Skip to Content

We invite you to try out our new beta eCFR site at We’ve made big changes to make the eCFR easier to use. Be sure to leave feedback using the 'Feedback' button on the bottom right of each page!


Agency Information Collection Activities; Submission for OMB Review; Comment Request

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Enhanced Content

Relevant information about this document from provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Federal Trade Commission (FTC).


Notice and request for comment.


The FTC requests that the Office of Management and Budget (OMB) extend for three years the current PRA clearance for information collection requirements contained in the agency's Health Breach Notification Rule. The existing clearance expires on May 31, 2019. The public should address comments to this notice to the OMB.


Comments must be received by June 3, 2019.


Comments in response to this notice should be submitted to the OMB Desk Officer for the Federal Trade Commission within 30 days of this notice. You may submit comments using any of the following methods:

Electronic: Write “Health Breach Notification Rule: PRA Comment, P072108,” on your comment and file your comment online at, by following the instructions on the web-based form.


Fax: (202) 395-5806.

Mail: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW, Washington, DC 20503.

Start Further Info


Robin Wetherill, 202-326-2220, Attorney, Privacy & Identity Protection, Bureau of Consumer Protection, 600 Pennsylvania Ave. NW, Washington, DC 20580.

End Further Info End Preamble Start Supplemental Information


Title: Health Breach Notification Rule.

OMB Control Number: 3084-0150.

Type of Review: Extension of a currently approved collection.

Abstract: The Health Breach Notification Rule (Rule), 16 CFR part 318, requires vendors of personal health records and PHR related entities to Start Printed Page 18846provide: (1) Notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of personal health records and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. To notify the FTC of a breach, the Commission developed a simple, two-page form requesting minimal information and consisting mainly of check boxes, which is posted at​healthbreach.

On February 8, 2019, the FTC sought comment on the information collection requirements associated with the Rule. 84 FR 2868. The FTC received seven non-germane comments that did not address either the burden associated with the Rule or any of the other issues raised by the public comment request. Pursuant to OMB regulations, 5 CFR part 1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is providing this second opportunity for public comment while seeking OMB approval to renew the pre-existing clearance for the Rule. For more details about the Rule requirements and the basis for the calculations summarized below, see 84 FR 2868.

Likely Respondents: Vendors of personal health records, PHR related entities and third party service providers.

Estimated Annual Hours Burden: 4,779.

Estimated Frequency: 25,000 single-person breaches per year and 0.33 major breaches per year.

Total Annual Labor Cost: $96,656.[1]

Total Annual Capital or Other Non-Labor Cost: $29,952.[2]

Request for Comment

Your comment—including your name and your state—will be placed on the public record of this proceeding at the website. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as anyone's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Start Signature

Heather Hippsley,

Deputy General Counsel.

End Signature End Supplemental Information


1.  Hourly wages throughout this document are updated from the 60-Day Federal Register notice and are based on mean hourly wages found at​news.release/​ocwage.htm (“Occupational Employment and Wages-May 2018,” U.S. Department of Labor, released March 2019, Table 1 (“National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2018”).

The breakdown of labor hours and costs is as follows: 50 hours of computer and information systems managerial time at approximately $73 per hour; 12 hours of marketing manager time at $71 per hour; 33 hours of computer programmer time at $43 per hour; and 5 hours of legal staff time at $69 per hour. The cost of telephone operators is estimated at $19/hour.

Back to Citation

2.  Average wages for information security analysts are estimated at $49/hour.

Back to Citation

[FR Doc. 2019-08909 Filed 5-1-19; 8:45 am]