AGENCY:
Office of the Secretary, HHS.
ACTION:
Notice.
SUMMARY:
In compliance with the requirement of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, is publishing the following summary of a proposed collection for public comment.
DATES:
Comments on the ICR must be received on or before February 22, 2023.
ADDRESSES:
Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain . Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.
FOR FURTHER INFORMATION CONTACT:
Sherrette Funn, Sherrette.Funn@hhs.gov or (202) 264-0041. When submitting comments or requesting information, please include the document identifier 0945-0003-30D and project title for reference.
SUPPLEMENTARY INFORMATION:
Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the agency's functions; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.
Title of the Collection: HIPAA Privacy, Security, and Breach Notification Rules, and Supporting Regulations Contained in 45 CFR parts 160 and 164.
Type of Collection: Extension
OMB No. 0945-0003: Office for Civil Rights (OCR)-Health Information Privacy Division
Abstract: OCR requests approval to extend this existing, approved collection for three years without changing any collection requirements. No public comments were received. In 2021, OCR published a Notice of Proposed Rulemaking (NPRM) proposing modifications to the HIPAA Rules that would affect the hourly burdens associated with the HIPAA Rules. 86 FR 6446. OCR is reviewing public comment received on the NPRM about existing burdens associated with compliance with the HIPAA Rules, and on changes in burden that could result from the modifications proposed in the NPRM. On December 2, 2022, OCR published a second NPRM proposing additional modifications to the HIPAA Rules, available at 87 FR 74216. OCR will also review public comment received on the 2022 NPRM, and will update this ICR to reflect the input we receive on this notice and through the rulemaking process.
Type of respondent: HIPAA covered entities, business associates, individuals, and professional and trade associations of covered entities and business associates.
Estimated Annualized Burden Table
| Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response [1] | Total burden hours |
|---|---|---|---|---|---|
| 160.204 | Process for Requesting Exception Determinations (states or persons) | 1 | 1 | 16 | 16 |
| 164.308 | Risk Analysis—Documentation [2] | 1,700,000 | 1 | 10 | 17,000,000 |
| 164.308 | Information System Activity Review—Documentation | 1,700,000 | 12 | 0.75 | 15,300,000 |
| 164.308 | Security Reminders—Periodic Updates | 1,700,000 | 12 | 1 | 20,400,000 |
| 164.308 | Security Incidents (other than breaches)—Documentation | 1,700,000 | 52 | 5 | 442,000,000 |
| 164.308 | Contingency Plan—Testing and Revision | 1,700,000 | 1 | 8 | 13,600,000 |
| 164.308 | Contingency Plan—Criticality Analysis | 1,700,000 | 1 | 4 | 6,800,000 |
| 164.310 | Maintenance Records | 1,700,000 | 12 | 6 | 122,400,000 |
| 164.314 | Security Incidents—Business Associate reporting of incidents (other than breach) to Covered Entities | 1,000,000 | 12 | 20 | 240,000,000 |
| 164.316 | Documentation—Review and Update [3] | 1,700,000 | 1 | 6 | 10,200,000 |
| 164.404 | Individual Notice—Written and E-mail Notice (drafting) [4] | 58,482 | 1 | 0.5 | 29,241 |
| 164.404 | Individual Notice—Written and E-mail Notice (preparing and documenting notification) | 58,482 | 1 | 0.5 | 29,241 |
| 164.404 | Individual Notice—Written and E-mail Notice (processing and sending) [5] | 58,482 | 1,941 | 0.008 | 908,108 |
| 164.404 | Individual Notice—Substitute Notice (posting or publishing) [6] | 2,746 | 1 | 1 | 2,746 |
| 164.404 | Individual Notice—Substitute Notice (staffing toll-free number) [7] | 2,746 | 1 | 3.42 | 9,391 |
| 164.404 | Individual Notice—Substitute Notice (individuals' voluntary burden to call toll-free number for information) [8], [9] | 113,264 | 1 | 0.125 | 14,158 |
| 164.406 | Media Notice [10] | 267 | 1 | 1.25 | 334 |
| 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 267 | 1 | 1.25 | 334 |
| 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) [11] | 58,215 | 1 | 1 | 58,215 |
| 164.410 | Business Associate notice to Covered Entity—500 or more individuals affected | 20 | 1 | 50 | 1,000 |
| 164.410 | Business Associate notice to Covered Entity—Less than 500 individuals affected | 1,165 | 1 | 8 | 9,320 |
| 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 267 | 1 | 50 | 13,350 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach)—affecting 10-499 | 2,479 | 1 | 8 | 19,832 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach)—affecting <10 | 55,736 | 1 | 4 | 222,944 |
| 164.504 | Uses and Disclosures—Organizational Requirements | 700,000 | 1 | 0.083333333 | 58,333 |
| 164.508 | Uses and Disclosures for Which Individual authorization is required | 700,000 | 1 | 1 | 700,000 |
| 164.512 | Uses and Disclosures for Research Purposes [12] | 113,524 | 1 | 0.083333333 | 9,460 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by paper mail) [13], [18] | 100,000,000 | 1 | 0.004166667 | 416,667 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by electronic mail) [19] | 100,000,000 | 1 | 0.002783333 | 278,333 |
| 164.520 | Notice of Privacy Practices for Protected Health Information (health care providers—dissemination and acknowledgement) [14] | 613,000,000 | 1 | 0.05 | 30,650,000 |
| 164.522 | Rights to Request Privacy Protection for Protected Health Information [15] | 20,000 | 1 | 0.05 | 1,000 |
| 164.524 | Access of Individuals to Protected Health Information (disclosures) [16] | 200,000 | 1 | 0.05 | 10,000 |
| 164.526 | Amendment of Protected Health Information (requests) | 150,000 | 1 | 0.083333333 | 12,500 |
| 164.526 | Amendment of Protected Health Information (denials) | 50,000 | 1 | 0.083333333 | 4,167 |
| 164.528 | Accounting for Disclosures of Protected Health Information [17] | 5,000 | 1 | 0.05 | 250 |
| Total | 2,070 | 921,158,940 |
Sherrette A. Funn,
Paperwork Reduction Act Reports Clearance Officer, Office of the Secretary.
[FR Doc. 2023-01196 Filed 1-20-23; 8:45 am]
BILLING CODE 4153-01-P