Standards for Privacy of
Individually Identifiable Health Information and Supporting
Regulations at 45 CFR Parts 160 and 164
Revision of a currently approved collection
No
Regular
03/01/2021
Requested
Previously Approved
36 Months From Approved
01/31/2023
1,122,777,231
1,097,206,223
952,089,673
921,158,940
0
0
The individually identifiable health
information collected is used by patients and by more than 700,000
covered entities affected by the HIPAA Privacy Rule. The
information is routinely used by covered entities for treatment,
payment, and health care operations. In addition, the information
is used for specified public policy purposes, including research,
public health, and as required by other laws.
PL:
Pub.L. 104 - 191 1 Name of Law: Health Insurance Portability
and Accountability Act of 1996
HHS is: (1) Adjusting the
number of covered entities (CEs) from 700,000 to 774,331 due to
more recent data. (2) Adjusting the number of access requests for
copies of protected health information (PHI) from 200,000 to
2,460,000 annually based on a review of available data. (3)
Increasing the estimated burden hours for responding to access
requests from 3 to 5 minutes per request and allocating 1 minute as
uncompensated due to changes in technology and reassessment of the
types of access requests. (4) Increasing the burden hours by a
factor of 2 for responding to individuals’ requests for
restrictions on disclosures of their PHI because easing the minimum
necessary requirements for disclosures for care coordination by
health plans may cause some individuals to seek to narrow the scope
of some permitted disclosures; (5) Newly estimating the burdens
resulting from the pre-existing, ongoing requirement for CEs to
make minimum necessary evaluations before using or disclosing PHI
for payment and health care operations purposes (and before using
PHI for treatment) in the amount of 18 hours annually per CE, and
decreasing the annual minimum necessary burden by 4 hours per CE
due to easing the minimum necessary requirement for care
coordination disclosures, resulting in a total ongoing annual
burden of 14 hours per CE; (6) Recognizing for the first time
burdens associated with providing electronic copies of PHI to third
parties designated by individuals in the amount of 2 minutes per
request for 25 percent of 615,000 such requests received annually
based on reassessment of CEs’ burdens due to the Ciox v. Azar court
decision; (7) Recognizing for the first time burdens associated
with providing electronic copies of PHI to health plans and health
care providers as third parties designated by individuals in the
amount of 4 minutes per request for 25 percent of 615,000 such
requests received annually based on a reassessment of CEs’ burdens
following the Ciox v. Azar decision; and (8) Decreasing the
estimated burden for disseminating the Notice of Privacy Practices
(NPP) and obtaining an acknowledgement of receipt, from 3 minutes
to 1 minute and 15 seconds due to the proposal to eliminate the
requirements relating to the acknowledgement of receipt. New
Burdens Resulting from Program Changes In addition to these changes
above, HHS is proposing to add new burdens as a result of program
changes: (1) An annualized burden of 10 minutes per CE for posting
an updated NPP due to changes to the required content; (2) An
annualized burden of 3.5 minutes per request for submitting an
access request for an individual to another provider for an
estimated 92,250 annual requests, a proposed new individual right;
(3) An annualized 10-minute burden per CE for posting an access and
authorization fee schedule online, a proposed new regulatory
requirement; (4) An annualized 7-minute burden for each of an
estimated 6,130,000 annual requests from individuals to discuss
their direct treating health care provider’s NPP, a proposed new
individual right; (5) An annualized 3-minute burden for each of an
estimated 73,800 annual requests from individuals for an
individualized estimate of the fees to provide copies of requested
PHI, a proposed new individual right; (6) An annualized 1-minute
burden for each of an estimated 24,600 annual requests from
individuals for an itemized list of charges for copies of PHI, a
proposed new individual right; (7) A 1-time burden of 6 hours and
55 minutes for each CE to update its policies and procedures due to
multiple proposed changes to the Privacy Rule access and disclosure
requirements; and; (8) A 1-time burden of 4 hours and 40 minutes
for each CE to update the content of its HIPAA training program and
a 1-time burden of 7 additional minutes of time spent in training
on the right of access per CE due to proposed changes to the right
of access and fees for copies of PHI.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
HIPAA NPRM ICR Supporting Statement Submitted to ROCIS.docx
published 60-FRN day 0945-0003.pdf
30-day FRN 0945-0003 HIPAA 2019 ICR Extension.doc
Notice of Privacy Practices for Protected Health Information – Post updated notice online