81_FR_14505 81 FR 14453 - Agency Information Collection Activities; Proposed Collection; Public Comment Request


DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary

Federal Register Volume 81, Issue 52 (March 17, 2016)

Page Range: 14453-14455
FR Document: 2016-05961


[Notices]
From the Federal Register Online  [www.thefederalregister.org]


-----------------------------------------------------------------------


[Document Identifier: HHS-OS-0945-0003-60D]


Agency Information Collection Activities; Proposed Collection; 
Public Comment Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with section 3506(c)(2)(A) of the Paperwork 
Reduction Act of 1995, the Office of the Secretary (OS), Department of 
Health and Human Services, announces plans to submit an Information 
Collection Request (ICR), described below, to the Office of Management 
and Budget (OMB). The ICR is for revision of the approved information 
collection assigned OMB control number #0945-0003, which expires on 
January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments 
from the public regarding the burden estimate, below, or any other 
aspect of the ICR.

DATES: Comments on the ICR must be received on or before May 16, 2016.

ADDRESSES: Submit your comments to 
Information.CollectionClearance@hhs.gov or by calling (202) 690-6162.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance 
staff, Information.CollectionClearance@hhs.gov or (202) 690-6162.

SUPPLEMENTARY INFORMATION: When submitting comments or requesting 
information, please include the document identifier 
HHS-OS-0945-0003-60D for reference.
    Information Collection Request Title: HIPAA Privacy, Security, and 
Breach Notification Rules, and Supporting Regulations Contained in 45 
CFR parts 160 and 164.
    Abstract: This revision does not change any requirements of the 
HIPAA Privacy, Security, and Breach Notification Rules. Among other 
updates summarized below, the ICR requests to rename the information 
collection and incorporate into it the substance of two other 
information collections (#0945-0004, set to expire on May 31, 2016; and 
#0945-0001, expiring on September 30, 2016), which then would be 
discontinued. The ICR addresses the burden on regulated entities for 
compliance with the information collection requirements of the HIPAA 
Privacy, Security, and Breach Notification Rules; the voluntary burden 
on members of the public for obtaining information from covered 
entities regarding breaches of their protected health information; and 
the information collection burden on the Office for Civil Rights (OCR) 
associated with administering aspects of the HIPAA Breach Notification 
program. Combining the three existing information collections 
identified above will allow the regulated community, the public, and 
OCR to more easily view and track the estimated burdens associated with 
the HIPAA Rules that are administered and enforced by OCR. In addition 
to combining the ICRs, the proposed updates take into account our 
experience administering the Rules to more accurately reflect the 
burdens of compliance with the applicable regulatory requirements; 
remove the estimated burden of initial compliance with the Omnibus 
HIPAA Final Rule, because we are well past the compliance dates; and 
incorporate increases in wages for the job categories that we expect to 
be involved in compliance activities.
    Need and Proposed Use of the Information: The HIPAA Rules require 
covered entities, and in many respects their business associates, to 
protect the privacy and security of individually identifiable health 
information (called "protected health information" or "PHI"); 
fulfill individuals' rights under HIPAA with respect to their health 
information; and provide notification in case of a breach of unsecured 
protected health information. The information collections associated 
with these regulatory requirements include 
documenting and updating policies and procedures for ensuring the 
privacy and security of individuals' health information, recording 
compliance activities, providing individuals with a notice of privacy 
practices and with access to their information upon request, and 
notifying affected individuals, the Secretary, and in some cases the 
media of a breach of protected health information.
    Likely Respondents: HIPAA covered entities and business associates 
(required burden), and individual members of the public affected by 
breaches of their protected health information (voluntary burden).
    Burden Statement: Burden in this context means the time expended by 
persons to generate, maintain, retain, disclose or provide the 
information requested. This includes the time needed to review 
instructions, to develop, acquire, install and utilize technology and 
systems for the purpose of collecting, validating and verifying 
information, processing and maintaining information, and disclosing and 
providing information, to train personnel and to be able to respond to 
a collection of information, to search data sources, to complete and 
review the collection of information, and to transmit or otherwise 
disclose the information. The total annual burden hours estimated for 
this ICR are summarized in the table below.

