Agency Information Collection Activities; Proposed Collection; Public Comment Request, 14453-14455 [2016-05961]

Download as PDF Federal Register / Vol. 81, No. 52 / Thursday, March 17, 2016 / Notices To ensure consideration, comments must be received by July 1, 2016. Comments received after this date will be considered as time permits. ADDRESSES: Individuals, groups, and organizations interested in commenting on this topic may submit comments by email to info@bioethics.gov or by mail to the following address: Public Commentary, Presidential Commission for the Study of Bioethical Issues, 1425 New York Ave. NW., Suite C–100, Washington, DC 20005. FOR FURTHER INFORMATION CONTACT: Lisa M. Lee, Executive Director, Presidential Commission for the Study of Bioethical Issues. Telephone: 202–233–3960. Email: Lisa.Lee@bioethics.gov. Additional information may be obtained at https://www.bioethics.gov. SUPPLEMENTARY INFORMATION: On November 24, 2009, the President established the Presidential Commission for the Study of Bioethical Issues (the Commission) to advise him on bioethical issues generated by novel and emerging research in biomedicine and related areas of science and technology. The Commission is charged with identifying and promoting policies and practices that ensure ethically responsible conduct of scientific research and health care delivery. Undertaking these duties, the Commission seeks to identify and examine specific bioethical, legal, and social issues related to potential scientific and technological advances; examine diverse perspectives and possibilities for international collaboration on these issues; and recommend legal, regulatory, or policy actions as appropriate. The Commission will conclude at the end of the Presidential administration, and in its two final meetings will reflect on the past, present, and future of national bioethics advisory bodies. These meetings will include discussion of the role of national advisory bodies in the developing public policy in the United States and elsewhere, and consideration of the future of U.S. national bioethics advisory bodies that might follow. The Commission is interested in receiving comments from individuals, groups, and professional communities who wish to join the Commission in reflecting on the past, present, and future of national bioethics advisory bodies in the United States and elsewhere. The Commission is particularly interested in receiving public commentary regarding: • The advantages and disadvantages of different models for national bioethics advisory bodies, e.g., standing asabaliauskas on DSK3SPTVN1PROD with NOTICES DATES: VerDate Sep<11>2014 17:03 Mar 16, 2016 Jkt 238001 or temporary, narrowly or broadly focused (examining one topic or issue or a variety of issues); • The lessons we can learn from national bodies in other countries to inform how U.S. bodies might work; • The influence of national bioethics bodies on bioethics as a field; other academic fields, such as science, medicine, and technology; and public policy; • The future of national bioethics advisory groups in the United States. To this end, the Commission is inviting interested parties to provide input and advice through written comments. Comments will be publicly available, including any personally identifiable or confidential business information that they contain. Trade secrets should not be submitted. Dated: March 1, 2016. Lisa M. Lee, Executive Director, Presidential Commission for the Study of Bioethical Issues. [FR Doc. 2016–06015 Filed 3–16–16; 8:45 am] BILLING CODE 4150–06–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary [Document Identifier: HHS–OS–0945–0003– 60D] Agency Information Collection Activities; Proposed Collection; Public Comment Request Office of the Secretary, HHS. Notice. AGENCY: ACTION: In compliance with section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, announces plans to submit an Information Collection Request (ICR), described below, to the Office of Management and Budget (OMB). The ICR is for revision of the approved information collection assigned OMB control number #0945– 0003, which expires on January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments from the public regarding the burden estimate, below, or any other aspect of the ICR. DATES: Comments on the ICR must be received on or before May 16, 2016. ADDRESSES: Submit your comments to Information.CollectionClearance@ hhs.gov or by calling (202) 690–6162. FOR FURTHER INFORMATION CONTACT: Information