Information Collection Request

Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164

ICR 202509-0945-001 · OMB 0945-0003 · Active

Forms and Documents

Document	Type	Status	Availability
Justification for Non-substantive Change.pdf	Justification for No Material/Nonsubstantive Change	Uploaded 2025-11-13	Repair queued
Justification for Non-substantive Change.pdf	Justification for No Material/Nonsubstantive Change	Uploaded 2025-11-13	Repair queued
Supplemental Document HIPAA_Breach_Portal_Questions.pdf	Supplementary Document	Uploaded 2025-11-13	Repair queued
Supplemental Document HIPAA_Breach_Portal_Questions.pdf	Supplementary Document	Uploaded 2025-11-13	Repair queued
2024_04_30_HIPAA RHC Privacy FR_ICR_Supporting_Statement CLEAN.docx	Supporting Statement A	Uploaded 2024-04-30	Available
2024_04_30_HIPAA RHC Privacy FR_ICR_Supporting_Statement CLEAN.docx	Supporting Statement A	Uploaded 2024-04-30	Repair queued

IC Document Collections

IC ID	Collection	Status
264566	Attestations requiring additional action	Unchanged
264565	Attestations requiring investigation review	Unchanged
264564	Notice of Privacy Practices for Protected Health Information―Mailing notice to 10% of subscribers at a rate of 240 notices/hour	Unchanged
259737	164.509 Disclosures for which attestation is required	Unchanged
259736	164.530 Administrative Requirements―Training― 164.525 Update training content	Unchanged
259735	164.530 Administrative Requirements-Policies & Procedures (new and updated)	Unchanged
259734	164.520 Notice of Privacy Practices for Protected Health Information― Post updated notice online	Unchanged
259733	164.520 Notice of Privacy Practices for Protected Health Information―Updating	Unchanged
259731	164.504 Revising Business Associate Agreements	Unchanged
237898	Business Associate Notice to Covered Entity – Less than 500 affected individuals	Unchanged
237897	Business Associate Notice to Covered Entity – 500 or more affected individuals	Unchanged
221884	Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting <10 individuals	Unchanged
221883	Less than 500 Affected Individuals (investigating and documenting breach)	Unchanged
221882	500 or More Affected Individuals (investigating and documenting breach)	Unchanged
221881	Notice to Secretary (notice for breaches affecting fewer than 500 individuals)	Unchanged
221880	Notice to Secretary (notice for breaches affecting 500 or more individuals)	Unchanged
221879	Media Notice	Unchanged
221878	Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)	Unchanged
221877	Individual Notice-Substitute Notice (staffing toll-free number)	Unchanged
221876	Individual Notice- Substitute Notice (posting or publishing)	Unchanged
221875	Individual Notice-Written and E-mail Notice(processing and sending)	Unchanged
221874	Individual Notice-Written and E-mail Notice (preparing and documenting notification)	Unchanged
221872	Individual Notice- Written and E-mail Notice (drafting)	Unchanged
221871	Documentation - Review and Update	Unchanged
221870	Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities	Unchanged
221869	Maintenance Records	Unchanged
221868	Contingency Plan- Criticality Analysis	Unchanged
221866	Contingency Plan- Testing and Revision	Unchanged
221862	Security Incidents (other than breaches)- Documentation	Unchanged
221861	Security Reminders- Periodic Updates	Unchanged
221860	Information System Activity Review- Documentation	Unchanged
221859	Risk Analysis-Documentation	Unchanged
208573	Rights to request privacy protection for protected health information	Unchanged
190153	Accounting for Disclosures of Protected Health Information	Unchanged
190152	Amendment of Protected Health Information (denials)	Unchanged
190151	Amendment of Protected Health Information (requests)	Unchanged
190150	Access of Individuals to Protected Health Information (copies of PHI)	Unchanged
190149	Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)	Unchanged
190147	Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement	Unchanged
190146	Notice of Privacy Practices for Protected Health Information/health plan distribution paper mail	Unchanged
190145	Uses and Disclosures for Research Purposes	Unchanged
190144	Uses and Disclosures for which Individual authorization is required	Unchanged
190143	Uses and Disclosures-Organizational Requirement	Unchanged
10428	Process for Requesting Exception Determinations (states or persons)	Unchanged

ICR Details

OMB Control No: 0945-0003	ICR Reference No: 202509-0945-001
Status: Active	Previous ICR Reference No: 202401-0945-002
Agency/Subagency: HHS/OCR	Agency Tracking No: 20296
Title: Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164
Type of Information Collection: No material or nonsubstantive change to a currently approved collection	Common Form ICR: No
Type of Review Request: Regular
OIRA Conclusion Action: Approved without change	Conclusion Date: 01/15/2026
Retrieve Notice of Action (NOA)	Date Received in OIRA: 11/13/2025
Terms of Clearance:

	Inventory as of this Action	Requested	Previously Approved
Expiration Date	07/31/2027	07/31/2027	07/31/2027
Responses	1,154,350,069	0	1,154,350,069
Time Burden (Hours)	953,982,239	0	953,982,239
Cost Burden (Dollars)	163,499,411	0	163,499,411

Abstract: The individually identifiable health information collected is used by patients and by more than 700,000 covered entities affected by the HIPAA Privacy Rule. The information is routinely used by covered entities for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws.