                                    Total Estimated Annualized Burden--Hours
----------------------------------------------------------------------------------------------------------------
                                                                   Number of     Average burden
       Section          Type of respondent        Number of      responses per      hours per      Total burden
                                                 respondents      respondent      response \1\         hours
----------------------------------------------------------------------------------------------------------------
160.204.............  Process for Requesting  1...............               1  16..............              16
                       Exception
                       Determinations
                       (states or persons).
164.308.............  Risk Analysis--         1,700,000 \2\...               1  10..............      17,000,000
                       Documentation.
164.308.............  Information System      1,700,000.......              12  .75.............      15,300,000
                       Activity Review--
                       Documentation.
164.308.............  Security Reminders--    1,700,000.......              12  1...............      20,400,000
                       Periodic Updates.
164.308.............  Security Incidents      1,700,000.......              52  5...............     442,000,000
                       (other than
                       breaches)--
                       Documentation.
164.308.............  Contingency Plan--      1,700,000.......               1  8...............      13,600,000
                       Testing and Revision.
164.308.............  Contingency Plan--      1,700,000.......               1  4...............       6,800,000
                       Criticality Analysis.
164.310.............  Maintenance Records...  1,700,000.......              12  6...............     122,400,000
164.314.............  Security Incidents--    1,000,000.......              12  20..............     240,000,000
                       Business Associate
                       reporting of
                       incidents (other than
                       breach) to Covered
                       Entities.
164.316.............  Documentation--Review   1,700,000.......               1  6...............      10,200,000
                       and Update \3\.
164.404.............  Individual Notice--     58,481 \4\......               1  .5..............          29,240
                       Written and E-mail
                       Notice (drafting).
164.404.............  Individual Notice--     58,481..........               1  .5..............          29,240
                       Written and E-mail
                       Notice (preparing and
                       documenting
                       notification).
164.404.............  Individual Notice--     58,481..........         \5\ 353  .008............         165,150
                       Written and E-mail
                       Notice (processing
                       and sending).
164.404.............  Individual Notice--     2,746 \6\.......               1  1...............           2,746
                       Substitute Notice
                       (posting or
                       publishing).
164.404.............  Individual Notice--     2,746...........               1  5.75 \7\........          15,789
                       Substitute Notice
                       (staffing toll-free
                       number).
164.404.............  Individual Notice--     11,326,440 \8\..               1  .125 \9\........       1,415,805
                       Substitute Notice
                       (individuals'
                       voluntary burden to
                       call toll-free number
                       for information).
164.406.............  Media Notice..........  267 \10\........               1  1.25............             333
164.408.............  Notice to Secretary     267.............               1  1.25............             333
                       (notice for breaches
                       affecting 500 or more
                       individuals).
164.408.............  Notice to Secretary     58,215 \11\.....               1  1...............          58,215
                       (notice for breaches
                       affecting fewer than
                       500 individuals).
164.414.............  500 or More Affected    267.............               1  50..............          13,350
                       Individuals
                       (investigating and
                       documenting breach).
164.414.............  Less than 500 Affected  2,479 (breaches                1  8...............          19,832
                       Individuals             affecting 10-
                       (investigating and      499
                       documenting breach).    individuals).
                      ......................  55,736 (breaches               1  4...............         222,944
                                               affecting <10
                                               individuals).
164.504.............  Uses and Disclosures--  700,000.........               1  5/60............          58,333
                       Organizational
                       Requirements.
164.508.............  Uses and Disclosures    700,000.........               1  1...............         700,000