Collection Clearance staff, Information.CollectionClearance@ hhs.gov or (202) 690–6162. SUMMARY: PO 00000 Frm 00044 Fmt 4703 Sfmt 4703 14453 When submitting comments or requesting information, please include the document identifier HHS–OS–0945– 0003–60D for reference. Information Collection Request Title: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164. Abstract: This revision does not change any requirements of the HIPAA Privacy, Security, and Breach Notification Rules. Among other updates summarized below, the ICR requests to rename the information collection and incorporate into it the substance of two other information collections (#0945–0004, set to expire on May 31, 2016; and #0945–0001, expiring on September 30, 2016), which then would be discontinued. The ICR addresses the burden on regulated entities for compliance with the information collection requirements of the HIPAA Privacy, Security, and Breach Notification Rules; the voluntary burden on members of the public for obtaining information from covered entities regarding breaches of their protected health information; and the information collection burden on the Office for Civil Rights (OCR) associated with administering aspects of the HIPAA Breach Notification program. Combining the three existing information collections identified above will allow the regulated community, the public, and OCR to more easily view and track the estimated burdens associated with the HIPAA Rules that are administered and enforced by OCR. In addition to combining the ICRs, the proposed updates take into account our experience administering the Rules to more accurately reflect the burdens of compliance with the applicable regulatory requirements; remove the estimated burden of initial compliance with the Omnibus HIPAA Final Rule, because we are well past the compliance dates; and incorporate increases in wages for the job categories that we expect to be involved in compliance activities. Need and Proposed Use of the Information: The HIPAA Rules require covered entities, and in many respects their business associates, to protect the privacy and security of individually identifiable health information (called ‘‘protected health information’’ or ‘‘PHI’’); fulfill individuals’ rights under HIPAA with respect to their health information; and provide notification in case of a breach of unsecured protected health information. The information collections associated with these regulatory requirements include SUPPLEMENTARY INFORMATION: E:\FR\FM\17MRN1.SGM 17MRN1 14454 Federal Register / Vol. 81, No. 52 / Thursday, March 17, 2016 / Notices documenting and updating policies and procedures for ensuring the privacy and security of individuals’ health information, recording compliance activities, providing individuals with a notice of privacy practices and with access to their information upon request, and notifying affected individuals, the Secretary, and in some cases the media of a breach of protected health information. Likely Respondents: HIPAA covered entities and business associates (required burden), and individual members of the public affected by breaches of their protected health information (voluntary burden). Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information. The total annual burden hours estimated for this ICR are summarized in the table below. TOTAL ESTIMATED ANNUALIZED BURDEN—HOURS Number of responses per respondent Type of respondent Number of respondents 160.204 .......... Process for Requesting Exception Determinations (states or persons). Risk Analysis—Documentation .................... Information System Activity Review—Documentation. Security Reminders—Periodic Updates ....... Security Incidents (other than breaches)— Documentation. Contingency Plan—Testing and Revision .... Contingency Plan—Criticality Analysis ........ Maintenance Records .................................. Security Incidents—Business Associate reporting of incidents (other than breach) to Covered Entities. Documentation—Review and Update 3 ........ Individual Notice—Written and E-mail Notice (drafting). Individual Notice—Written and E-mail Notice (preparing and documenting notification). Individual Notice—Written and E-mail Notice (processing and sending). Individual Notice—Substitute Notice (posting or publishing). Individual Notice—Substitute Notice (staffing toll-free number). Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information). Media Notice ................................................ Notice to Secretary (notice for breaches affecting 500 or more individuals). Notice to Secretary (notice for breaches affecting fewer than 500 individuals). 500 or More Affected Individuals (investigating and documenting breach). Less than 500 Affected Individuals (investigating and documenting breach). 1 ................................ 1 16 .............................. 16 1,700,000 2 ................ 1,700,000 .................. 1 12 10 .............................. .75 ............................. 17,000,000 15,300,000 1,700,000 .................. 1,700,000 .................. 12 52 1 ................................ 5 ................................ 20,400,000 442,000,000 1,700,000 1,700,000 1,700,000 1,000,000 .................. .................. .................. .................. 1 1 12 12 8 ................................ 4 ................................ 6 ................................ 20 .............................. 13,600,000 6,800,000 122,400,000 240,000,000 1,700,000 .................. 58,481 4 ..................... 1 1 6 ................................ .5 ............................... 10,200,000 29,240 58,481 ....................... 1 .5 ............................... 29,240 58,481 ....................... 5 353 .008 ........................... 165,150 2,746 6 ....................... 1 1 ................................ 2,746 2,746 ......................... 1 5.75 7 ......................... 15,789 11,326,440 8 .............. 1 .125 9 ......................... 1,415,805 267 10 ........................ 267 ............................ 1 1 1.25 ........................... 1.25 ........................... 333 333 58,215 11 ................... 1 1 ................................ 58,215 267 ............................ 1 50 .............................. 13,350 2,479 (breaches affecting 10–499 individuals). 55,736 (breaches affecting <10 individuals). 700,000 ..................... 1 8 ................................ 19,832 1 4 ................................ 222,944 1 5/60 ........................... 58,333 700,000 ..................... 1 1 ................................ 700,000 113,524 12 ................. 1 5/60 ........................... 9,460 100,000,000 13 .......... 1 0.25 minutes [1 hour per 240 notices]. 416,667 100,000,000 .............. 1 0.167 minutes [1 hour per 360 notices]. 278,333 164.308 .......... 164.308 .......... 164.308 .......... 164.308 .......... 164.308 164.308 164.310 164.314 .......... .......... .......... .......... 164.316 .......... 164.404 .......... 164.404 .......... 164.404 .......... 164.404 .......... 164.404 .......... 164.404 .......... 164.406 .......... 164.408 .......... 164.408 .......... 164.414 .......... 164.414 .......... ....................................................................... 164.504 .......... asabaliauskas on DSK3SPTVN1PROD with NOTICES 164.508 .......... 164.512 .......... 164.520 .......... 164.520 .......... VerDate Sep<11>2014 Uses and Disclosures—Organizational Requirements. Uses and Disclosures for Which Individual authorization is required. Uses and Disclosures for Research Purposes. Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by paper mail). Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by electronic mail). 17:03 Mar 16, 2016 Jkt 238001 PO 00000 Frm 00045 Fmt 4703 Sfmt 4703 E:\FR\FM\17MRN1.SGM Average burden hours per response 1 Total burden hours Section 17MRN1 Federal Register / Vol. 81, No. 52 / Thursday, March 17, 2016 / Notices 14455 TOTAL ESTIMATED ANNUALIZED BURDEN—HOURS—Continued Number of responses per respondent Type of respondent Number of respondents 164.520 .......... Notice of Privacy Practices for Protected Health Information (health care providers—dissemination and acknowledgement). Rights to Request Privacy Protection for Protected Health Information. Access of Individuals to Protected Health Information (disclosures). Amendment of Protected Health Information (requests). Amendment of Protected Health Information (denials). Accounting for Disclosures of Protected Health Information. 613,000,000 14 .......... 1 3/60 ........................... 30,650,000 20,000 15 ................... 1 3/60 ........................... 1,000 200,000 16 ................. 1 3/60 ........................... 10,000 150,000 ..................... 1 5/60 ........................... 12,500 50,000 ....................... 1 5/60 ........................... 4,166 5,000 17 ..................... 1 3/60 ........................... 