Type of Collection: Extension.
    OMB No. 0945-0003: Office for Civil Rights (OCR)--Health 
Information Privacy Division.
    Abstract: Office for Civil Rights (OCR) requests approval to extend 
this existing, approved collection without changing any collection 
requirements. In 2021, OCR published a Notice of Proposed Rulemaking 
(NPRM) proposing modifications to the HIPAA Rules that would affect the 
hourly burdens associated with the HIPAA Rules. 86 FR 6446. OCR is 
reviewing public comment received on the NPRM about existing burdens 
associated with compliance with the HIPAA Rules, available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001, and on 
changes in burden that could result from the modifications proposed in 
the NPRM. OCR will update this ICR to reflect the input we receive on 
this notice and through the rulemaking process.
    Likely Respondents: HIPAA covered entities, business associates, 
individuals, and professional and trade associations of covered 
entities and business associates.

                                                              Annualized Burden Hour Table
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                     Number of       Average  burden
                Section                           Type of respondent              Number of        responses per        hours per         Total burden
                                                                                 respondents         respondent        response [1]          hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
160.204................................  Process for Requesting Exception                     1                  1                 16                 16
                                          Determinations (states or persons).
164.308................................  Risk Analysis--Documentation [2]...          1,700,000                  1                 10         17,000,000
164.308................................  Information System Activity Review--         1,700,000                 12               0.75         15,300,000
                                          Documentation.
164.308................................  Security Reminders--Periodic                 1,700,000                 12                  1         20,400,000
                                          Updates.
164.308................................  Security Incidents (other than               1,700,000                 52                  5        442,000,000
                                          breaches)--Documentation.
164.308................................  Contingency Plan--Testing and                1,700,000                  1                  8         13,600,000
                                          Revision.
164.308................................  Contingency Plan--Criticality                1,700,000                  1                  4          6,800,000
                                          Analysis.
164.310................................  Maintenance Records................          1,700,000                 12                  6        122,400,000
164.314................................  Security Incidents--Business                 1,000,000                 12                 20        240,000,000
                                          Associate reporting of incidents
                                          (other than breach) to Covered
                                          Entities.
164.316................................  Documentation--Review and Update             1,700,000                  1                  6         10,200,000
                                          [3].
164.404................................  Individual Notice--Written and                  58,482                  1                0.5             29,241
                                          Email Notice (drafting) [4].
164.404................................  Individual Notice--Written and                  58,482                  1                0.5             29,241
                                          Email Notice (preparing and
                                          documenting notification).
164.404................................  Individual Notice--Written and                  58,482              1,941              0.008            908,108
                                          Email Notice (processing and
                                          sending) [5].
164.404................................  Individual Notice--Substitute                    2,746                  1                  1              2,746
                                          Notice (posting or publishing) [6].
164.404................................  Individual Notice--Substitute                    2,746                  1               3.42              9,391
                                          Notice (staffing toll-free number)
                                          [7].
164.404................................  Individual Notice--Substitute                  113,264                  1              0.125             14,158
                                          Notice (individuals' voluntary
                                          burden to call toll-free number
                                          for information) [8], [9].
164.406................................  Media Notice [10]..................                267                  1               1.25                334
164.408................................  Notice to Secretary (notice for                    267                  1               1.25                334
                                          breaches affecting 500 or more
                                          individuals).
164.408................................  Notice to Secretary (notice for                 58,215                  1                  1             58,215
                                          breaches affecting fewer than 500
                                          individuals) [11].
164.410................................  Business Associate notice to                        20                  1                 50              1,000
                                          Covered Entity--500 or more
                                          individuals affected.
164.410................................  Business Associate notice to                     1,165                  1                  8              9,320
                                          Covered Entity--Less than 500
                                          individuals affected.
164.414................................  500 or More Affected Individuals                   267                  1                 50             13,350
                                          (investigating and documenting
                                          breach).
164.414................................  Less than 500 Affected Individuals               2,479                  1                  8             19,832
                                          (investigating and documenting
                                          breach)--affecting 10-499.
164.414................................  Less than 500 Affected Individuals              55,736                  1                  4            222,944
                                          (investigating and documenting
                                          breach)--affecting <10.

[[Page 62109]]

 
164.504................................  Uses and Disclosures--                         700,000                  1        0.083333333             58,333
                                          Organizational Requirements.
164.508................................  Uses and Disclosures for Which                 700,000                  1                  1            700,000
                                          Individual authorization is
                                          required.
164.512................................  Uses and Disclosures for Research              113,524                  1        0.083333333              9,460
                                          Purposes [12].
164.520................................  Notice of Privacy Practices for            100,000,000                  1        0.004166667            416,667
                                          Protected Health Information
                                          (health plans--periodic
                                          distribution of NPPs by paper
                                          mail) [13], [18].
164.520................................  Notice of Privacy Practices for            100,000,000                  1        0.002783333            278,333
                                          Protected Health Information
                                          (health plans--periodic
                                          distribution of NPPs by electronic
                                          mail) [19].
164.520................................  Notice of Privacy Practices for            613,000,000                  1               0.05         30,650,000
                                          Protected Health Information
                                          (health care providers--
                                          dissemination and acknowledgement)
                                          [14].
164.522................................  Rights to Request Privacy                       20,000                  1               0.05              1,000
                                          Protection for Protected Health
                                          Information [15].
164.524................................  Access of Individuals to Protected             200,000                  1               0.05             10,000
                                          Health Information (disclosures)
                                          [16].
164.526................................  Amendment of Protected Health                  150,000                  1        0.083333333             12,500
                                          Information (requests).
164.526................................  Amendment of Protected Health                   50,000                  1        0.083333333              4,167
                                          Information (denials).
164.528................................  Accounting for Disclosures of                    5,000                  1               0.05                250
                                          Protected Health Information [17].
                                                                             ---------------------------------------------------------------------------
                                         Total..............................  .................              2,070  .................        921,158,940
--------------------------------------------------------------------------------------------------------------------------------------------------------


Sherrette A. Funn,
Paperwork Reduction Act Reports Clearance Officer, Office of the 
Secretary.
[FR Doc. 2022-22204 Filed 10-12-22; 8:45 am]
BILLING CODE 4150-28-P