                       for Which Individual
                       authorization is
                       required.
164.512.............  Uses and Disclosures    113,524 \12\....               1  5/60............           9,460
                       for Research Purposes.
164.520.............  Notice of Privacy       100,000,000 \13\               1  0.25 minutes [1          416,667
                       Practices for                                             hour per 240
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by paper mail).
164.520.............  Notice of Privacy       100,000,000.....               1  0.167 minutes [1         278,333
                       Practices for                                             hour per 360
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by electronic mail).
164.520.............  Notice of Privacy       613,000,000 \14\               1  3/60............      30,650,000
                       Practices for
                       Protected Health
                       Information (health
                       care providers--
                       dissemination and
                       acknowledgement).
164.522.............  Rights to Request       20,000 \15\.....               1  3/60............           1,000
                       Privacy Protection
                       for Protected Health
                       Information.
164.524.............  Access of Individuals   200,000 \16\....               1  3/60............          10,000
                       to Protected Health
                       Information
                       (disclosures).
164.526.............  Amendment of Protected  150,000.........               1  5/60............          12,500
                       Health Information
                       (requests).
164.526.............  Amendment of Protected  50,000..........               1  5/60............           4,166
                       Health Information
                       (denials).
164.528.............  Accounting for          5,000 \17\......               1  3/60............             250
                       Disclosures of
                       Protected Health
                       Information.
----------------------------------------------------------------------------------------------------------------
    Total...........  ......................  ................  ..............  ................     921,813,702
----------------------------------------------------------------------------------------------------------------
\1\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct
  certain compliance activities, particularly with respect to Security Rule requirements, while large entities
  may spend more hours than those provided here.
\2\ This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The
  Omnibus HIPAA Final Rule burden analysis estimated that there were 1-2 million business associates. However,
  because many business associates have business associate relationships with multiple covered entities, we
  believe the lower end of this range is more accurate.
\3\ This element includes the burden of updating documentation in accordance with the evaluation required by 45
  CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation.
\4\ Total number of breach incidents in 2015.
\5\ Average number of individuals affected per breach incident in 2015.
\6\ This number includes all 267 large breaches and all 2,479 breaches affecting 10-499 individuals. As we
  stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10
  individuals may require substitute notice, we believe the cost of providing such notice through alternative
  written means or by telephone is negligible.
\7\ We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124
  individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours
  per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our
  previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals
  being affected by breaches requiring substitute notice results from the assumption that the number of callers
  to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136)
  and 5% of individuals affected by small breaches (.05 x 285,413 = 14,270). We calculate .10 * (113,250,136 +
  14,270) = 11,326,440.
\8\ As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large
  breaches and 5% of individuals affected by small breaches.
\9\ This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the
  line/decide to call back and 5 minutes for the call itself.
\10\ The total number of breaches affecting 500 or more individuals in 2015.
\11\ The total number of breaches affecting fewer than 500 individuals in 2015.
\12\ The number of entities who use and disclose protected health information for research purposes.
\13\ As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by
  covered health plans will receive the plan's NPP by paper mail, and half will receive the NPP by electronic
  mail.
\14\ We estimate that each year covered health care providers will have first-time visits with 613 million
  individuals, to whom the providers must give a NPP.
\15\ We assume covered entities address 20,000 requests for confidential communications or restrictions on
  disclosures per year.
\16\ We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their
  protected health information.
\17\ We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of
  disclosures of their protected health information.