250 ....................................................................... ................................... ........................ ................................... 921,813,702 164.522 .......... 164.524 .......... 164.526 .......... 164.526 .......... 164.528 .......... Total ........ Average burden hours per response 1 Total burden hours Section 1 The asabaliauskas on DSK3SPTVN1PROD with NOTICES figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities, particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here. 2 This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The Omnibus HIPAA Final Rule burden analysis estimated that there were 1–2 million business associates. However, because many business associates have business associate relationships with multiple covered entities, we believe the lower end of this range is more accurate. 3 This element includes the burden of updating documentation in accordance with the evaluation required by 45 CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation. 4 Total number of breach incidents in 2015. 5 Average number of individuals affected per breach incident in 2015. 6 This number includes all 267 large breaches and all 2,479 breaches affecting 10–499 individuals. As we stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10 individuals may require substitute notice, we believe the costs of providing such notice through alternative written means or by telephone is negligible. 7 We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124 individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals being affected by breaches requiring substitute notice results from the assumption that the number of callers to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136) and 5% of individuals affected by small breaches (.05 × 285,413 = 14,270). We calculate .10 * (113,250,136 + 14,270) = 11,326,440. 8 As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large breaches and 5% of individuals affected by small breaches. 9 This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself. 10 The total number of breaches affecting 500 or more individuals in 2015. 11 The total number of breaches affecting fewer than 500 individuals in 2015. 12 The number of entities who use and disclose protected health information for research purposes. 13 As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by covered health plans will receive the plan’s NPP by paper mail, and half will receive the NPP by electronic mail. 14 We estimate that each year covered health care providers will have first-time visits with 613 million individuals, to whom the providers must give a NPP. 15 We assume covered entities address 20,000 requests for confidential communications or restrictions on disclosures per year. 16 We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their protected health information. 17 We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their protected health information. OS specifically requests comments on (1) the necessity and utility of the proposed information collection for the proper performance of the agency’s functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden. Terry S. Clark, Assistant Information Collection Clearance Officer. [FR Doc. 2016–05961 Filed 3–16–16; 8:45 am] BILLING CODE 4153–01–P VerDate Sep<11>2014 17:03 Mar 16, 2016 Jkt 238001 DEPARTMENT OF HEALTH AND HUMAN SERVICES Announcement of Establishment of the Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives for 2030 and Solicitation of Nominations for Membership Office of Disease Prevention and Health Promotion, Office of the Assistant Secretary for Health, Office of the Secretary, U.S. Department of Health and Human Services. ACTION: Notice. AGENCY: Authority: 42 U.S.C. 217a. The Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives PO 00000 Frm 00046 Fmt 4703 Sfmt 4703 for 2030 is governed by provisions of the Federal Advisory Committee Act (FACA), Public Law 92–463, as amended (5 U.S.C., App.), which sets forth standards for the formation and use of federal advisory committees. The U.S. Department of Health and Human Services (HHS) announces the establishment of the Secretary’s Advisory Committee on National Health Promotion and Disease Prevention Objectives for 2030 (Committee) and invites nominations for membership. DATES: Nominations for membership to the Committee must be submitted by 6:00 p.m. ET on April 18, 2016. ADDRESSES: Nominations should be submitted by email to HP2030@hhs.gov. SUMMARY: E:\FR\FM\17MRN1.SGM 17MRN1

