The FTC intends to ask the Office of Management and Budget (“OMB”) to extend through September 30, 2015, the current Paperwork Reduction Act (“PRA”) clearance for the information collection requirements in the Health Breach Notification Rule. That clearance expires on September 30, 2012.
Comments must be filed by July 30, 2012.
Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationPRA by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW, Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Amanda Koulousias, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2252.
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”) into law. The Act includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. The Act required the FTC to adopt a rule implementing the breach notification requirements applicable to vendors of personal health records, “PHR related entities,” 
and third party service providers, and the Commission issued a final rule on August 25, 2009. 74 FR 42962.
The Health Breach Notification Rule (“Rule”), 16 CFR part 318, requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of personal health records and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. To notify the FTC of a breach, the Commission developed a form, which is posted at www.ftc.gov/healthbreach, for entities subject to the rule to complete and return to the agency.
These notification requirements are subject to the provisions of the PRA, 44 U.S.C. Chapter 35. Under the PRA, Federal agencies must get OMB approval for each collection of information they conduct or sponsor. “Collection of information” includes agency requests or requirements to submit reports, keep records, or provide information to a third party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). On September 22, 2009, OMB granted the FTC clearance (under Control Number 3084-0150) for these notification requirements through September 30, 2012. As required by the PRA, the FTC is providing this opportunity for public comment before requesting that OMB extend the existing paperwork clearance for the Rule. 44 U.S.C. 3506(c)(2)(A).
The FTC invites comments on: (1) Whether the notification requirements in the Rule and associated form are necessary, including whether the information will be practically useful; (2) the accuracy of our burden estimates, including whether the methodology and assumptions used are valid; (3) how to improve the quality, utility, and clarity of the required notifications; and (4) how to minimize the burden of providing the required information to consumers and to the agency. All comments should be filed as prescribed in the ADDRESSES section above, and must be received on or before July 30, 2012.
In the Commission's view, it has maximized the practical utility of the breach notification requirements in the Rule, consistent with the requirements of the Recovery Act. Under the Rule, consumers whose information has been affected by a breach of security receive notice of it “without unreasonable delay and in no case later than 60 calendar days” after discovery of the breach. Among other information, the notices must provide consumers with steps they can take to protect themselves from harm. Moreover, the breach notice requirements encourage entities to safeguard the information of their customers, thereby potentially reducing the incidence of harm.
The form entities must use to inform the Commission of a security breach requests minimal information, mostly in the form of replies to check boxes; thus, entities do not require extensive time to complete it. The Commission inputs the information it receives from entities into a database that the Commission updates periodically and makes available to the public. The publicly-available database serves businesses, the public, and policymakers. It provides businesses with information about potential sources of data breaches, which is particularly helpful to those setting up data security procedures. It provides the public with information about the extent of data breaches. Finally, it helps policymakers in developing breach notification requirements in non-health-related areas. Thus, in the Commission's view, the Rule and form have significant practical utility.
The PRA burden of the Rule's requirements depends on a variety of factors, including the number of covered firms; the percentage of such firms that will experience a breach requiring further investigation and, if necessary, the sending of breach notices; and the number of consumers notified. The annual hours and cost estimates below likely overstate the burden because, among other things, they assume, though it is not necessarily so, that all breaches subject to the Rule's notification requirements will be required to take all of the steps described below.
At the time the Rule was issued, insufficient data was available about the incidence of breaches in the PHR industry. Accordingly, staff based its burden estimate on data pertaining to private sector breaches across multiple industries. Staff estimated that there would be 11 breaches per year requiring notification of 232,000 consumers.
As described above, the Rule requires covered entities that have suffered a breach to notify the Commission. Since the Rule has now been in effect for over two years,
staff is now able to base the burden estimate on the actual notifications received from covered entities, which include the number of consumers notified. Accordingly, staff has used this information to update its burden estimate.
During 2010 and 2011, two firms informed the Commission of events that resulted in notices to consumers. In 2010, one firm sent notices to 2,094 consumers, and another firm sent notices to 3 consumers. This second firm sent an additional 2,899 notices (conveying similar information as in its 2010 notices) in 2011.
