2016-05961. Agency Information Collection Activities; Proposed Collection; Public Comment Request  

    AGENCY:

    Office of the Secretary, HHS.

    ACTION:

    Notice.

    SUMMARY:

    In compliance with section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, announces plans to submit an Information Collection Request (ICR), described below, to the Office of Management and Budget (OMB). The ICR is for revision of the approved information collection assigned OMB control number #0945-0003, which expires on January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments from the public regarding the burden estimate, below, or any other aspect of the ICR.

    DATES:

    Comments on the ICR must be received on or before May 16, 2016.

    ADDRESSES:

    Submit your comments to Information.CollectionClearance@hhs.gov or by calling (202) 690-6162.

    FOR FURTHER INFORMATION CONTACT:

    Information Collection Clearance staff, Information.CollectionClearance@hhs.gov or (202) 690-6162.

    SUPPLEMENTARY INFORMATION:

    When submitting comments or requesting information, please include the document identifier HHS-OS-0945-0003-60D for reference.

    Information Collection Request Title: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164.

    Abstract: This revision does not change any requirements of the HIPAA Privacy, Security, and Breach Notification Rules. Among other updates summarized below, the ICR requests to rename the information collection and incorporate into it the substance of two other information collections (#0945-0004, set to expire on May 31, 2016; and #0945-0001, expiring on September 30, 2016), which then would be discontinued. The ICR addresses the burden on regulated entities for compliance with the information collection requirements of the HIPAA Privacy, Security, and Breach Notification Rules; the voluntary burden on members of the public for obtaining information from covered entities regarding breaches of their protected health information; and the information collection burden on the Office for Civil Rights (OCR) associated with administering aspects of the HIPAA Breach Notification program. Combining the three existing information collections identified above will allow the regulated community, the public, and OCR to more easily view and track the estimated burdens associated with the HIPAA Rules that are administered and enforced by OCR. In addition to combining the ICRs, the proposed updates take into account our experience administering the Rules to more accurately reflect the burdens of compliance with the applicable regulatory requirements; remove the estimated burden of initial compliance with the Omnibus HIPAA Final Rule, because we are well past the compliance dates; and incorporate increases in wages for the job categories that we expect to be involved in compliance activities.

    Need and Proposed Use of the Information: The HIPAA Rules require covered entities, and in many respects their business associates, to protect the privacy and security of individually identifiable health information (called “protected health information” or “PHI”); fulfill individuals' rights under HIPAA with respect to their health information; and provide notification in case of a breach of unsecured protected health information. The information collections associated with these regulatory requirements include documenting and updating policies and procedures for ensuring the privacy and security of individuals' health information, recording compliance activities, providing individuals with a notice of privacy practices and with access to their information upon request, and notifying affected individuals, the Secretary, and in some cases the media of a breach of protected health information.

    Likely Respondents: HIPAA covered entities and business associates (required burden), and individual members of the public affected by breaches of their protected health information (voluntary burden).

    Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information. The total annual burden hours estimated for this ICR are summarized in the table below.