    OS specifically requests comments on (1) the necessity and utility 
of the proposed information collection for the proper performance of 
the agency's functions, (2) the accuracy of the estimated burden, (3) 
ways to enhance the quality, utility, and clarity of the information to 
be collected, and (4) the use of automated collection techniques or 
other forms of information technology to minimize the information 
collection burden.

Terry S. Clark,
Assistant Information Collection Clearance Officer.
[FR Doc. 2016-05961 Filed 3-16-16; 8:45 am]
 BILLING CODE 4153-01-P



                                                                                 Federal Register / Vol. 81, No. 52 / Thursday, March 17, 2016 / Notices                                             14453

                                                    DATES:  To ensure consideration,                        or temporary, narrowly or broadly                     SUPPLEMENTARY INFORMATION:        When
                                                    comments must be received by July 1,                    focused (examining one topic or issue or              submitting comments or requesting
                                                    2016. Comments received after this date                 a variety of issues);                                 information, please include the
                                                    will be considered as time permits.                       • The lessons we can learn from                     document identifier HHS–OS–0945–
                                                    ADDRESSES: Individuals, groups, and                     national bodies in other countries to                 0003–60D for reference.
                                                    organizations interested in commenting                  inform how U.S. bodies might work;                       Information Collection Request Title:
                                                    on this topic may submit comments by                      • The influence of national bioethics               HIPAA Privacy, Security, and Breach
                                                    email to info@bioethics.gov or by mail to               bodies on bioethics as a field; other                 Notification Rules, and Supporting
                                                    the following address: Public                           academic fields, such as science,                     Regulations Contained in 45 CFR parts
                                                    Commentary, Presidential Commission                     medicine, and technology; and public                  160 and 164.
                                                    for the Study of Bioethical Issues, 1425                policy;                                                  Abstract: This revision does not
                                                    New York Ave. NW., Suite C–100,                           • The future of national bioethics                  change any requirements of the HIPAA
                                                    Washington, DC 20005.                                   advisory groups in the United States.                 Privacy, Security, and Breach
                                                                                                              To this end, the Commission is                      Notification Rules. Among other
                                                    FOR FURTHER INFORMATION CONTACT: Lisa
                                                                                                            inviting interested parties to provide                updates summarized below, the ICR
                                                    M. Lee, Executive Director, Presidential                                                                      requests to rename the information
                                                    Commission for the Study of Bioethical                  input and advice through written
                                                                                                            comments. Comments will be publicly                   collection and incorporate into it the
                                                    Issues. Telephone: 202–233–3960.                                                                              substance of two other information
                                                    Email: Lisa.Lee@bioethics.gov.                          available, including any personally
                                                                                                            identifiable or confidential business                 collections (#0945–0004, set to expire
                                                    Additional information may be obtained                                                                        on May 31, 2016; and #0945–0001,
                                                    at http://www.bioethics.gov.                            information that they contain. Trade
                                                                                                            secrets should not be submitted.                      expiring on September 30, 2016), which
                                                    SUPPLEMENTARY INFORMATION: On                                                                                 then would be discontinued. The ICR
                                                    November 24, 2009, the President                          Dated: March 1, 2016.
                                                                                                                                                                  addresses the burden on regulated
                                                    established the Presidential Commission                 Lisa M. Lee,                                          entities for compliance with the
                                                    for the Study of Bioethical Issues (the                 Executive Director, Presidential Commission           information collection requirements of
                                                    Commission) to advise him on                            for the Study of Bioethical Issues.                   the HIPAA Privacy, Security, and
                                                    bioethical issues generated by novel and                [FR Doc. 2016–06015 Filed 3–16–16; 8:45 am]           Breach Notification Rules; the voluntary
                                                    emerging research in biomedicine and                    BILLING CODE 4150–06–P                                burden on members of the public for
                                                    related areas of science and technology.                                                                      obtaining information from covered
                                                    The Commission is charged with                                                                                entities regarding breaches of their
                                                    identifying and promoting policies and                  DEPARTMENT OF HEALTH AND                              protected health information; and the
                                                    practices that ensure ethically                         HUMAN SERVICES                                        information collection burden on the
                                                    responsible conduct of scientific                                                                             Office for Civil Rights (OCR) associated
                                                    research and health care delivery.                      Office of the Secretary                               with administering aspects of the
                                                    Undertaking these duties, the                           [Document Identifier: HHS–OS–0945–0003–               HIPAA Breach Notification program.
                                                    Commission seeks to identify and                        60D]                                                  Combining the three existing
                                                    examine specific bioethical, legal, and                                                                       information collections identified above
                                                    social issues related to potential                      Agency Information Collection                         will allow the regulated community, the
                                                    scientific and technological advances;                  Activities; Proposed Collection; Public               public, and OCR to more easily view
                                                    examine diverse perspectives and                        Comment Request                                       and track the estimated burdens
                                                    possibilities for international                         AGENCY:   Office of the Secretary, HHS.               associated with the HIPAA Rules that
                                                    collaboration on these issues; and                                                                            are administered and enforced by OCR.
                                                    recommend legal, regulatory, or policy                  ACTION:   Notice.                                     In addition to combining the ICRs, the
                                                    actions as appropriate.                                 SUMMARY:   In compliance with section                 proposed updates take into account our
                                                       The Commission will conclude at the                  3506(c)(2)(A) of the Paperwork                        experience administering the Rules to
                                                    end of the Presidential administration,                 Reduction Act of 1995, the Office of the              more accurately reflect the burdens of
                                                    and in its two final meetings will reflect              Secretary (OS), Department of Health                  compliance with the applicable
                                                    on the past, present, and future of                     and Human Services, announces plans                   regulatory requirements; remove the
                                                    national bioethics advisory bodies.                     to submit an Information Collection                   estimated burden of initial compliance
                                                    These meetings will include discussion                  Request (ICR), described below, to the                with the Omnibus HIPAA Final Rule,
                                                    of the role of national advisory bodies                 Office of Management and Budget                       because we are well past the compliance
in the developing public policy in the United States and elsewhere, and consideration of the future of U.S. national bioethics advisory bodies that might follow.

The Commission is interested in receiving comments from individuals, groups, and professional communities who wish to join the Commission in reflecting on the past, present, and future of national bioethics advisory bodies in the United States and elsewhere. The Commission is particularly interested in receiving public commentary regarding:

• The advantages and disadvantages of different models for national bioethics advisory bodies, e.g., standing

(OMB). The ICR is for revision of the approved information collection assigned OMB control number #0945–0003, which expires on January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments from the public regarding the burden estimate, below, or any other aspect of the ICR.