Authorizing Statute(s): PL: Pub.L. 104 - 191 1 Name of Law: Health Insurance Portability and Accountability Act of 1996
PL: Pub.L. 116 - 136 3221 Name of Law: Coronavirus Aid, Relief, and Economic Security Act

Citations for New Statutory Requirements: PL: Pub.L. 116 - 136 3221 Name of Law: Coronavirus Aid, Relief, and Economic Security Act

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
0945-AA20	Final or interim final rulemaking	89 FR 32976	04/26/2024

Federal Register Notices & Comments
Did the Agency receive public comments on this ICR? Yes

Number of Information Collection (IC) in this ICR: 44

IC Title	Form No.	Form Name
164.504 Revising Business Associate Agreements
164.509 Disclosures for which attestation is required
164.520 Notice of Privacy Practices for Protected Health Informationâ Post updated notice online
164.520 Notice of Privacy Practices for Protected Health InformationâUpdating
164.530 Administrative Requirements-Policies & Procedures (new and updated)
164.530 Administrative RequirementsâTrainingâ 164.525 Update training content
500 or More Affected Individuals (investigating and documenting breach)
Access of Individuals to Protected Health Information (copies of PHI)
Accounting for Disclosures of Protected Health Information
Amendment of Protected Health Information (denials)
Amendment of Protected Health Information (requests)
Attestations requiring additional action
Attestations requiring investigation review
Business Associate Notice to Covered Entity â 500 or more affected individuals
Business Associate Notice to Covered Entity â Less than 500 affected individuals
Contingency Plan- Criticality Analysis
Contingency Plan- Testing and Revision
Documentation - Review and Update
Individual Notice- Substitute Notice (posting or publishing)
Individual Notice- Written and E-mail Notice (drafting)
Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information)
Individual Notice-Substitute Notice (staffing toll-free number)
Individual Notice-Written and E-mail Notice (preparing and documenting notification)
Individual Notice-Written and E-mail Notice(processing and sending)
Information System Activity Review- Documentation
Less than 500 Affected Individuals (investigating and documenting breach)
Less than 500 Affected Individuals (investigating and documenting breach) breaches affecting <10 individuals
Maintenance Records
Media Notice
Notice of Privacy Practice for Protected Health Information (Health plans- periodic distribution of NPPs by electronic mail)
Notice of Privacy Practices for Protected Health Information (health care providers - dissemination/acknowledgement
Notice of Privacy Practices for Protected Health Information/health plan distribution paper mail
Notice of Privacy Practices for Protected Health InformationâMailing notice to 10% of subscribers at a rate of 240 notices/hour
Notice to Secretary (notice for breaches affecting 500 or more individuals)
Notice to Secretary (notice for breaches affecting fewer than 500 individuals)
Process for Requesting Exception Determinations (states or persons)
Rights to request privacy protection for protected health information
Risk Analysis-Documentation
Security Incidents (other than breaches)- Documentation
Security Incidents- Business Associate reporting of incidents (other than breach) to Covered Entities
Security Reminders- Periodic Updates
Uses and Disclosures for Research Purposes
Uses and Disclosures for which Individual authorization is required
Uses and Disclosures-Organizational Requirement

ICR Summary of Burden

	Total Approved	Previously Approved
Annual Number of Responses	1,154,350,069	1,154,350,069
Annual Time Burden (Hours)	953,982,239	953,982,239
Annual Cost Burden (Dollars)	163,499,411	163,499,411

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: Burdens increased due to updated estimates for the number of covered entities, costs of postage, wage rates, number of breaches, and number of individuals requesting access to copies of their protected health information. Burdens increased for the one-time activities of updating policies and procedures, updating employee training, revising business associate agreements, and revising the NPP, and the recurring activity of obtaining an attestation for certain requests for copies of protected health information. Hourly burdens decreased for providing individual breach notification due to a drop in the number of affected individuals per breach in the most recent published reports.

Annual Cost to Federal Government: $216,000

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Sherri Morgan 202 774-3042 [email protected]

Common Form ICR: No