Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164
Revision of a currently approved collection
No
Regular
03/01/2021
Requested
Previously Approved
36 Months From Approved
01/31/2023
1,122,777,231
1,097,206,223
952,089,673
921,158,940
0
0
The individually identifiable health information collected is used by patients and by more than 700,000 covered entities affected by the HIPAA Privacy Rule. The information is routinely used by covered entities for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws.
PL:
Pub.L. 104 - 191 1
Name of Law: Health Insurance Portability and Accountability Act of 1996
HHS is:
(1) Adjusting the number of covered entities (CEs) from 700,000 to 774,331 due to more recent data.
(2) Adjusting the number of access requests for copies of protected health information (PHI) from 200,000 to 2,460,000 annually based on a review of available data.
(3) Increasing the estimated burden hours for responding to access requests from 3 to 5 minutes per request and allocating 1 minute as uncompensated due to changes in technology and reassessment of the types of access requests.
(4) Increasing the burden hours by a factor of 2 for responding to individualsâ requests for restrictions on disclosures of their PHI because easing the minimum necessary requirements for disclosures for care coordination by health plans may cause some individuals to seek to narrow the scope of some permitted disclosures;
(5) Newly estimating the burdens resulting from the pre-existing, ongoing requirement for CEs to make minimum necessary evaluations before using or disclosing PHI for payment and health care operations purposes (and before using PHI for treatment) in the amount of 18 hours annually per CE, and decreasing the annual minimum necessary burden by 4 hours per CE due to easing the minimum necessary requirement for care coordination disclosures, resulting in a total ongoing annual burden of 14 hours per CE;
(6) Recognizing for the first time burdens associated with providing electronic copies of PHI to third parties designated by individuals in the amount of 2 minutes per request for 25 percent of 615,000 such requests received annually based on reassessment of CEsâ burdens due to the Ciox v. Azar court decision;
(7) Recognizing for the first time burdens associated with providing electronic copies of PHI to health plans and health care providers as third parties designated by individuals in the amount of 4 minutes per request for 25 percent of 615,000 such requests received annually based on a reassessment of CEsâ burdens following the Ciox v. Azar decision; and
(8) Decreasing the estimated burden for disseminating the Notice of Privacy Practices (NPP) and obtaining an acknowledgement of receipt, from 3 minutes to 1 minute and 15 seconds due to the proposal to eliminate the requirements relating to the acknowledgement of receipt.
New Burdens Resulting from Program Changes
In addition to these changes above, HHS is proposing to add new burdens as a result of program changes:
(1) An annualized burden of 10 minutes per CE for posting an updated NPP due to changes to the required content;
(2) An annualized burden of 3.5 minutes per request for submitting an access request for an individual to another provider for an estimated 92,250 annual requests, a proposed new individual right;
(3) An annualized 10-minute burden per CE for posting an access and authorization fee schedule online, a proposed new regulatory requirement;
(4) An annualized 7-minute burden for each of an estimated 6,130,000 annual requests from individuals to discuss their direct treating health care providerâs NPP, a proposed new individual right;
(5) An annualized 3-minute burden for each of an estimated 73,800 annual requests from individuals for an individualized estimate of the fees to provide copies of requested PHI, a proposed new individual right;
(6) An annualized 1-minute burden for each of an estimated 24,600 annual requests from individuals for an itemized list of charges for copies of PHI, a proposed new individual right;
(7) A 1-time burden of 6 hours and 55 minutes for each CE to update its policies and procedures due to multiple proposed changes to the Privacy Rule access and disclosure requirements; and;
(8) A 1-time burden of 4 hours and 40 minutes for each CE to update the content of its HIPAA training program and a 1-time burden of 7 additional minutes of time spent in training on the right of access per CE due to proposed changes to the right of access and fees for copies of PHI.
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number;
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
HIPAA NPRM ICR Supporting Statement Submitted to ROCIS.docx
published 60-FRN day 0945-0003.pdf
30-day FRN 0945-0003 HIPAA 2019 ICR Extension.doc
Notice of Privacy Practices for Protected Health Information – Post updated notice online