DATES: Comments on the ICR must be received on or before May 16, 2016.

ADDRESSES: Submit your comments to Information.CollectionClearance@hhs.gov or by calling (202) 690–6162.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance staff, Information.CollectionClearance@hhs.gov or (202) 690–6162.

dates; and incorporate increases in wages for the job categories that we expect to be involved in compliance activities.

Need and Proposed Use of the Information: The HIPAA Rules require covered entities, and in many respects their business associates, to protect the privacy and security of individually identifiable health information (called “protected health information” or “PHI”); fulfill individuals’ rights under HIPAA with respect to their health information; and provide notification in case of a breach of unsecured protected health information. The information collections associated with these regulatory requirements include



documenting and updating policies and procedures for ensuring the privacy and security of individuals’ health information, recording compliance activities, providing individuals with a notice of privacy practices and with access to their information upon request, and notifying affected individuals, the Secretary, and in some cases the media of a breach of protected health information.

Likely Respondents: HIPAA covered entities and business associates (required burden), and individual members of the public affected by breaches of their protected health information (voluntary burden).

Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information. The total annual burden hours estimated for this ICR are summarized in the table below.

TOTAL ESTIMATED ANNUALIZED BURDEN—HOURS

| Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response ¹ | Total burden hours |
|---|---|---|---|---|---|
| 160.204 | Process for Requesting Exception Determinations (states or persons) | 1 | 1 | 16 | 16 |
| 164.308 | Risk Analysis—Documentation | 1,700,000 ² | 1 | 10 | 17,000,000 |
| 164.308 | Information System Activity Review—Documentation | 1,700,000 | 12 | .75 | 15,300,000 |
| 164.308 | Security Reminders—Periodic Updates | 1,700,000 | 12 | 1 | 20,400,000 |
| 164.308 | Security Incidents (other than breaches)—Documentation | 1,700,000 | 52 | 5 | 442,000,000 |
| 164.308 | Contingency Plan—Testing and Revision | 1,700,000 | 1 | 8 | 13,600,000 |
| 164.308 | Contingency Plan—Criticality Analysis | 1,700,000 | 1 | 4 | 6,800,000 |
| 164.310 | Maintenance Records | 1,700,000 | 12 | 6 | 122,400,000 |
| 164.314 | Security Incidents—Business Associate reporting of incidents (other than breach) to Covered Entities | 1,000,000 | 12 | 20 | 240,000,000 |
| 164.316 | Documentation—Review and Update ³ | 1,700,000 | 1 | 6 | 10,200,000 |
| 164.404 | Individual Notice—Written and E-mail Notice (drafting) | 58,481 ⁴ | 1 | .5 | 29,240 |
| 164.404 | Individual Notice—Written and E-mail Notice (preparing and documenting notification) | 58,481 | 1 | .5 | 29,240 |
| 164.404 | Individual Notice—Written and E-mail Notice (processing and sending) | 58,481 | 353 ⁵ | .008 | 165,150 |
| 164.404 | Individual Notice—Substitute Notice (posting or publishing) | 2,746 ⁶ | 1 | 1 | 2,746 |
| 164.404 | Individual Notice—Substitute Notice (staffing toll-free number) | 2,746 | 1 | 5.75 ⁷ | 15,789 |
| 164.404 | Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information) | 11,326,440 ⁸ | 1 | .125 ⁹ | 1,415,805 |
| 164.406 | Media Notice | 267 ¹⁰ | 1 | 1.25 | 333 |
| 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 267 | 1 | 1.25 | 333 |
| 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | 58,215 ¹¹ | 1 | 1 | 58,215 |
| 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 267 | 1 | 50 | 13,350 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach) | 2,479 (breaches affecting 10–499 individuals) | 1 | 8 | 19,832 |
| | | 55,736 (breaches affecting <10 individuals) | 1 | 4 | 222,944 |
| 164.504 | Uses and Disclosures—Organizational Requirements | 700,000 | 1 | 5/60 | 58,333 |
| 164.508 | Uses and Disclosures for Which Individual authorization is required | 700,000 | 1 | 1 | 700,000 |
| 164.512 | Uses and Disclosures for Research Purposes | 113,524 ¹² | 1 | 5/60 | 9,460 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by paper mail) | 100,000,000 ¹³ | 1 | 0.25 minutes [1 hour per 240 notices] | 416,667 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by electronic mail) | 100,000,000 | 1 | 0.167 minutes [1 hour per 360 notices] | 278,333 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health care providers—dissemination and acknowledgement) | 613,000,000 ¹⁴ | 1 | 3/60 | 30,650,000 |
| 164.522 | Rights to Request Privacy Protection for Protected Health Information | 20,000 ¹⁵ | 1 | 3/60 | 1,000 |
| 164.524 | Access of Individuals to Protected Health Information (disclosures) | 200,000 ¹⁶ | 1 | 3/60 | 10,000 |
| 164.526 | Amendment of Protected Health Information (requests) | 150,000 | 1 | 5/60 | 12,500 |
| 164.526 | Amendment of Protected Health Information (denials) | 50,000 | 1 | 5/60 | 4,166 |
| 164.528 | Accounting for Disclosures of Protected Health Information | 5,000 ¹⁷ | 1 | 3/60 | 250 |
| Total | | | | | 921,813,702 |

