Agency Information Collection Activities; Submission for OMB Review; Comment Request

Federal Register, Volume 84 Issue 85 (Thursday, May 2, 2019)
[Federal Register Volume 84, Number 85 (Thursday, May 2, 2019)]
[Pages 18845-18846]
From the Federal Register Online via the Government Publishing Office []
[FR Doc No: 2019-08909]
Agency Information Collection Activities; Submission for OMB
Review; Comment Request
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice and request for comment.
SUMMARY: The FTC requests that the Office of Management and Budget
(OMB) extend for three years the current PRA clearance for information
collection requirements contained in the agency's Health Breach
Notification Rule. The existing clearance expires on May 31, 2019. The
public should address comments to this notice to the OMB.
DATES: Comments must be received by June 3, 2019.
ADDRESSES: Comments in response to this notice should be submitted to
the OMB Desk Officer for the Federal Trade Commission within 30 days of
this notice. You may submit comments using any of the following
    Electronic: Write ``Health Breach Notification Rule: PRA Comment,
P072108,'' on your comment and file your comment online at, by following the instructions on the web-based
    Email: [email protected].
    Fax: (202) 395-5806.
    Mail: Office of Information and Regulatory Affairs, Office of
Management and Budget, Attention: Desk Officer for the Federal Trade
Commission, New Executive Office Building, Docket Library, Room 10102,
725 17th Street NW, Washington, DC 20503.
FOR FURTHER INFORMATION CONTACT: Robin Wetherill, 202-326-2220,
Attorney, Privacy & Identity Protection, Bureau of Consumer Protection,
600 Pennsylvania Ave. NW, Washington, DC 20580.
    Title: Health Breach Notification Rule.
    OMB Control Number: 3084-0150.
    Type of Review: Extension of a currently approved collection.
    Abstract: The Health Breach Notification Rule (Rule), 16 CFR part
318, requires vendors of personal health records and PHR related
entities to
[[Page 18846]]
provide: (1) Notice to consumers whose unsecured personally
identifiable health information has been breached; and (2) notice to
the Commission. The Rule only applies to electronic health records and
does not include recordkeeping requirements. The Rule requires third
party service providers (i.e., those companies that provide services
such as billing or data storage) to vendors of personal health records
and PHR related entities to provide notification to such vendors and
PHR related entities following the discovery of a breach. To notify the
FTC of a breach, the Commission developed a simple, two-page form
requesting minimal information and consisting mainly of check boxes,
which is posted at
    On February 8, 2019, the FTC sought comment on the information
collection requirements associated with the Rule. 84 FR 2868. The FTC
received seven non-germane comments that did not address either the
burden associated with the Rule or any of the other issues raised by
the public comment request. Pursuant to OMB regulations, 5 CFR part
1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is
providing this second opportunity for public comment while seeking OMB
approval to renew the pre-existing clearance for the Rule. For more
details about the Rule requirements and the basis for the calculations
summarized below, see 84 FR 2868.
    Likely Respondents: Vendors of personal health records, PHR related
entities and third party service providers.
    Estimated Annual Hours Burden: 4,779.
    Estimated Frequency: 25,000 single-person breaches per year and
0.33 major breaches per year.
    Total Annual Labor Cost: $96,656.\1\
    \1\ Hourly wages throughout this document are updated from the
60-Day Federal Register notice and are based on mean hourly wages
found at (``Occupational
Employment and Wages-May 2018,'' U.S. Department of Labor, released
March 2019, Table 1 (``National employment and wage data from the
Occupational Employment Statistics survey by occupation, May
    The breakdown of labor hours and costs is as follows: 50 hours
of computer and information systems managerial time at approximately
$73 per hour; 12 hours of marketing manager time at $71 per hour; 33
hours of computer programmer time at $43 per hour; and 5 hours of
legal staff time at $69 per hour. The cost of telephone operators is
estimated at $19/hour.
    Total Annual Capital or Other Non-Labor Cost: $29,952.\2\
    \2\ Average wages for information security analysts are
estimated at $49/hour.
Request for Comment
    Your comment--including your name and your state--will be placed on
the public record of this proceeding at the
website. Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, such as anyone's Social Security
number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Heather Hippsley,
Deputy General Counsel.
[FR Doc. 2019-08909 Filed 5-1-19; 8:45 am]