AGENCY:

Federal Trade Commission (FTC).

ACTION:

Notice and request for comment.

SUMMARY:

The FTC requests that the Office of Management and Budget (OMB) extend for three years the current PRA clearance for information collection requirements contained in the agency's Health Breach Notification Rule. The existing clearance expires on May 31, 2019. The public should address comments to this notice to the OMB.

DATES:

Comments must be received by June 3, 2019.

ADDRESSES:

Comments in response to this notice should be submitted to the OMB Desk Officer for the Federal Trade Commission within 30 days of this notice. You may submit comments using any of the following methods:

Electronic: Write “Health Breach Notification Rule: PRA Comment, P072108,” on your comment and file your comment online at https://www.regulations.gov,, by following the instructions on the web-based form.

Email: Wendy_L._Liberante@omb.eop.gov.

Fax: (202) 395-5806.

Mail: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW, Washington, DC 20503.

FOR FURTHER INFORMATION CONTACT:

Robin Wetherill, 202-326-2220, Attorney, Privacy & Identity Protection, Bureau of Consumer Protection, 600 Pennsylvania Ave. NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Title: Health Breach Notification Rule.

OMB Control Number: 3084-0150.

Type of Review: Extension of a currently approved collection.

Abstract: The Health Breach Notification Rule (Rule), 16 CFR part 318, requires vendors of personal health records and PHR related entities to Start Printed Page 18846provide: (1) Notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of personal health records and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. To notify the FTC of a breach, the Commission developed a simple, two-page form requesting minimal information and consisting mainly of check boxes, which is posted at www.ftc.gov/​healthbreach.

On February 8, 2019, the FTC sought comment on the information collection requirements associated with the Rule. 84 FR 2868. The FTC received seven non-germane comments that did not address either the burden associated with the Rule or any of the other issues raised by the public comment request. Pursuant to OMB regulations, 5 CFR part 1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is providing this second opportunity for public comment while seeking OMB approval to renew the pre-existing clearance for the Rule. For more details about the Rule requirements and the basis for the calculations summarized below, see 84 FR 2868.

Likely Respondents: Vendors of personal health records, PHR related entities and third party service providers.

Estimated Annual Hours Burden: 4,779.

Estimated Frequency: 25,000 single-person breaches per year and 0.33 major breaches per year.

Total Annual Labor Cost: $96,656.^[1]

Total Annual Capital or Other Non-Labor Cost: $29,952.^[2]

Request for Comment

Your comment—including your name and your state—will be placed on the public record of this proceeding at the https://www.regulations.gov website. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as anyone's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Footnotes