The Health Breach Notification Rule
("Rule"), 16 C.F.R. Part 318, requires vendors of personal health
records and PHR related entities to provide: (1) notice to
consumers whose unsecured personally identifiable health
information has been breached; and (2) notice to the Commission.
The Rule only applies to electronic health records and does not
include recordkeeping requirements. The Rule requires third party
service providers (i.e., those companies that provide services such
as billing or data storage) to notify vendors of personal health
records and PHR related entities following the discovery of a
breach; those entities in turn must provide notification to
consumers and the Commission. To notify the FTC of a breach, the
Commission developed a form for entities subject to the Rule to
complete and return to the agency.
PL:
Pub.L. 111 - 5 13407 Name of Law: American Recovery and
Reinvestment Act of 2009
PL: Pub.L. 111 - 5 13407 Name of Law:
American Recovery and Reinvestment Act of 2009
At the time the Rule was
issued, insufficient data was available about the incidence of
breaches in the PHR industry. Accordingly, FTC staff based its
burden estimate on data pertaining to private sector breaches
across multiple industries. Staff estimated that there would be 11
breaches per year requiring notification of 232,000 consumers.
Because the Rule has now been in effect for almost three years,
staff is now able to base the burden estimate on the actual
notifications received from covered entities, which include the
number of consumers notified. As discussed above, the notifications
received indicate that an average of 2,500 consumers per year
received notifications over the years 2010 and 2011. This number is
about one percent of the figure staff had previously projected
would require notification. Staff has updated the burden estimate
based on these new figures. Further, staff's previous burden
estimate included in the cost of a toll-free number, the costs
associated with obtaining a T1 line (a specific type of telephone
line that can carry more data than traditional telephone lines) and
services such as queue messaging that are necessary when handling
large call volumes. Because staff's current estimate does not
include large projected call volumes, staff believes that affected
entities will not need these additional services and equipment and
did not include those cost estimates here.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
Health Breach Notif. Rule '12 SS fin_mtd.pdf
Creating a toll-free line & related non-labor costs