Agencies

[Federal Register Volume 81, Number 52 (Thursday, March 17, 2016)]
[Notices]
[Pages 14453-14455]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-05961]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

[Document Identifier: HHS-OS-0945-0003-60D]


Agency Information Collection Activities; Proposed Collection; 
Public Comment Request

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with section 3506(c)(2)(A) of the Paperwork 
Reduction Act of 1995, the Office of the Secretary (OS), Department of 
Health and Human Services, announces plans to submit an Information 
Collection Request (ICR), described below, to the Office of Management 
and Budget (OMB). The ICR is for revision of the approved information 
collection assigned OMB control number #0945-0003, which expires on 
January 1, 2017. Prior to submitting that ICR to OMB, OS seeks comments 
from the public regarding the burden estimate, below, or any other 
aspect of the ICR.

DATES: Comments on the ICR must be received on or before May 16, 2016.

ADDRESSES: Submit your comments to 
Information.CollectionClearance@hhs.gov or by calling (202) 690-6162.

FOR FURTHER INFORMATION CONTACT: Information Collection Clearance 
staff, Information.CollectionClearance@hhs.gov or (202) 690-6162.

SUPPLEMENTARY INFORMATION: When submitting comments or requesting 
information, please include the document identifier HHS-OS-0945-0003-
60D for reference.
    Information Collection Request Title: HIPAA Privacy, Security, and 
Breach Notification Rules, and Supporting Regulations Contained in 45 
CFR parts 160 and 164.
    Abstract: This revision does not change any requirements of the 
HIPAA Privacy, Security, and Breach Notification Rules. Among other 
updates summarized below, the ICR requests to rename the information 
collection and incorporate into it the substance of two other 
information collections (#0945-0004, set to expire on May 31, 2016; and 
#0945-0001, expiring on September 30, 2016), which then would be 
discontinued. The ICR addresses the burden on regulated entities for 
compliance with the information collection requirements of the HIPAA 
Privacy, Security, and Breach Notification Rules; the voluntary burden 
on members of the public for obtaining information from covered 
entities regarding breaches of their protected health information; and 
the information collection burden on the Office for Civil Rights (OCR) 
associated with administering aspects of the HIPAA Breach Notification 
program. Combining the three existing information collections 
identified above will allow the regulated community, the public, and 
OCR to more easily view and track the estimated burdens associated with 
the HIPAA Rules that are administered and enforced by OCR. In addition 
to combining the ICRs, the proposed updates take into account our 
experience administering the Rules to more accurately reflect the 
burdens of compliance with the applicable regulatory requirements; 
remove the estimated burden of initial compliance with the Omnibus 
HIPAA Final Rule, because we are well past the compliance dates; and 
incorporate increases in wages for the job categories that we expect to 
be involved in compliance activities.
    Need and Proposed Use of the Information: The HIPAA Rules require 
covered entities, and in many respects their business associates, to 
protect the privacy and security of individually identifiable health 
information (called ``protected health information'' or ``PHI''); 
fulfill individuals' rights under HIPAA with respect to their health 
information; and provide notification in case of a breach of unsecured 
protected health information. The information collections associated 
with these regulatory requirements include

[[Page 14454]]

documenting and updating policies and procedures for ensuring the 
privacy and security of individuals' health information, recording 
compliance activities, providing individuals with a notice of privacy 
practices and with access to their information upon request, and 
notifying affected individuals, the Secretary, and in some cases the 
media of a breach of protected health information.
    Likely Respondents: HIPAA covered entities and business associates 
(required burden), and individual members of the public affected by 
breaches of their protected health information (voluntary burden).
    Burden Statement: Burden in this context means the time expended by 
persons to generate, maintain, retain, disclose or provide the 
information requested. This includes the time needed to review 
instructions, to develop, acquire, install and utilize technology and 
systems for the purpose of collecting, validating and verifying 
information, processing and maintaining information, and disclosing and 
providing information, to train personnel and to be able to respond to 
a collection of information, to search data sources, to complete and 
review the collection of information, and to transmit or otherwise 
disclose the information. The total annual burden hours estimated for 
this ICR are summarized in the table below.

