Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164
Revision of a currently approved collection
No
Regular
01/06/2025
Requested | Previously Approved
36 Months From Approved | 07/31/2027
1,202,562,864 | 1,154,350,069
925,144,026 | 953,982,239
163,499,411 | 163,499,411
The individually identifiable health
information collected is used by patients and by more than 800,000
covered entities and 1,000,000 business associates affected by the
HIPAA Privacy, Security, and Breach Notification Rules. The
information is routinely used by covered entities and business
associates for treatment, payment, and health care operations. In
addition, the information is used for specified public policy
purposes, including research, public health, and as required by
other laws.
PL: Pub.L. 104 - 191 1 Name of Law: Health Insurance Portability and Accountability Act of 1996
PL: Pub.L. 116 - 136 3221 Name of Law: Coronavirus Aid, Relief, and Economic Security Act
As a result of proposed program changes that would establish new requirements, the Department added new estimated burdens, as follows:
(1) For each regulated entity to conduct a Security Rule compliance audit.
(2) For each business associate (including each subcontractor) to provide verification of compliance with technical safeguards.
(3) For each regulated entity to obtain verification of business associates’ and subcontractors’ compliance with technical safeguards.
(5) For each regulated entity to provide notification to other regulated entities of workforce members' termination of access to ePHI.
(6) For each regulated entity to deploy multi-factor authentication.
(7) For each regulated entity to perform network segmentation.
(8) For approximately 75 percent of regulated entities to disable unused ports and remove extraneous software.
(9) For each regulated entity to conduct penetration testing.
(10) For each regulated entity to notify covered entities or business associates, as applicable, upon activation of a contingency plan.
(11) For each insurer and third-party administrator to update health plan documents.
(12) For each regulated entity to update the content of its cybersecurity awareness and Security Rule training program.
(13) For each regulated entity to update its policies and procedures.
(14) For each regulated entity to update business associate agreements.
(15) For each health plan sponsor that has access to ePHI to implement the Security Rule’s administrative, physical, and technical safeguards in their relevant electronic information systems.
In addition, the Department is making updates and adjustments to certain estimates. The Department has revised the estimated annual burdens of compliance by:
(1) Increasing the number of covered entities from 774,331 to 822,600.
(2) Updating hourly wage rates from 2022 to 2023 rates.
(3) Decreasing the number of respondents requesting exceptions to state law preemption under 45 CFR 160.204 from 27 to 1 to return to the previous baseline of 1 request per year.
(4) Decreasing the estimated hourly burden for a business associate to report security incidents (other than breaches) to a covered entity from 20 hours per monthly report to 10 hours per monthly report.
(5) Increasing the estimated number of disclosures for research from approximately 147,000 to 153,857.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.