0990-BreachAttachment A 092409

Attachment A

Estimated Total Burden Hours

(Please note that all calculations have been rounded to the nearest hour)

We have estimated that it would take a covered entity approximately 30 minutes to draft a notice and another 30 minutes to prepare and document the notice pursuant to § 164.530(j)(1)(iv). Additionally, we have estimated that approximately half the notices will be sent by first-class mail and half by e-mail. A covered entity can prepare 100 notices for mailing per hour and can send 200 e-mail notices per hour. Therefore, because we estimate 2,888,804 will be affected by all 106 breaches, we estimate that 27,253 individuals, on average, will be affected by each breach. Therefore, we estimate it will take slightly over 204 hours per breach to send or email these notices. The total burden hours for the drafting, preparing, sending, as well as documenting notification is, rounding up, 206 hours per breach and 21,836 total hours for all 106 breaches. We have estimated that it will take 8 hours for covered entities to investigate breaches that affect fewer than 500 individuals. We estimate that it will take somewhere between 8 and 100 hours to investigate the larger breaches (50x8=400) and have estimated that it will take approximately 44 hours to investigate the larger breaches (56x44=2,640). This time for investigation includes the time it takes to document risk assessments and comply with the burden of proof in § 164.414.

For the 70 breaches for which substitute notice under § 164.404(d)(2) is required, covered entities must either post the notice on the home page of their web site or publish the notice in major print or broadcast media where the affected individuals likely reside. Both of these notifications must include a toll-free number for individuals to contact the covered entity to determine if their information has been breached. We have estimated that it will take approximately 1 hour to either post or publish this information, as the information required to be in the notification has already been compiled by the covered entity. Additionally, we expect the covered entity to spend time responding to phone calls received through the toll-free number from individuals inquiring whether or not they are affected by the breach. We expect that approximately 2,888,804 individuals will call the toll-free lines. We estimate that a covered entity could handle 12 calls per hour. Therefore, substitute notice would yield a total of 240,730 burden hours (or (3,438 + 1) = 3,439 hours per breach).

The media notice under § 164.406 need only be provided one time per breach, and must be provided to a prominent media outlet serving the particular State or jurisdiction. We estimated that it will take covered entities approximately one hour to identify and contact an appropriate media outlet and to provide them the required information. Therefore, the total burden for this requirement is 56 hours.

Following a breach of unsecured protected health information, covered entities must also notify the Secretary under § 164.408. Covered entities must also maintain an annual log of all breaches. We have estimated that it will take, on average, approximately 2.3 hours per breach for a covered entity to compile the information necessary to report to the Secretary, provide the notification to the Secretary through the HHS website, and maintain the annual log of breaches. We also note that these burden hour estimates include the time it would take for a covered entity to comply with § 164.530(j)(1)(iv). Therefore, we estimate it will take covered entities a total of 247 hours to report all 106 breaches to the Secretary.

Totaling these burden hour estimates, we estimate the total burden hours upon covered entities for this information collection to be 265,733 hours.