Billing code: 4153 01
DEPARTMENT OF HEALTH AND HUMAN SERVICES
[Document Identifier: OS-0945-0003]
Agency Information Collection Request. 30-Day Public Comment Request
AGENCY: Office of the Secretary, HHS
ACTION: Notice.
SUMMARY: In compliance with the requirement of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, is publishing the following summary of a proposed collection for public comment.
DATES: Comments on the Information Collection Request (ICR) must be received on or before [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: Submit your comments to [email protected] or via facsimile to (202) 395-5806.
FOR FURTHER INFORMATION CONTACT: Sherrette Funn, [email protected] or (202) 795-7714. When submitting comments or requesting information, please include the document identifier 0945-0003-New-30D and project title for reference.
SUPPLEMENTARY INFORMATION: Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the agency’s functions; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.
Title of the Collection: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting
Regulations Contained in 45 CFR parts 160 and 164.
Type of Collection: Extension
OMB No. 0945–0003: Office for Civil Rights (OCR)—Health Information Privacy Division.
Abstract: Office for Civil Rights (OCR) requests approval to extend this existing, approved collection without changing any collection requirements while OCR obtains public comment through a Notice of Proposed Rulemaking (NPRM) proposing modifications to the HIPAA Rules that will affect the hourly burdens associated with the Rules. This notice does, however, make the following revisions to estimates provided in the 60-day public comment request, which do not change the collection requirements: (1) lower the estimated number of individuals who call an entity’s toll-free number for information after being affected by a breach requiring substitute notice to reflect a more realistic estimate of the proportion of individuals who choose to call; and (2) correct an error from the 2016 ICR notice that underestimated the average number of individuals affected per breach because it relied on older breach data. This notice also incorporates data from the 60-day public comment request which recognizes for the first time the burdens resulting from the pre-existing, ongoing requirements for business associates to report breaches of PHI to their covered entities.
We did not receive public comment on the 60-day public comment request published on July 19, 2019. We expect to receive robust public comment on existing burdens associated with compliance with the HIPAA Rules and on changes in burden that could result from the modifications proposed in the NPRM. OCR will update this ICR to reflect the input we receive.
Likely Respondents: HIPAA covered entities, business associates, individuals, and professional and trade associations of covered entities and business associates.
Estimated Annualized Burden Table
Forms (If necessary) |
Respondents (If necessary) |
Number of Respondents |
Number of Responses per Respondents |
Average Burden per Response |
Total Burden Hours |
45 CFR 160.204
Process for Requesting Exception Determinations (states or persons) |
A state’s chief elected official or designee. |
1 |
1 |
16 |
16 |
45 CFR 164.308
Risk Analysis --Documentation |
Covered entities; business associates |
1,700,000 |
1 |
10 |
17,000,000
|
45 CFR 164.308
Information System Activity Review – Documentation
|
Covered entities; business associates |
1,700,000 |
12 |
0.75 |
15,300,000
|
45 CFR 164.308
Security Reminders – Periodic Updates
|
Covered entities; business associates |
1,700,000 |
12 |
1 |
20,400,000
|
45 CFR 164.308
Security Incidents (other than breaches) – Documentation
|
Covered entities; business associates |
1,700,000 |
52 |
5 |
442,000,000
|
45 CFR 164.308
Contingency Plan – Testing and Revision
|
Covered entities; business associates |
1,700,000 |
1 |
8 |
13,600,000
|
45 CFR 164.308
Contingency Plan – Criticality Analysis
|
Covered entities; business associates |
1,700,000 |
1 |
4 |
6,800,000
|
45 CFR 164.310
Maintenance Records
|
Covered entities; business associates |
1,700,000 |
12 |
6 |
122,400,000
|
45 CFR 164.314
Security Incidents – Business Associate reporting of incidents (other than breach) to Covered Entities