¹ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities, particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here.

² This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The Omnibus HIPAA Final Rule burden analysis estimated that there were 1–2 million business associates. However, because many business associates have business associate relationships with multiple covered entities, we believe the lower end of this range is more accurate.

³ This element includes the burden of updating documentation in accordance with the evaluation required by 45 CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation.

⁴ Total number of breach incidents in 2015.

⁵ Average number of individuals affected per breach incident in 2015.

⁶ This number includes all 267 large breaches and all 2,479 breaches affecting 10–499 individuals. As we stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10 individuals may require substitute notice, we believe the costs of providing such notice through alternative written means or by telephone is negligible.

⁷ We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124 individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals being affected by breaches requiring substitute notice results from the assumption that the number of callers to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136) and 5% of individuals affected by small breaches (.05 × 285,413 = 14,270). We calculate .10 * (113,250,136 + 14,270) = 11,326,440.

⁸ As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large breaches and 5% of individuals affected by small breaches.

⁹ This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself.

¹⁰ The total number of breaches affecting 500 or more individuals in 2015.

¹¹ The total number of breaches affecting fewer than 500 individuals in 2015.

¹² The number of entities who use and disclose protected health information for research purposes.

¹³ As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by covered health plans will receive the plan’s NPP by paper mail, and half will receive the NPP by electronic mail.

¹⁴ We estimate that each year covered health care providers will have first-time visits with 613 million individuals, to whom the providers must give a NPP.

¹⁵ We assume covered entities address 20,000 requests for confidential communications or restrictions on disclosures per year.

¹⁶ We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their protected health information.

¹⁷ We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their protected health information.


OS specifically requests comments on (1) the necessity and utility of the proposed information collection for the proper performance of the agency’s functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.

Terry S. Clark,
Assistant Information Collection Clearance Officer.

[FR Doc. 2016–05961 Filed 3–16–16; 8:45 am]
BILLING CODE 4153–01–P


DEPARTMENT OF HEALTH AND HUMAN SERVICES

Announcement of Establishment of the Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives for 2030 and Solicitation of Nominations for Membership

AGENCY: Office of Disease Prevention and Health Promotion, Office of the Assistant Secretary for Health, Office of the Secretary, U.S. Department of Health and Human Services.

ACTION: Notice.

Authority: 42 U.S.C. 217a. The Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives for 2030 is governed by provisions of the Federal Advisory Committee Act (FACA), Public Law 92–463, as amended (5 U.S.C., App.), which sets forth standards for the formation and use of federal advisory committees.

SUMMARY: The U.S. Department of Health and Human Services (HHS) announces the establishment of the Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives for 2030 (Committee) and invites nominations for membership.

DATES: Nominations for membership to the Committee must be submitted by 6:00 p.m. ET on April 18, 2016.

ADDRESSES: Nominations should be submitted by email to HP2030@hhs.gov.





Document Created: 2016-03-17 00:58:39
Document Modified: 2016-03-17 00:58:39
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7: GS 4.107: AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice.
Dates: Comments on the ICR must be received on or before May 16, 2016.
Contact: Information Collection Clearance staff, Information.CollectionClearance@hhs.gov or (202) 690-6162.
FR Citation: 81 FR 14453
