Information Collection Request

Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164

ICR 202411-0945-001 · OMB 0945-0003 · Received in OIRA

⚠️ Notice: This information collection may be outdated. More recent filings for OMB 0945-0003 can be found here:

2025-11-13 - No material or nonsubstantive change to a currently approved collection

Forms and Documents

Document	Type	Status	Availability
2024_12_18_HIPAA Security Rule NPRM_ICR_Supporting_Statement.docx	Supporting Statement A	Uploaded 2024-12-18	Repair queued

IC Document Collections

IC ID	Collection	Status
272168	Notification of Contingency Plan Activation - Health Plan Sponsors	New
272166	Penetration Testing - Health Plan Sponsors	New
272165	Configuration Management - Health Plan Sponsors	New
272164	Multi-factor Authentication - Health Plan Sponsors	New
272163	Maintenance Records - Health Plan Sponsors	New
272162	Notification of Termination of ePHI Access - Health Plan Sponsors	New
272161	Contingency Plan - Criticality Analysis - Health Plan Sponsors	New
272160	Contingency Plan - Testing and Revision - Health Plan Sponsors	New
272159	Security Incidents (Other than Breaches) - Documentation - Health Plan Sponsors	New
272158	Ongoing Education - Health Plan Sponsors	New
272157	Information System Activity Review - Documentation - Health Plan Sponsors	New
272156	Risk Analysis - Documentation - Health Plan Sponsors	New
272155	Revise Policies and Procedures - Regulated Entities	New
272154	Update Workforce Training - Regulated Entities	New
272153	Revise Health Plan Documents - Health Plans	New
272152	Notification of Contingency Plan Activation - Regulated Entities	New
272151	Penetration Testing - Regulated Entities	New
272150	Configuration Management - Regulated Entities	New
272149	Network Segmentation - Regulated Entities	New
272148	Multi-factor Authentication - Regulated Entities	New
272147	Notification of Termination of Access to ePHI - Regulated Entities	New
272146	Business Associate's Obtain Subcontractors' Compliance Verification	New
272145	Covered Entities Obtain Business Associates' Compliance Verification	New
272082	Verification of Technical Safeguards by Business Associates	New
272081	Security Rule Compliance Audit - Regulated Entities	New
264566	Attestations requiring additional action	Unchanged
264565	Attestations requiring investigation review	Unchanged
264564	Notice of Privacy Practices for Protected Health Information―Mailing notice to 10% of subscribers at a rate of 240 notices/hour	Removed
259737	164.509 Disclosures for which attestation is required	Unchanged
259736	164.530 Administrative Requirements―Training― 164.525 Update training content	Removed
259735	164.530 Administrative Requirements-Policies & Procedures (new and updated)	Removed
259734	164.520 Notice of Privacy Practices for Protected Health Information― Post updated notice online	Removed
259733	164.520 Notice of Privacy Practices for Protected Health Information―Updating	Removed
259731	Revising Business Associate Agreements	Modified
237898	Business Associate Notice to Covered Entity – Less than 500 affected individuals	Unchanged
237897	Business Associate Notice to Covered Entity – 500 or more affected individuals	Unchanged
221884	Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting	Unchanged
221883	Less than 500 Affected Individuals (investigating and documenting breach)	Unchanged
221882	500 or More Affected Individuals (investigating and documenting breach)	Unchanged
221881	Notice to Secretary (notice for breaches affecting fewer than 500 individuals)	Unchanged
221880	Notice to Secretary (notice for breaches affecting 500 or more individuals)	Unchanged
221879	Media Notice	Unchanged
221878	Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)	Unchanged
221877	Individual Notice-Substitute Notice (staffing toll-free number)	Unchanged
221876	Individual Notice- Substitute Notice (posting or publishing)	Unchanged
221875	Individual Notice-Written and E-mail Notice(processing and sending)	Unchanged
221874	Individual Notice-Written and E-mail Notice (preparing and documenting notification)	Unchanged
221872	Individual Notice- Written and E-mail Notice (drafting)	Unchanged
221871	Documentation - Review and Update	Modified
221870	Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities	Modified
221869	Maintenance Records - Regulated Entities	Modified
221868	Contingency Plan- Criticality Analysis - Regulated Entities	Modified
221866	Contingency Plan- Testing and Revision - Regulated Entities	Modified
221862	Security Incidents (other than breaches)- Documentation - Regulated Entities	Modified
221861	Ongoing Education - Regulated Entities	Modified
221860	Information System Activity Review- Documentation - Regulated Entities	Modified
221859	Risk Analysis-Documentation - Regulated Entities	Modified
208573	Rights to request privacy protection for protected health information	Unchanged
190153	Accounting for Disclosures of Protected Health Information	Unchanged
190152	Amendment of Protected Health Information (denials)	Unchanged
190151	Amendment of Protected Health Information (requests)	Unchanged
190150	Access of Individuals to Protected Health Information (copies of PHI)	Unchanged
190149	Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)	Unchanged
190147	Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement	Unchanged
190146	Notice of Privacy Practices for Protected Health Information/health plan distribution paper mail	Unchanged
190145	Uses and Disclosures for Research Purposes	Modified
190144	Uses and Disclosures for which Individual authorization is required	Modified
190143	Uses and Disclosures-Organizational Requirement	Modified
10428	Process for Requesting Exception Determinations (states or persons)	Modified

