AGENCY:

Office of the Secretary, HHS.

ACTION:

Notice.

SUMMARY:

In compliance with the requirement of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, is publishing the following summary of a proposed collection for public comment.

DATES:

Comments on the Information Collection Request (ICR) must be received on or before October 30, 2019.

ADDRESSES:

Submit your comments to OIRA_submission@omb.eop.gov or via facsimile to (202) 395-5806.

FOR FURTHER INFORMATION CONTACT:

Sherrette Funn, Sherrette.Funn@hhs.gov or (202) 795-7714. When submitting comments or requesting information, please include the document identifier 0945-0003-New-30D and project title for reference.

SUPPLEMENTARY INFORMATION:

Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the agency's functions; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.

Title of the Collection: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164.

Type of Collection: Extension.

OMB No. 0945-0003: Office for Civil Rights (OCR)—Health Information Privacy Division.

Abstract: Office for Civil Rights (OCR) requests approval to extend this existing, approved collection without changing any collection requirements while OCR obtains public comment through a Notice of Proposed Rulemaking (NPRM) proposing modifications to the HIPAA Rules that will affect the hourly burdens associated with the Rules. This notice does, however, make the following revisions to estimates provided in the 60-day public comment request, which do not change the collection requirements: (1) Lower the estimated number of individuals who call an entity's toll-free number for information after being affected by a breach requiring substitute notice to reflect a more realistic estimate of the proportion of individuals who choose to call; and (2) correct an error from the 2016 ICR notice that underestimated the average number of individuals affected per breach because it relied on older breach data. This notice also incorporates data from the 60-day public comment request which recognizes for the first time the burdens resulting from the pre-existing, ongoing requirements for business associates to report breaches of PHI to their covered entities.

We did not receive public comment on the 60-day public comment request published on July 19, 2019. We expect to receive robust public comment on existing burdens associated with compliance with the HIPAA Rules and on changes in burden that could result from the modifications proposed in the NPRM. OCR will update this ICR to reflect the input we receive.

Likely Respondents: HIPAA covered entities, business associates, individuals, and professional and trade associations of covered entities and business associates.Start Printed Page 51605