    Total Estimated Annualized Burden—Hours

    | Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response [1] | Total burden hours |
    |---|---|---|---|---|---|
    | 160.204 | Process for Requesting Exception Determinations (states or persons) | 1 | 1 | 16 | 16 |
    | 164.308 | Risk Analysis—Documentation | 1,700,000 [2] | 1 | 10 | 17,000,000 |
    | 164.308 | Information System Activity Review—Documentation | 1,700,000 | 12 | .75 | 15,300,000 |
    | 164.308 | Security Reminders—Periodic Updates | 1,700,000 | 12 | 1 | 20,400,000 |
    | 164.308 | Security Incidents (other than breaches)—Documentation | 1,700,000 | 52 | 5 | 442,000,000 |
    | 164.308 | Contingency Plan—Testing and Revision | 1,700,000 | 1 | 8 | 13,600,000 |
    | 164.308 | Contingency Plan—Criticality Analysis | 1,700,000 | 1 | 4 | 6,800,000 |
    | 164.310 | Maintenance Records | 1,700,000 | 12 | 6 | 122,400,000 |
    | 164.314 | Security Incidents—Business Associate reporting of incidents (other than breach) to Covered Entities | 1,000,000 | 12 | 20 | 240,000,000 |
    | 164.316 | Documentation—Review and Update [3] | 1,700,000 | 1 | 6 | 10,200,000 |
    | 164.404 | Individual Notice—Written and E-mail Notice (drafting) | 58,481 [4] | 1 | .5 | 29,240 |
    | 164.404 | Individual Notice—Written and E-mail Notice (preparing and documenting notification) | 58,481 | 1 | .5 | 29,240 |
    | 164.404 | Individual Notice—Written and E-mail Notice (processing and sending) | 58,481 | 353 [5] | .008 | 165,150 |
    | 164.404 | Individual Notice—Substitute Notice (posting or publishing) | 2,746 [6] | 1 | 1 | 2,746 |
    | 164.404 | Individual Notice—Substitute Notice (staffing toll-free number) | 2,746 | 1 | 5.75 [7] | 15,789 |
    | 164.404 | Individual Notice—Substitute Notice (individuals' voluntary burden to call toll-free number for information) | 11,326,440 [8] | 1 | .125 [9] | 1,415,805 |
    | 164.406 | Media Notice | 267 [10] | 1 | 1.25 | 333 |
    | 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 267 | 1 | 1.25 | 333 |
    | 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | 58,215 [11] | 1 | 1 | 58,215 |
    | 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 267 | 1 | 50 | 13,350 |
    | 164.414 | Less than 500 Affected Individuals (investigating and documenting breach) | 2,479 (breaches affecting 10-499 individuals) | 1 | 8 | 19,832 |
    |  |  | 55,736 (breaches affecting <10 individuals) | 1 | 4 | 222,944 |
    | 164.504 | Uses and Disclosures—Organizational Requirements | 700,000 | 1 | 5/60 | 58,333 |
    | 164.508 | Uses and Disclosures for Which Individual authorization is required | 700,000 | 1 | 1 | 700,000 |
    | 164.512 | Uses and Disclosures for Research Purposes | 113,524 [12] | 1 | 5/60 | 9,460 |
    | 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by paper mail) | 100,000,000 [13] | 1 | 0.25 minutes [1 hour per 240 notices] | 416,667 |
    | 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by electronic mail) | 100,000,000 | 1 | 0.167 minutes [1 hour per 360 notices] | 278,333 |
    | 164.520 | Notice of Privacy Practices for Protected Health Information (health care providers—dissemination and acknowledgement) | 613,000,000 [14] | 1 | 3/60 | 30,650,000 |
    | 164.522 | Rights to Request Privacy Protection for Protected Health Information | 20,000 [15] | 1 | 3/60 | 1,000 |
    | 164.524 | Access of Individuals to Protected Health Information (disclosures) | 200,000 [16] | 1 | 3/60 | 10,000 |
    | 164.526 | Amendment of Protected Health Information (requests) | 150,000 | 1 | 5/60 | 12,500 |
    | 164.526 | Amendment of Protected Health Information (denials) | 50,000 | 1 | 5/60 | 4,166 |
    | 164.528 | Accounting for Disclosures of Protected Health Information | 5,000 [17] | 1 | 3/60 | 250 |
    | Total |  |  |  |  | 921,813,702 |

    [1] The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities, particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here.
    [2] This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The Omnibus HIPAA Final Rule burden analysis estimated that there were 1-2 million business associates. However, because many business associates have business associate relationships with multiple covered entities, we believe the lower end of this range is more accurate.
    [3] This element includes the burden of updating documentation in accordance with the evaluation required by 45 CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation.
    [4] Total number of breach incidents in 2015.
    [5] Average number of individuals affected per breach incident in 2015.
    [6] This number includes all 267 large breaches and all 2,479 breaches affecting 10-499 individuals. As we stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10 individuals may require substitute notice, we believe the costs of providing such notice through alternative written means or by telephone is negligible.
    [7] We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124 individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals being affected by breaches requiring substitute notice results from the assumption that the number of callers to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136) and 5% of individuals affected by small breaches (.05 × 285,413 = 14,270). We calculate .10 * (113,250,136 + 14,270) = 11,326,440.
    [8] As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large breaches and 5% of individuals affected by small breaches.
    [9] This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself.
    [10] The total number of breaches affecting 500 or more individuals in 2015.
    [11] The total number of breaches affecting fewer than 500 individuals in 2015.
    [12] The number of entities who use and disclose protected health information for research purposes.
    [13] As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by covered health plans will receive the plan's NPP by paper mail, and half will receive the NPP by electronic mail.
    [14] We estimate that each year covered health care providers will have first-time visits with 613 million individuals, to whom the providers must give a NPP.
    [15] We assume covered entities address 20,000 requests for confidential communications or restrictions on disclosures per year.
    [16] We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their protected health information.
    [17] We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their protected health information.

    OS specifically requests comments on (1) the necessity and utility of the proposed information collection for the proper performance of the agency's functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.

    Terry S. Clark,

    Assistant Information Collection Clearance Officer.

    [FR Doc. 2016-05961 Filed 3-16-16; 8:45 am]

    BILLING CODE 4153-01-P

Document Information

Published:
03/17/2016
Department:
Health and Human Services Department
Entry Type:
Notice
Action:
Notice.
Document Number:
2016-05961
Dates:
Comments on the ICR must be received on or before May 16, 2016.
Pages:
14453-14455 (3 pages)
Docket Numbers:
Document Identifier: HHS-OS-0945-0003-60D
PDF File:
2016-05961.pdf