ICR Details

OMB Control No: 0945-0003	ICR Reference No: 202411-0945-001
Status: Received in OIRA	Previous ICR Reference No: 202401-0945-002
Agency/Subagency: HHS/OCR	Agency Tracking No: 20296
Title: Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164
Type of Information Collection: Revision of a currently approved collection	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 01/06/2025

	Requested	Previously Approved
Expiration Date	36 Months From Approved	07/31/2027
Responses	1,202,562,864	1,154,350,069
Time Burden (Hours)	925,144,026	953,982,239
Cost Burden (Dollars)	163,499,411	163,499,411

Abstract: The individually identifiable health information collected is used by patients and by more than 800,000 covered entities and 1,000,000 business associates affected by the HIPAA Privacy, Security, and Breach Notification Rules. The information is routinely used by covered entities and business associates for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws.

Authorizing Statute(s): PL: Pub.L. 104 - 191 1 Name of Law: Health Insurance Portability and Accountability Act of 1996

Citations for New Statutory Requirements: PL: Pub.L. 116 - 136 3221 Name of Law: Coronavirus Aid, Relief, and Economic Security Act

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
0945-AA22	Proposed rulemaking	90 FR 898	01/06/2025

Federal Register Notices & Comments
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 64

IC Title	Form No.	Form Name
164.509 Disclosures for which attestation is required
164.520 Notice of Privacy Practices for Protected Health Informationâ Post updated notice online
164.520 Notice of Privacy Practices for Protected Health InformationâUpdating
164.530 Administrative Requirements-Policies & Procedures (new and updated)
164.530 Administrative RequirementsâTrainingâ 164.525 Update training content
500 or More Affected Individuals (investigating and documenting breach)
Access of Individuals to Protected Health Information (copies of PHI)
Accounting for Disclosures of Protected Health Information
Amendment of Protected Health Information (denials)
Amendment of Protected Health Information (requests)
Attestations requiring additional action
Attestations requiring investigation review
Business Associate Notice to Covered Entity â 500 or more affected individuals
Business Associate Notice to Covered Entity â Less than 500 affected individuals
Business Associate's Obtain Subcontractors' Compliance Verification
Configuration Management - Health Plan Sponsors
Configuration Management - Regulated Entities
Contingency Plan - Criticality Analysis - Health Plan Sponsors
Contingency Plan - Testing and Revision - Health Plan Sponsors
Contingency Plan- Criticality Analysis - Regulated Entities
Contingency Plan- Testing and Revision - Regulated Entities
Covered Entities Obtain Business Associates' Compliance Verification
Documentation - Review and Update
Individual Notice- Substitute Notice (posting or publishing)
Individual Notice- Written and E-mail Notice (drafting)
Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)
Individual Notice-Substitute Notice (staffing toll-free number)
Individual Notice-Written and E-mail Notice (preparing and documenting notification)
Individual Notice-Written and E-mail Notice(processing and sending)
Information System Activity Review - Documentation - Health Plan Sponsors
Information System Activity Review- Documentation - Regulated Entities
Less than 500 Affected Individuals (investigating and documenting breach)
Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting <10 individuals
Maintenance Records - Health Plan Sponsors
Maintenance Records - Regulated Entities
Media Notice
Multi-factor Authentication - Health Plan Sponsors
Multi-factor Authentication - Regulated Entities
Network Segmentation - Regulated Entities
Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)
Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement
Notice of Privacy Practices for Protected Health Information/health plan distribution paper mail
Notice of Privacy Practices for Protected Health InformationâMailing notice to 10% of subscribers at a rate of 240 notices/hour
Notice to Secretary (notice for breaches affecting 500 or more individuals)
Notice to Secretary (notice for breaches affecting fewer than 500 individuals)
Notification of Contingency Plan Activation - Health Plan Sponsors
Notification of Contingency Plan Activation - Regulated Entities
Notification of Termination of Access to ePHI - Regulated Entities
Notification of Termination of ePHI Access - Health Plan Sponsors
Ongoing Education - Health Plan Sponsors
Ongoing Education - Regulated Entities
Penetration Testing - Health Plan Sponsors
Penetration Testing - Regulated Entities
Process for Requesting Exception Determinations (states or persons)
Revise Health Plan Documents - Health Plans
Revise Policies and Procedures - Regulated Entities
Revising Business Associate Agreements
Rights to request privacy protection for protected health information
Risk Analysis - Documentation - Health Plan Sponsors
Risk Analysis-Documentation - Regulated Entities
Security Incidents (Other than Breaches) - Documentation - Health Plan Sponsors
Security Incidents (other than breaches)- Documentation - Regulated Entities
Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities
Security Rule Compliance Audit - Regulated Entities
Update Workforce Training - Regulated Entities
Uses and Disclosures for Research Purposes
Uses and Disclosures for which Individual authorization is required
Uses and Disclosures-Organizational Requirement
Verification of Technical Safeguards by Business Associates

