Agency Information Collection Activities; Submission for OMB Review; Comment Request

Federal Register, Feb 3, 2016
81 Fed. Reg. 5750 (Feb. 3, 2016)

AGENCY:

Federal Trade Commission.

ACTION:

Notice and request for comment.

SUMMARY:

In compliance with the Paperwork Reduction Act (PRA) of 1995, the FTC is seeking public comments on its request to Office of Management and Budget (OMB) to extend for three years the current PRA clearance for the information collection requirements contained in the Health Breach Notification Rule. That clearance expires on March 31, 2016.

DATES:

Comments must be received by March 4, 2016.

ADDRESSES:

Interested parties may file a comment online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationpra2 by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information or copies of the proposed information requirements should be addressed to Cora Tung Han, 202-326-2441, Attorney, Privacy & Identity Protection, Bureau of Consumer Protection, 600 Pennsylvania Ave. NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Title: Health Breach Notification Rule.

OMB Control Number: 3084-0150.

Type of Review: Extension of a currently approved collection.

Abstract: The Health Breach Notification Rule (Rule), 16 CFR part 318, requires vendors of personal health records and PHR related entities to provide: (1) Notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of personal health records and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. To notify the FTC of a breach, the Commission developed a form, which is posted at www.ftc.gov/healthbreach, for entities subject to the rule to complete and return to the agency.

“PHR related entity” means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: (1) Offers products or services through the Web site of a vendor of personal health records; (2) offers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or (3) accesses information in a personal health record or sends information to a personal health record. 16 CFR 318.2(f).

On October 16, 2015, the FTC sought comment on the information collection requirements associated with the Rule. 80 FR 62530. The FTC received three comments. None of these however addressed either the burden associated with the Rule or any of the other issues raised by the public comment request. Pursuant to the OMB regulations, 5 CFR part 1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is providing this second opportunity for public comment while seeking OMB approval to renew the pre-existing clearance for the Rule. For more details about the Rule requirements and the basis for the calculations summarized below, see 80 FR 62530.

Likely Respondents: Vendors of personal health records, PHR related entities and third party service providers.

Estimated Annual Hours Burden: 3,267.

Estimated Frequency: 2 breach incidents per year.

Total Annual Labor Cost: $61,764.

Total Annual Capital or Other Non-Labor Cost: $49,960.

Request for Comment: You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 4, 2016. Write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is . . . privileged or confidential,” as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you are required to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c). Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online, or to send it to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/healthbreachnotificationpra2, by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov, you also may file a comment through that Web site.

If you file your comment on paper, write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before March 4, 2016. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.

Comments on the information collection requirements subject to review under the PRA should also be submitted to OMB. If sent by U.S. mail, address comments to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S. postal mail, however, are subject to delays due to heightened security precautions. Thus, comments instead should be sent by facsimile to (202) 395-5167.

Christian S. White,

Deputy General Counsel.

[FR Doc. 2016-01975 Filed 2-2-16; 8:45 am]

BILLING CODE 6750-01-P