View Information Collection Request (ICR) Package

OMB Control No: 3084-0150	ICR Reference No: 202305-3084-001
Status: Historical Inactive	Previous ICR Reference No: 202205-3084-001
Agency/Subagency: FTC	Agency Tracking No:
Title: Health Breach Notification Rule
Type of Information Collection: Revision of a currently approved collection	Common Form ICR: No
Type of Review Request: Regular
OIRA Conclusion Action: Comment filed on proposed rule and continue	Conclusion Date: 08/08/2023
	Date Received in OIRA: 06/09/2023
Terms of Clearance: OMB files this comment in accordance with 5 CFR 1320.11(c). This OMB action is not an approval to conduct or sponsor an information collection under the Paperwork Reduction Act of 1995. This action has no effect on any current approvals. If OMB has assigned this ICR a new OMB Control Number, the OMB Control Number will not appear in the active inventory. For future submissions of this information collection, reference the OMB Control Number provided. Resubmit when proposed rule is finalized.

	Inventory as of this Action	Requested	Previously Approved
Expiration Date	07/31/2025	36 Months From Approved	07/31/2025
Responses	2,501	0	2,501
Time Burden (Hours)	4,654	0	4,654
Cost Burden (Dollars)	31,632	0	31,632

Abstract: The Health Breach Notification Rule ("Rule"), 16 C.F.R. Part 318, requires vendors of personal health records ("PHR") and PHR related entities to provide: (1) notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to notify vendors of personal health records (PHR) and PHR related entities following the discovery of a breach; those entities in turn must provide notification to consumers and the Commission. To notify the FTC of a breach, the Commission developed a form for entities subject to the Rule to complete and return to the agency. The proposed amendments pertain to, among others: (1) the coverage of the rule—specifically, the rule’s coverage of developers of many health applications (“apps”) and PHR identifiable health information that is drawn from multiple sources; (2) methods of notice; and (3) the content of notice.

Authorizing Statute(s): PL: Pub.L. 111 - 5 13407 Name of Law: American Recovery and Reinvestment Act of 2009

Citations for New Statutory Requirements: PL: Pub.L. 111 - 5 13407 Name of Law: American Recovery and Reinvestment Act of 2009

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
3084-AB56	Proposed rulemaking	88 FR 37819	06/09/2023

Federal Register Notices & Comments
Did the Agency receive public comments on this ICR? No

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Changing Regulations

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: The proposed amendments to the Rule will result in an estimated 10,650 hours of burden, $720,579 in associated annual labor costs, and $49,463,046 in annual capital and/or other non-labor related costs.

Annual Cost to Federal Government: $150,000

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? Yes

Is this ICR related to the Pandemic Response? No

Agency Contact: Ryan Mehm 202 326-2918 rmehm@ftc.gov

View ICR - OIRA Conclusion