The Health Breach Notification Rule
("Rule"), 16 C.F.R. Part 318, requires vendors of personal health
records and PHR related entities to provide: (1) notice to
consumers whose unsecured personally identifiable health
information has been breached; and (2) notice to the Commission.
The Rule only applies to electronic health records and does not
include recordkeeping requirements. The Rule requires third party
service providers (i.e., those companies that provide services such
as billing or data storage) to notify vendors of personal health
records and PHR related entities following the discovery of a
breach; those entities in turn must provide notification to
consumers and the Commission. To notify the FTC of a breach, the
Commission developed a form for entities subject to the Rule to
complete and return to the agency.
PL:
Pub.L. 111 - 5 13407 Name of Law: American Recovery and
Reinvestment Act of 2009
PL: Pub.L. 111 - 5 13407 Name of Law:
American Recovery and Reinvestment Act of 2009
The annual time and cost burden
have been adjusted upward from 3,267 annual hours in 2016 to 4,779
annual hours in 2019 and from $111,724 in annual labor and
non-labor costs in 2016 to $126,608 annual labor and non-labor
costs in 2019. For 2016, the FTC estimated two major breach
incidents per year that, together, require the notification of
approximately 40,000 consumers. There were no available estimates
at that time for single breach responses. For 2019, the FTC has
more comprehensive data on enforcing this rule which has been in
effect since 2010. The FTC now estimates two primary categories of
breaches reported: (1) single-person breaches, incidents in which a
single individual’s information is potentially compromised; and (2)
what are hereafter described as major breaches, in which
multiple—and typically, many—individuals are affected. On average,
staff now estimates 25,000 single-person breaches per year and that
covered firms will require approximately 20 seconds of employee
labor per single-person breach. Staff also estimates that 0.4 major
breaches occur per year and the annual average hourly burden for
major breaches is 4,640 hours. Taking the requirements relating to
responding to single-person and major breaches, the reporting and
third-party disclosure estimates have been adjusted upward since
the most recent PRA submission.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
Form Not Applicable Major Breaches
Health Breach Notification Rule - SS - 2019 - FINAL.pdf
Major Breaches