Office of the Secretary, HHS.
In compliance with the requirement of section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, is publishing the following summary of a proposed collection for public comment. Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the agency's functions; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden. To obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, e-mail your request, including your address, phone number, OMB number, and OS document identifier, to Sherette.firstname.lastname@example.org, or call the Reports Clearance Office on (202) 690-5683. Send written comments and recommendations for the proposed information collections within 30 days of this notice directly to the OS OMB Desk Officer; faxed to OMB at 202-395-5806.
Proposed Project: HITECH Act Breach Notification-OMB No. 0990-0346-Extension-Office of Civil Rights.Start Printed Page 68625
Abstract: The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) requires the Office for Civil Rights to collect information regarding breaches discovered by covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164). ARRA was enacted on February 17, 2009. The Department of Health and Human Services (HHS) issued interim final regulations on August 24, 2009 (74 FR 42740), which became effective September 23, 2009, to require HIPAA covered entities and their business associates to provide notification in the case of breaches of unsecured protected health information. Section 164.404 of this interim final regulation requires HIPAA covered entities to notify affected individuals of a breach of their unsecured protected health information and, in some cases, to notify the media of such breaches pursuant to § 164.406. Section 164.408 requires covered entities to provide the Secretary with immediate notice of all breaches of unsecured protected health information involving more than 500 individuals. Additionally, the Act requires covered entities to provide the Secretary with an annual log of all breaches of unsecured protected health information that involve less than 500 individuals. Finally, business associates must notify the covered entity of any breaches that occur subject to § 164.410.
|Type of respondent||Number of respondents||Average number of responses per respondent||Average burden hours per response||Total burden hours|
|Individual Notice—Written and E-mail Notice (drafting, preparing, sending, and documenting notification)||106||1||206||21,836|
|500 or More Affected Individuals (investigating and documenting breach)||56||1||44||2,464|
|Less than 500 Affected Individuals (investigating and documenting breach)||50||1||8||400|
|Individual Notice—Substitute Notice (posting or publishing)||70||1||1||70|
|Individual Notice—Substitute Notice (toll-free number)||70||1||3,438||240,660|
|Notice to Secretary (notice for breaches affecting 500 or more individuals and annual notice and maintenance of annual log)||106||1||140/60||247|
Office of the Secretary, Paperwork Reduction Act Reports Clearance Officer.
[FR Doc. E9-30593 Filed 12-24-09; 8:45 am]
BILLING CODE 4153-01-P