Skip to Content


Agency Information Collection Activities; Submission to OMB for Review and Approval; Public Comment Request

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Office of the Secretary, HHS.




In compliance with section 3507(a)(1)(D) of the Paperwork Reduction Act of 1995, the Office of the Secretary (OS), Department of Health and Human Services, has submitted an Information Collection Request (ICR), described below, to the Office of Management and Budget (OMB) for review and approval. The ICR is for revision of the approved information collection assigned OMB control number 0945-0003 scheduled to expire on 12/31/2015. Comments submitted during the first public review of this ICR will be provided to OMB. OMB will accept further comments from the public on this ICR during the review and approval period.


Comments on the ICR must be received on or before October 15, 2013.


Submit your comments to or via facsimile to (202) 395-5806.

Start Further Info


Information Collection Clearance staff, or (202) 690-6162.

End Further Info End Preamble Start Supplemental Information


When submitting comments or requesting information, please include the OMB control number 0945-0003 and document identifier HHS-OS-20296-30D for reference.

Information Collection Request Title: Standards for Privacy of Individually Identifiable Health Information, Security Standards for the Protection of Electronic Protected Health Information, and Supporting Regulations Contained in 45 CFR Parts 160 and 164

OMB No.: 0945-0003.

Abstract: The Office for Civil Rights (OCR) is notifying the public of revisions to a previously approved OCR data collection. The revisions reflect certain regulatory modifications to the HIPAA Privacy and Security Rules, pursuant to the Health Information for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA), that were finalized in the Omnibus HIPAA Final Rule published on January 25, 2013 (78 FR 5566). These modifications strengthen privacy and security protections for individually identifiable health information used or disclosed by business associates and enhance the rights of individuals with respect to their identifiable health information.

Need and Proposed Use of the Information: The information collection addresses HIPAA requirements related to the use, disclosure, and safeguarding of individually identifiable health information by covered entities affected by the HIPAA Rules. The information is routinely used by covered entities and business associates for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws. The Privacy Rule also ensures that the individuals are able to exercise certain rights with respect to their information, including the rights to access and seek amendments to their health records and to receive a Notice of Privacy Practices (NPP) from their direct treatment providers and health plans.

Likely Respondents: Respondents include HIPAA covered entities and their business associates, as well as members of the public.

Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information. The total annual burden hours estimated for this ICR are summarized in the tables below.

Total Estimated Annualized Burden—Hours

[New burdens associated with the final rule]

SectionType of respondentNumber of respondentsAverage number of responses per respondentAverage burden hours per responseTotal burden hours
164.316Documentation of Security Rule Policies and Procedures and Administrative Safeguards (business associates)300,000170/60350,000
164.504Business Associates Needing to Establish or Modify Business Associate Agreements with Subcontractors375,000*120/60125,000
164.520Revision of Notice of Privacy Practices for Protected Health Information (drafting revised language) (health plans)1,5001.111167
Start Printed Page 56233
164.520Dissemination of Notice of Privacy Practices for Protected Health Information (health plans)20,000,0001.0033333566,667
164.520Revision of Notice of Privacy Practices (providers)697,0001.1111177,444

Ongoing Annual Burdens of Compliance With the Rules

SectionType of respondentNumber of respondentsNumber of responses per respondentAverage burden hours per responseTotal burden hours
160.204Process for Requesting Exception Determinations (states or persons)111616
164.504Uses and Disclosures—Organizational Requirements700,00015/6058,333
164.508Uses and Disclosures for Which Individual authorization is required700,00011700,000
164.512Uses and Disclosures for Research Purposes113,52415/609,460
164.520Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by paper mail)100,000,00010.25416667
164.520Notice of Privacy Practices for Protected Health Information (health plans—periodic distribution of NPPs by electronic mail)100,000,00010.167278333
164.520Notice of Privacy Practices for Protected Health Information (health care providers—dissemination and acknowledgement)613,000,00013/6030,650,000
164.522Rights to Request Privacy Protection for Protected Health Information150,00013/607,500
164.524Access of Individuals to Protected Health Information (disclosures)150,00013/607,500
164.526Amendment of Protected Health Information (requests)150,00013/607,500
164.526Amendment of Protected Health Information (denials)50,00013/602,500
164.528Accounting for Disclosures of Protected Health Information70,00013/605,833

Total Hours: 32,762,920.

Start Signature

Darius Taylor,

Deputy Information Collection Clearance Officer.

End Signature End Supplemental Information

[FR Doc. 2013-22148 Filed 9-11-13; 8:45 am]