                                    Total Estimated Annualized Burden--Hours
----------------------------------------------------------------------------------------------------------------
                                                                   Number of     Average burden
       Section          Type of respondent        Number of      responses per      hours per      Total burden
                                                 respondents      respondent      response \1\         hours
----------------------------------------------------------------------------------------------------------------
160.204.............  Process for Requesting  1...............               1  16..............              16
                       Exception
                       Determinations
                       (states or persons).
164.308.............  Risk Analysis--         1,700,000 \2\...               1  10..............      17,000,000
                       Documentation.
164.308.............  Information System      1,700,000.......              12  .75.............      15,300,000
                       Activity Review--
                       Documentation.
164.308.............  Security Reminders--    1,700,000.......              12  1...............      20,400,000
                       Periodic Updates.
164.308.............  Security Incidents      1,700,000.......              52  5...............     442,000,000
                       (other than
                       breaches)--Documentat
                       ion.
164.308.............  Contingency Plan--      1,700,000.......               1  8...............      13,600,000
                       Testing and Revision.
164.308.............  Contingency Plan--      1,700,000.......               1  4...............       6,800,000
                       Criticality Analysis.
164.310.............  Maintenance Records...  1,700,000.......              12  6...............     122,400,000
164.314.............  Security Incidents--    1,000,000.......              12  20..............     240,000,000
                       Business Associate
                       reporting of
                       incidents (other than
                       breach) to Covered
                       Entities.
164.316.............  Documentation--Review   1,700,000.......               1  6...............      10,200,000
                       and Update \3\.
164.404.............  Individual Notice--     58,481 \4\......               1  .5..............          29,240
                       Written and E-mail
                       Notice (drafting).
164.404.............  Individual Notice--     58,481..........               1  .5..............          29,240
                       Written and E-mail
                       Notice (preparing and
                       documenting
                       notification).
164.404.............  Individual Notice--     58,481..........         \5\ 353  .008............         165,150
                       Written and E-mail
                       Notice (processing
                       and sending).
164.404.............  Individual Notice--     2,746 \6\.......               1  1...............           2,746
                       Substitute Notice
                       (posting or
                       publishing).
164.404.............  Individual Notice--     2,746...........               1  5.75 \7\........          15,789
                       Substitute Notice
                       (staffing toll-free
                       number).
164.404.............  Individual Notice--     11,326,440 \8\..               1  .125 \9\........       1,415,805
                       Substitute Notice
                       (individuals'
                       voluntary burden to
                       call toll-free number
                       for information).
164.406.............  Media Notice..........  267 \10\........               1  1.25............             333
164.408.............  Notice to Secretary     267.............               1  1.25............             333
                       (notice for breaches
                       affecting 500 or more
                       individuals).
164.408.............  Notice to Secretary     58,215 \11\.....               1  1...............          58,215
                       (notice for breaches
                       affecting fewer than
                       500 individuals).
164.414.............  500 or More Affected    267.............               1  50..............          13,350
                       Individuals
                       (investigating and
                       documenting breach).
164.414.............  Less than 500 Affected  2,479 (breaches                1  8...............          19,832
                       Individuals             affecting 10-
                       (investigating and      499
                       documenting breach).    individuals).
                      ......................  55,736 (breaches               1  4...............         222,944
                                               affecting <10
                                               individuals).
164.504.............  Uses and Disclosures--  700,000.........               1  5/60............          58,333
                       Organizational
                       Requirements.
164.508.............  Uses and Disclosures    700,000.........               1  1...............         700,000
                       for Which Individual
                       authorization is
                       required.
164.512.............  Uses and Disclosures    113,524 \12\....               1  5/60............           9,460
                       for Research Purposes.
164.520.............  Notice of Privacy       100,000,000 \13\               1  0.25 minutes [1          416,667
                       Practices for                                             hour per 240
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by paper mail).
164.520.............  Notice of Privacy       100,000,000.....               1  0.167 minutes [1         278,333
                       Practices for                                             hour per 360
                       Protected Health                                          notices].
                       Information (health
                       plans--periodic
                       distribution of NPPs
                       by electronic mail).