This information indicates that an average of about 2,500 consumers per year received notifications over the years 2010 and 2011. This number is about one percent of the figure staff had previously projected would require notification. Among other things, staff believes that this lower incidence rate may be due to a reported low utilization by consumers of PHR vendors.
Among the barriers cited to adoption of PHRs are consumer resistance due to concerns about privacy and the lack of consumer motivation to manage their own health data.
Given the information it has received to date from covered entities, staff bases its current burden estimate on an assumed two breach incidents per year that, together, require the notification of approximately 2,500 consumers.
Estimated Annual Labor Costs: $13,379.
FTC staff projects that covered firms will require on average, per breach, 100 hours of employee labor to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission, at an estimated cost of $5,268 
(staff assumes that outside services of a forensic expert will also be required and those services are separately accounted for under “Estimated Annual Non-Labor Costs” below). Based on an estimated 2 breaches per year, the annual employee labor cost burden for affected entities to perform these tasks is $10,536.
Additionally, covered entities will incur labor costs associated with processing calls they may receive in the event of a data breach. The rule requires that covered entities that fail to contact 10 or more consumers because of insufficient or out-of-date contact information must provide substitute notice through either a clear and conspicuous posting on their web site or media notice. Such substitute notice must include a toll-free number for the purpose of allowing a consumer to learn whether or not his/her information was affected by the breach.
Individuals contacted directly will have already received this information. Staff estimates that no more than 10 percent of affected consumers will utilize the offered toll-free number. Thus, of the 2,500 consumers affected by a breach annually, staff estimates that 250 may call the companies over the 90 days they are required to provide such access. Staff additionally projects that 250 additional consumers who are not affected by the breach will also call the companies during this period. Staff estimates that processing all 500 calls will require an average of 192 hours of employee labor at a cost of $2,843.
Accordingly, estimated cumulative annual labor costs, excluding outside forensic services, is $13,379.
Estimated Annual Non-Labor Costs: $7,918.
Commission staff anticipates that capital and other non-labor costs associated with the Rule will consist of the following:
1. The services of a forensic expert in investigating the breach; and
2. Notification of consumers via email, mail, web posting, or media.
Staff estimates that covered firms (breached entities) will require 30 hours of a forensic expert's time, at a cumulative cost of $3,534 for each breach. This is the product of hourly wages of an information security analyst ($39.27), tripled to reflect profits and overhead for an outside consultant ($117.81), and multiplied by 30 hours. Based on the estimate that there will be 2 breaches per year, the annual cost associated with the services of an outside forensic expert is $7,068.
As explained above, staff estimates that an average of 2,500 consumers per year will receive a breach notification. Given the online relationship between consumers and vendors of personal health records and PHR related entities, most notifications will be made by email and the cost of such notifications will be minimal.
In some cases, however, vendors of personal health records and PHR related entities will need to notify individuals by postal mail, either because these individuals have asked for such notification, or because the email addresses of these individuals are not current or not working. Staff estimates that the cost of notifying an individual by postal mail is approximately $2.50 per letter.
Assuming that vendors of personal health records and PHR related entities will need to notify by postal mail 10 percent of the 2,500 customers whose information is breached, the estimated cost of this notification will be $625 per year.
In addition, vendors of personal health records and PHR related entities sometimes may need to notify consumers by posting a message on their home page, or by providing media notice. Based on a recent study on data breach costs, staff estimates the cost of providing notice via Web site posting to be 6 cents per breached record, and the cost of providing notice via published media to be 3 cents per breached record.
Applied to the above-stated estimate of 2,500 affected consumers, the estimated total annual cost of Web site notice will be $150, and the estimated total annual cost of media notice will be $75, yielding an estimated total annual cost for all forms of notice to consumers of $225.
In sum, the total estimate for non-labor costs is $7,918: $7,068 (services of a forensic expert) + $850 (costs of notifying consumers).
Request for Comment: You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before July 30, 2012. Write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c).
Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.
Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationPRA, by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.
If you file your comment on paper, write “Health Breach Notification Rule, PRA comments, P-125402” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your paper comment to the Commission by courier or overnight service.
Christian S. White,
Acting General Counsel.
[FR Doc. 2012-12863 Filed 5-25-12; 8:45 am]
BILLING CODE 6750-01-P