[Federal Register Volume 78, Number 171 (Wednesday, September 4, 2013)] [Notices] [Pages 54467-54469] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2013-21398] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary [Document Identifier: HHS-OS-20296-30D] Agency Information Collection Activities; Submission to OMB for Review and Approval; Public Comment Request AGENCY: Office of the Secretary, HHS. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: In compliance with section 3507(a)(1)(D) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, has submitted an Information Collection Request (ICR), described below, to the Office of Management and Budget (OMB) for review and approval. The ICR is for revision of the approved information collection assigned OMB control number 0945-0003 scheduled to expire on 12/31/2015. Comments submitted during the first public review of this ICR will be provided to OMB. OMB will accept further comments from the public on this ICR during the review and approval period. DATES: Comments on the ICR must be received on or before October 4, 2013. ADDRESSES: Submit your comments to [email protected] or via facsimile to (202) 395-5806. FOR FURTHER INFORMATION CONTACT: Information Collection Clearance staff, [email protected] or (202) 690-6162. SUPPLEMENTARY INFORMATION: When submitting comments or requesting information, please include the OMB control number 0945-0003 and document identifier HHS-OS-20296-30D for reference. Information Collection Request Title: Standards for Privacy of Individually Identifiable Health Information, Security Standards for the Protection of Electronic Protected Health Information, and Supporting Regulations Contained in 45 CFR Parts 160 and 164 OMB No.: 0945-0003. Abstract: The Office for Civil Rights (OCR) is notifying the public of revisions to a previously approved OCR data collection. The revisions reflect certain regulatory modifications to the HIPAA Privacy and Security Rules, pursuant to the Health Information for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA), that were finalized in the Omnibus HIPAA Final Rule published on January 25, 2013 (78 FR 5566). These modifications strengthen privacy and security protections for individually identifiable health information used or disclosed by business associates and enhance the rights of individuals with respect to their identifiable health information. Need and Proposed Use of the Information: The information collection addresses HIPAA requirements related to the use, disclosure, and safeguarding of individually identifiable health information by covered entities affected by the HIPAA Rules. The information is routinely used by covered entities and business associates for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws. The Privacy Rule also ensures that the individuals are able to exercise certain rights with respect to their information, including the rights to access and seek amendments to their health records and to receive a Notice of Privacy Practices (NPP) from their direct treatment providers and health plans. Likely Respondents: Respondents include HIPAA covered entities and their business associates, as well as members of the public. Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information. The total annual burden hours estimated for this ICR are summarized in the tables below. [[Page 54468]] Total Estimated Annualized Burden--Hours ---------------------------------------------------------------------------------------------------------------- Average number Average burden Section Type of Number of of responses hours per Total burden respondent respondents per respondent response hours ---------------------------------------------------------------------------------------------------------------- New Burdens Associated With the Final Rule ---------------------------------------------------------------------------------------------------------------- 164.316....................... Documentation of 300,000 1 70/60 350,000 Security Rule Policies and Procedures and Administrative Safeguards (business associates). 164.504....................... Business 375,000 1 20/60 125,000 Associates Needing to Establish or Modify Business Associate Agreements with Subcontractors. 164.520....................... Revision of 1,500 1 .111 167 Notice of Privacy Practices for Protected Health Information (drafting revised language) (health plans). 164.520....................... Dissemination of 20,000,000 1 .00333335 66,667 Notice of Privacy Practices for Protected Health Information (health plans). 164.520....................... Revision of 697,000 1 .11111 77,444 Notice of Privacy Practices (providers). --------------------------------------------------------------------------------- Total..................... ................ .............. .............. .............. 619,278 ---------------------------------------------------------------------------------------------------------------- Ongoing Annual Burdens of Compliance with the Rules ---------------------------------------------------------------------------------------------------------------- 160.204....................... Process for 1 1 16 16 Requesting Exception Determinations (states or persons). 164.504....................... Uses and 700,000 1 5/60 58,333 Disclosures--Or ganizational Requirements. 164.508....................... Uses and 700,000 1 1 700,000 Disclosures for Which Individual authorization is required. 164.512....................... Uses and 113,524 1 5/60 9,460 Disclosures for Research Purposes. 164.520....................... Notice of 100,000,000 1 0.25 416,667 Privacy Practices for Protected Health Information (health plans-- periodic distribution of NPPs by paper mail). 164.520....................... Notice of 100,000,000 1 0.167 278,333 Privacy Practices for Protected Health Information (health plans-- periodic distribution of NPPs by electronic mail). 164.520....................... Notice of 613,000,000 1 3/60 30,650,000 Privacy Practices for Protected Health Information (health care providers--diss emination and acknowledgement ). 164.522....................... Rights to 150,000 1 3/60 7,500 Request Privacy Protection for Protected Health Information. 164.524....................... Access of 150,000 1 3/60 7,500 Individuals to Protected Health Information (disclosures). 164.526....................... Amendment of 150,000 1 3/60 7,500 Protected Health Information (requests). 164.526....................... Amendment of 50,000 1 3/60 2,500 Protected Health Information (denials). 164.528....................... Accounting for 70,000 1 3/60 5,833 Disclosures of Protected Health Information. --------------------------------------------------------------------------------- Total..................... ................ .............. .............. .............. 32,143,642 ---------------------------------------------------------------------------------------------------------------- TOTAL HOURS ---------------------------------------------------------------------------------------------------------------- 32,762,920 ---------------------------------------------------------------------------------------------------------------- [[Page 54469]] Keith A. Tucker, Information Collection Clearance Officer. [FR Doc. 2013-21398 Filed 9-3-13; 8:45 am] BILLING CODE 4153-01-P