Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164

ICR 201909-0945-001

OMB: 0945-0003

Federal Form Document

⚠️ Notice: This information collection may be outdated. More recent filings for OMB 0945-0003 can be found here:

Forms and Documents

Document Name	Status
published 60-FRN day 0945-0003.pdf Supplementary Document	2019-09-30
30-day FRN 0945-0003 HIPAA 2019 ICR Extension.doc Supplementary Document	2019-09-30
0945-0003 Change Request.doc Justification for No Material/Nonsubstantive Change	2017-10-12
Amended 2019 Supporting Statement HIPAA 1-15-2020.docx Supporting Statement A	2020-01-15

IC Document Collections

IC ID	Document Title	Status
237898	Business Associate Notice to Covered Entity – Less than 500 affected individuals	New
237897	Business Associate Notice to Covered Entity – 500 or more affected individuals	New
221884	Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting	Unchanged
221883	Less than 500 Affected Individuals (investigating and documenting breach)	Unchanged
221882	500 or More Affected Individuals (investigating and documenting breach)	Unchanged
221881	Notice to Secretary (notice for breaches affecting fewer than 500 individuals)	Unchanged
221880	Notice to Secretary (notice for breaches affecting 500 or more individuals)	Unchanged
221879	Media Notice	Unchanged
221878	Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)	Modified
221877	Individual Notice-Substitute Notice (staffing toll-free number)	Modified
221876	Individual Notice- Substitute Notice (posting or publishing)	Unchanged
221875	Individual Notice-Written and E-mail Notice(processing and sending)	Modified
221874	Individual Notice-Written and E-mail Notice (preparing and documenting notification)	Modified
221872	Individual Notice- Written and E-mail Notice (drafting)	Modified
221871	Documentation - Review and Update	Unchanged
221870	Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities	Modified
221869	Maintenance Records	Modified
221868	Contingency Plan- Criticality Analysis	Unchanged
221866	Contingency Plan- Testing and Revision	Unchanged
221862	Security Incidents (other than breaches)- Documentation	Modified
221861	Security Reminders- Periodic Updates	Modified
221860	Information System Activity Review- Documentation	Modified
221859	Risk Analysis-Documentation	Unchanged
208573	Rights to request privacy protection for protected health information	Unchanged
190153	Accounting for Disclosures of Protected Health Information	Unchanged
190152	Amendment of Protected Health Information (denials)	Unchanged
190151	Amendment of Protected Health Information (requests)	Unchanged
190150	Access of Individuals to Protected Health Information (disclosures)	Unchanged
190149	Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)	Unchanged
190147	Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement	Unchanged
190146	Notice of privacy Practices for Protected Health Information/health plan distribution paper mail	Unchanged
190145	Uses and Disclosures for Research Purposes	Unchanged
190144	Uses and Disclosures for which Individual authorization is required	Unchanged
190143	Uses and Disclosures-Organizational Requirement	Unchanged
10428	Process for Requesting Exception Determinations (states or persons)	Unchanged

ICR Details

OMB Control No: 0945-0003	ICR Reference No: 201909-0945-001
Status: Active	Previous ICR Reference No: 201710-0945-002
Agency/Subagency: HHS/OCR	Agency Tracking No: 20296
Title: Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164
Type of Information Collection: Extension without change of a currently approved collection	Common Form ICR: No
Type of Review Request: Regular
OIRA Conclusion Action: Approved with change	Conclusion Date: 01/21/2020
Retrieve Notice of Action (NOA)	Date Received in OIRA: 09/30/2019
Terms of Clearance:

	Inventory as of this Action	Requested	Previously Approved
Expiration Date	01/31/2023	36 Months From Approved	01/31/2020
Responses	1,097,206,223	0	1,015,548,443
Time Burden (Hours)	921,158,940	0	921,813,708
Cost Burden (Dollars)	0	0	0

Abstract: The individually identifiable health information collected is used by patients and by more than 500,000 covered entities affected by the HIPAA Privacy Rule. The information is routinely used by covered entities for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws.

Authorizing Statute(s): PL: Pub.L. 104 - 191 1 Name of Law: Health Insurance Portability and Accountability Act of 1996

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	84 FR 34905	07/19/2019
30-day Notice:	Federal Register Citation:	Citation Date:
	84 FR 51604	09/30/2019
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 35

IC Title	Form No.	Form Name
Business Associate Notice to Covered Entity – Less than 500 affected individuals
Media Notice
Amendment of Protected Health Information (requests)
Amendment of Protected Health Information (denials)
Accounting for Disclosures of Protected Health Information
Contingency Plan- Criticality Analysis
Maintenance Records
Individual Notice-Substitute Notice (staffing toll-free number)
Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)
Less than 500 Affected Individuals (investigating and documenting breach)
Risk Analysis-Documentation
Security Reminders- Periodic Updates
Security Incidents (other than breaches)- Documentation
Contingency Plan- Testing and Revision
Information System Activity Review- Documentation
Individual Notice- Written and E-mail Notice (drafting)
Individual Notice- Substitute Notice (posting or publishing)
Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities
Documentation - Review and Update
Individual Notice-Written and E-mail Notice (preparing and documenting notification)
Individual Notice-Written and E-mail Notice(processing and sending)
Notice to Secretary (notice for breaches affecting fewer than 500 individuals)
500 or More Affected Individuals (investigating and documenting breach)
Business Associate Notice to Covered Entity – 500 or more affected individuals
Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting <10 individuals
Rights to request privacy protection for protected health information
Notice to Secretary (notice for breaches affecting 500 or more individuals)
Process for Requesting Exception Determinations (states or persons)
Uses and Disclosures-Organizational Requirement
Uses and Disclosures for which Individual authorization is required
Uses and Disclosures for Research Purposes
Notice of privacy Practices for Protected Health Information/health plan distribution paper mail
Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement
Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)
Access of Individuals to Protected Health Information (disclosures)

ICR Summary of Burden

	Total Approved	Previously Approved	Change Due to Agency Discretion	Change Due to Adjustment in Estimate
Annual Number of Responses	1,097,206,223	1,015,548,443	12,672,468	68,985,312
Annual Time Burden (Hours)	921,158,940	921,813,708	-654,768	0
Annual Cost Burden (Dollars)	0	0	0	0

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: Yes

Burden Reduction Due to: Miscellaneous Actions

Short Statement: We have adjusted the estimated annual burdens of compliance to (1) lower the estimated number of individuals who call an entity’s toll-free number for information after being affected by a breach requiring substitute notice to reflect a more realistic estimate about the proportion of individuals who choose to call; (2) correct an error in the 2016 ICR that underestimated the average number of individuals affected per breach incident because it relied on older breach data, and thus have increased the estimate from 353 individuals to 1,941 individuals per breach; (3) recognize for the first time the burdens resulting from the pre-existing, ongoing requirement for business associates to report breaches of PHI to their covered entities; and (4) reflect increases in average wages using 2018 BLS data for the applicable labor categories.

Annual Cost to Federal Government: $35,600

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? Uncollected

Agency Contact: Sherri Morgan 202 774-3042 [email protected]

Common Form ICR: No