Health Breach Notification Rule

ICR 201601-3084-001

OMB: 3084-0150

Federal Form Document

Forms and Documents
Document
Name
Status
Form and Instruction
 Modified
Supporting Statement A
2016-01-29
IC Document Collections
IC ID
Document
Title
Status
188848 Modified
ICR Details
3084-0150 201601-3084-001
Historical Active 201208-3084-004
FTC
Health Breach Notification Rule
Extension without change of a currently approved collection   No
Regular
Approved without change 03/07/2016
Retrieve Notice of Action (NOA) 02/03/2016
  Inventory as of this Action Requested Previously Approved
03/31/2019 36 Months From Approved 03/31/2016
2 0 2
3,267 0 200
49,960 0 7,918
The Health Breach Notification Rule ("Rule"), 16 C.F.R. Part 318, requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to notify vendors of personal health records and PHR related entities following the discovery of a breach; those entities in turn must provide notification to consumers and the Commission. To notify the FTC of a breach, the Commission developed a form for entities subject to the Rule to complete and return to the agency.
PL: Pub.L. 111 - 5 13407 Name of Law: American Recovery and Reinvestment Act of 2009
  
PL: Pub.L. 111 - 5 13407 Name of Law: American Recovery and Reinvestment Act of 2009
Not associated with rulemaking
  80 FR 6530 10/16/2015
81 FR 5750 02/03/2016
No
1
IC Title Form No. Form Name
Identifying breach, affected customers, notifying customers, etc. Not Applicable Notice of Breach of Health Information
  Total Approved Previously Approved Change Due to New Statute Change Due to Agency Discretion Change Due to Adjustment in Estimate Change Due to Potential Violation of the PRA
Annual Number of Responses 2 2 0 0 0 0
Annual Time Burden (Hours) 3,267 200 0 0 3,067 0
Annual Cost Burden (Dollars) 49,960 7,918 0 0 42,042 0
No
No
The annual time and cost burden have been adjusted upward because the FTC anticipates more consumers will receive breach notifications. Since the Rule has now been in effect for over five years, staff has more information relating to the actual notifications received from covered entities. This includes the number of consumers that the covered entities notified. In 2012, the FTC estimated that an average of 2,500 consumers per year received notifications over the years 2010 and 2011. In 2015-2016, the FTC estimates approximately 20,000 consumers will receive notices per year.
$75,000
No
No
No
No
Yes
Uncollected
Cora Han 2023262441 chan@ftc.gov
  No
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
 
 
 
 
 
 
 
    (i) Why the information is being collected;
    (ii) Use of information;
    (iii) Burden estimate;
    (iv) Nature of response (voluntary, required for a benefit, or mandatory);
    (v) Nature and extent of confidentiality; and
    (vi) Need to display currently valid OMB control number;
 
 
 
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
02/03/2016
© 2024 OMB.report | Privacy Policy