|
Business associates |
1,000,000 |
12 |
20 |
240,000,000
|
45 CFR 164.316
Documentation – Review and Update |
Covered entities; business associates |
1,700,000 |
1 |
6 |
10,200,000
|
45 CFR 164.404 Individual Notice—Written and E-mail Notice (drafting)
|
Covered entities |
58,482
|
1 |
0.5 |
29,241
|
45 CFR 164.404
Individual Notice—Written and E-mail Notice (preparing and documenting notification)
|
Covered entities |
58,482 |
1 |
0.5 |
29,241 |
45 CFR 164.404
Individual Notice—Written and E-mail Notice (processing and sending) |
Covered entities |
58,482 |
1,941 |
0.008 |
908,108
|
45 CFR 164.404
Individual Notice—Substitute Notice (posting or publishing) |
Covered entities |
2,746 |
1 |
1 |
2,746
|
45 CFR 164.404
Individual Notice—Substitute Notice (staffing toll-free number) |
Covered entities |
2,746 |
1 |
3.42 |
9,391
|
45 CFR 164.404
Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information) |
Covered entities |
113,264 |
1 |
0.125 |
14,158 |
45 CFR 164.406
Media Notice |
Covered entities |
267 |
1 |
1.25 |
334 |
45 CFR 164.408
Notice to Secretary (notice for breaches affecting 500 or more individuals) |
Covered entities |
267 |
1 |
1.25 |
334 |
45 CFR 164.408
Notice to Secretary (notice for breaches affecting less than 500 individuals) |
Covered entities |
58,215 |
1 |
1 |
58,215 |
45 CFR 164.410
Business associate notice to covered entity – 500 or more affected individuals |
Business Associates |
20 |
1 |
50 |
1,000 |
45 CFR 164.410
Business associate notice to covered entity – Less than 500 affected individuals |
Business Associates |
1,165 |
1 |
8 |
9,320 |
45 CFR 164.414
500 or More Affected Individuals (investigating and documenting breach) |
Covered entities |
267 |
1 |
50 |
13,350 |
45 CFR 164.414
Less than 500 Affected Individuals (investigating and documenting breach) -- affecting 10-499 |
Covered entities |
2,479 |
1 |
8 |
19,832
|
45 CFR 164.414
Less than 500 Affected Individuals (investigating and documenting breach) -- affecting <10 |
Covered entities |
55,736 |
1 |
4 |
222,944
|
45 CFR 164.504
Uses and Disclosures – Organizational Requirements
|
Covered entities |
700,000 |
1 |
0.083333333
|
58,333 |
45 CFR 164.508
Uses and Disclosures for Which Individual authorization is required
|
Covered entities |
700,000 |
1 |
1 |
700,000 |
45 CFR 165.512
Uses and Disclosures for Research Purposes |
Covered entities |
113,524 |
1 |
0.083333333
|
9,460 |
45 CFR 164.520
Notice of Privacy Practices for Protected Health Information (health plans – periodic distribution of NPPs by paper mail) |
Covered entities – health plans |
100,000,000 |
1 |
0.004166667
|
416,667 |
45 CFR 164.520
Notice of Privacy Practices for Protected Health Information (health plans – periodic distribution of NPPs by electronic mail) |
Covered entities – health plans |
100,000,000 |
1 |
0.002783333
|
278,333 |
45 CFR 164.520
Notice of Privacy Practices for Protected Health Information (health care providers – dissemination and acknowledgement) |
Covered entities – health care providers |
613,000,000 |
1 |
0.05 |
30,650,000 |
45 CFR 164.522
Rights to Request Privacy Protection for Protected Health Information |
Covered entities – health care providers, health plans |
20,000 |
1 |
0.05 |
1,000 |
45 CFR 164.524
Access of Individuals to Protected Health Information (disclosures) |
Covered entities – health care providers, health plans, clearinghouses |
200,000 |
1 |
0.05 |
10,000 |
45 CFR 164.526
Amendment of Protected Health Information (requests) |
Covered entities - health care providers, health plans, clearinghouses |
150,000 |
1 |
0.083333333
|
12,500 |
45 CFR 164.526
Amendment of Protected Health Information (denials) |
Covered entities - health care providers, health plans, clearinghouses |
50,000 |
1 |
0.083333333
|
4,167 |
45 CFR 164.528
Accounting for Disclosures of Protected Health Information |
Covered entities - health care providers, health plans, clearinghouses |
5,000 |
1 |
0.05 |
250
|
Total |
|
|
|
|
921,158,941 |
____________________________________
Insert Name
Office of the Secretary
Paperwork Reduction Act Reports Clearance Officer
| File Type | application/msword |
| File Title | Billing Code: |
| Author | HCFA Software Control |
| Last Modified By | SYSTEM |
| File Modified | 2019-09-30 |
| File Created | 2019-09-30 |