[Federal Register Volume 81, Number 97 (Thursday, May 19, 2016)]
[Notices]
[Pages 31646-31648]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-11785]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

[Document Identifier: HHS-OS-0945-0003-30D]

Agency Information Collection Activities; Submission to OMB for Review and Approval; Public Comment Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with section 3507(a)(1)(D) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, has submitted an Information Collection Request (ICR), described below, to the Office of Management and Budget (OMB) for review and approval. The ICR is for revision of the approved information collection assigned OMB control number 0945-0003, scheduled to expire on January 1, 2017. Comments submitted during the first public review of this ICR will be provided to OMB. OMB will accept further comments from the public on this ICR during the review and approval period.

DATES: Comments on the ICR must be received on or before June 20, 2016.

ADDRESSES: Submit your comments to [email protected] or via facsimile to (202) 395-5806.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance staff, [email protected] or (202) 690-6162.

SUPPLEMENTARY INFORMATION: When submitting comments or requesting information, please include the OMB control number 0945-0003-30D for reference.

Proposed Project: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164.

Abstract: This revision does not change any requirements of the HIPAA Privacy, Security, and Breach Notification Rules.
Among other updates summarized below, the ICR requests to rename the information collection and incorporate into it the substance of two other information collections (#0945-0004, set to expire on May 31, 2016; and #0945-0001, expiring on September 30, 2016), which then would be discontinued. The ICR addresses the burden on regulated entities for compliance with the information collection requirements of the HIPAA Privacy, Security, and Breach Notification Rules; the voluntary burden on members of the public for obtaining information from covered entities regarding breaches of their protected health information; and the information collection burden on the Office for Civil Rights (OCR) associated with administering aspects of the HIPAA Breach Notification program. Combining the three existing information collections identified above will allow the regulated community, the public, and OCR to more easily view and track the estimated burdens associated with the HIPAA Rules that are administered and enforced by OCR.

In addition to combining the ICRs, the proposed updates take into account our experience administering the Rules to more accurately reflect the burdens of compliance with the applicable regulatory requirements; remove the estimated burden of initial compliance with the Omnibus HIPAA Final Rule, because we are well past the compliance dates; and incorporate increases in wages for the job categories that we expect to be involved in compliance activities.

Estimated Annualized Burden Table

| Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|
| 160.204 | Process for Requesting Exception Determinations (states or persons) | 1 | 1 | 16 | 16 |
| 164.308 | Risk Analysis--Documentation | 1,700,000 | 1 | 10 | 17,000,000 |
| 164.308 | Information System Activity Review--Documentation | 1,700,000 | 12 | .75 | 15,300,000 |
| 164.308 | Security Reminders--Periodic Updates | 1,700,000 | 12 | 1 | 20,400,000 |
| 164.308 | Security Incidents (other than breaches)--Documentation | 1,700,000 | 52 | 5 | 442,000,000 |
| 164.308 | Contingency Plan--Testing and Revision | 1,700,000 | 1 | 8 | 13,600,000 |
| 164.308 | Contingency Plan--Criticality Analysis | 1,700,000 | 1 | 4 | 6,800,000 |
| 164.310 | Maintenance Records | 1,700,000 | 12 | 6 | 122,400,000 |
| 164.314 | Security Incidents--Business Associate reporting of incidents (other than breach) to Covered Entities | 1,000,000 | 12 | 20 | 240,000,000 |
| 164.316 | Documentation--Review and Update | 1,700,000 | 1 | 6 | 10,200,000 |
| 164.404 | Individual Notice--Written and Email Notice (drafting) | 58,481 | 1 | .5 | 29,240 |
| 164.404 | Individual Notice--Written and Email Notice (preparing and documenting notification) | 58,481 | 1 | .5 | 29,240 |
| 164.404 | Individual Notice--Written and Email Notice (processing and sending) | 58,481 | 353 | .008 | 165,150 |
| 164.404 | Individual Notice--Substitute Notice (posting or publishing) | 2,746 | 1 | 1 | 2,746 |
| 164.404 | Individual Notice--Substitute Notice (staffing toll-free number) | 2,746 | 1 | 5.75 | 15,789 |
| 164.404 | Individual Notice--Substitute Notice (individuals' voluntary burden to call toll-free number for information) | 11,326,440 | 1 | .125 | 1,415,805 |
| 164.406 | Media Notice | 267 | 1 | 1.25 | 333 |
| 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 267 | 1 | 1.25 | 333 |
| 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | 58,215 | 1 | 1 | 58,215 |
| 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 267 | 1 | 50 | 13,350 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach) | 2,479 (breaches affecting 10-499 individuals) | 1 | 8 | 19,832 |
| | | 55,736 (breaches affecting <10 individuals) | 1 | 4 | 222,944 |
| 164.504 | Uses and Disclosures--Organizational Requirements | 700,000 | 1 | 5/60 | 58,333 |
| 164.508 | Uses and Disclosures for Which Individual authorization is required | 700,000 | 1 | 1 | 700,000 |
| 164.512 | Uses and Disclosures for Research Purposes | 113,524 | 1 | 5/60 | 9,460 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans--periodic distribution of NPPs by paper mail) | 100,000,000 | 1 | 0.25 minutes [1 hour per 240 notices] | 416,667 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans--periodic distribution of NPPs by electronic mail) | 100,000,000 | 1 | 0.167 minutes [1 hour per 360 notices] | 278,333 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health care providers--dissemination and acknowledgement) | 613,000,000 | 1 | 3/60 | 30,650,000 |
| 164.522 | Rights to Request Privacy Protection for Protected Health Information | 20,000 | 1 | 3/60 | 1,000 |
| 164.524 | Access of Individuals to Protected Health Information (disclosures) | 200,000 | 1 | 3/60 | 10,000 |
| 164.526 | Amendment of Protected Health Information (requests) | 150,000 | 1 | 5/60 | 12,500 |
| 164.526 | Amendment of Protected Health Information (denials) | 50,000 | 1 | 5/60 | 4,166 |
| 164.528 | Accounting for Disclosures of Protected Health Information | 5,000 | 1 | 3/60 | 250 |
| Total | | | | | 921,813,702 |

Terry S. Clark,
Asst Information Collection Clearance Officer.

[FR Doc. 2016-11785 Filed 5-18-16; 8:45 am]
BILLING CODE 4153-01-P