[[Page 14455]]

 
164.520.............  Notice of Privacy       613,000,000 \14\               1  3/60............      30,650,000
                       Practices for
                       Protected Health
                       Information (health
                       care providers--
                       dissemination and
                       acknowledgement).
164.522.............  Rights to Request       20,000 \15\.....               1  3/60............           1,000
                       Privacy Protection
                       for Protected Health
                       Information.
164.524.............  Access of Individuals   200,000 \16\....               1  3/60............          10,000
                       to Protected Health
                       Information
                       (disclosures).
164.526.............  Amendment of Protected  150,000.........               1  5/60............          12,500
                       Health Information
                       (requests).
164.526.............  Amendment of Protected  50,000..........               1  5/60............           4,166
                       Health Information
                       (denials).
164.528.............  Accounting for          5,000 \17\......               1  3/60............             250
                       Disclosures of
                       Protected Health
                       Information.
rrrrrrrrrrrrrrrrrrrrr
    Total...........  ......................  ................  ..............  ................     921,813,702
----------------------------------------------------------------------------------------------------------------
\1\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct
  certain compliance activities, particularly with respect to Security Rule requirements, while large entities
  may spend more hours than those provided here.
\2\ This estimate includes 700,000 estimated covered entities and 1 million estimated business associates. The
  Omnibus HIPAA Final Rule burden analysis estimated that there were 1-2 million business associates. However,
  because many business associates have business associate relationships with multiple covered entities, we
  believe the lower end of this range is more accurate.
\3\ This element includes the burden of updating documentation in accordance with the evaluation required by 45
  CFR 164.306. Therefore, we do not separately address the burden associated with the evaluation.
\4\ Total number of breach incidents in 2015.
\5\ Average number of individuals affected per breach incident in 2015.
\6\ This number includes all 267 large breaches and all 2,479 breaches affecting 10-499 individuals. As we
  stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10
  individuals may require substitute notice, we believe the costs of providing such notice through alternative
  written means or by telephone is negligible.
\7\ We again assume that call center staff will spend 5 minutes per call, but now with an average of 4,124
  individuals affected by breaches requiring substitute notice. Multiplying these figures results in 5.75 hours
  per breach. This estimate is much lower than the 46.26 hours per breach requiring substitute notice in our
  previous estimate, which we believe was the result of an arithmetic error. The estimate of 4,124 individuals
  being affected by breaches requiring substitute notice results from the assumption that the number of callers
  to the toll-free number will equal 10% of the sum of all individuals affected by large breaches (113,250,136)
  and 5% of individuals affected by small breaches (.05 x 285,413 = 14,270). We calculate .10 * (113,250,136 +
  14,270) = 11,326,440.
\8\ As noted in the previous footnote, this number equals 10% of the sum of all individuals affected by large
  breaches and 5% of individuals affected by small breaches.
\9\ This number includes 7.5 minutes for each individual who calls: an average of 2.5 minutes to wait on the
  line/decide to call back and 5 minutes for the call itself.
\10\ The total number of breaches affecting 500 or more individuals in 2015.
\11\ The total number of breaches affecting fewer than 500 individuals in 2015.
\12\ The number of entities who use and disclose protected health information for research purposes.
\13\ As in our previous submission, we assume that half of the approximately 200,000,000 individuals insured by
  covered health plans will receive the plan's NPP by paper mail, and half will receive the NPP by electronic
  mail.
\14\ We estimate that each year covered health care providers will have first-time visits with 613 million
  individuals, to whom the providers must give a NPP.
\15\ We assume covered entities address 20,000 requests for confidential communications or restrictions on
  disclosures per year.
\16\ We estimate that covered entities annually fulfill 200,000 requests from individuals for access to their
  protected health information.
\17\ We estimate that covered entities annually fulfill 5,000 requests from individuals for an accounting of
  disclosures of their protected health information.

    OS specifically requests comments on (1) the necessity and utility 
of the proposed information collection for the proper performance of 
the agency's functions, (2) the accuracy of the estimated burden, (3) 
ways to enhance the quality, utility, and clarity of the information to 
be collected, and (4) the use of automated collection techniques or 
other forms of information technology to minimize the information 
collection burden.

Terry S. Clark,
Assistant Information Collection Clearance Officer.
[FR Doc. 2016-05961 Filed 3-16-16; 8:45 am]
 BILLING CODE 4153-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.