ICR Summary of Burden

	Total Request	Previously Approved	Change Due to Agency Discretion
Annual Number of Responses	1,202,562,864	1,154,350,069	48,212,795
Annual Time Burden (Hours)	925,144,026	953,982,239	-28,838,213
Annual Cost Burden (Dollars)	163,499,411	163,499,411	0

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Changing Regulations

Burden decreases because of Program Change due to Agency Discretion: Yes

Burden Reduction Due to: Miscellaneous Actions

Short Statement: As a result of proposed program changes that would establish new requirements, the Department added new estimated burdens, as follows: (1) For each regulated entity to conduct a Security Rule compliance audit. (2) For each business associate (including each subcontractor) to provide verification of compliance with technical safeguards. (3) For each regulated entity to obtain verification of business associatesâ and subcontractorsâ compliance with technical safeguards. (5) For each regulated entity to provide notification to other regulated entities of workforce members' termination of access to ePHI. (6) For each regulated entity to deploy multi-factor authentication. (7) For each regulated entity to perform network segmentation. (8) For approximately 75 percent of regulated entities to disable unused ports and remove extraneous software. (9) For each regulated entity to conduct penetration testing. (10) For each regulated entity to notify covered entities or business associates, as applicable, upon activation of a contingency plan. (11) For each insurer and third-party administrator to update health plan documents. (12) For each regulated entity to update the content of its cybersecurity awareness and Security Rule training program. (13) For each regulated entity to update its policies and procedures. (14) For each regulated entity to update business associate agreements. (15) For each health plan sponsor that has access to ePHI to implement the Security Ruleâs administrative, physical, and technical safeguards in their relevant electronic information systems. In addition, the Department is making updates and adjustments to certain estimates. The Department has revised the estimated annual burdens of compliance by: (1) Increasing the number of covered entities from 774,331 to 822,600. (2) Updating hourly wage rates from 2022 to 2023 rates. (3) Decreasing the number of respondents requesting exceptions to state law preemption under 45 CFR 160.204 from 27 to 1 to return to the previous baseline of 1 request per year. (4) Decreasing the estimated hourly burden for a business associate to report security incidents (other than breaches) to a covered entity from 20 hours per monthly report to 10 hours per monthly report. (5) Increasing the estimated number of disclosures for research from approximately 147,000 to 153,857.

Annual Cost to Federal Government: $216,000

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Sherri Morgan 202 774-3042 [email protected]

Common Form ICR: No