Daily Rules, Proposed Rules, and Notices of the Federal Government


Agency Information Collection Activities; Submission for OMB Review; Comment Request; Extension

AGENCY: Federal Trade Commission ("FTC" or "Commission").
ACTION: Notice.
SUMMARY: The FTC intends to ask the Office of Management and Budget ("OMB") to extend through September 30, 2015, the current Paperwork Reduction Act ("PRA") clearance for the information collection requirements in the Health Breach Notification Rule. That clearance expires on September 30, 2012.
DATES: Comments must be filed by September 24, 2012.
ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of theSUPPLEMENTARY INFORMATIONsection below. Write "Health Breach Notification Rule, PRA Comments, P-125402" on your comment and file your comment online at,by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Amanda Koulousias, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2252.

Title:Health Breach Notification Rule.

OMB Control Number:3084-0150.

Type of Review:Extension of a currently approved collection.

Abstract:The Health Breach Notification Rule (“Rule”), 16 CFR Part 318, requires vendors of personal health records and PHR related entities1 to provide: (1) Notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of personal health records and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. To notify the FTC of a breach, the Commission developed a form, which is posted,for entities subject to the rule to complete and return to the agency.

1“PHR related entity” means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: (1) Offers products or services through the Web site of a vendor of personal health records; (2) offers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or (3) accesses information in a personal health record or sends information to a personal health record. 16 CFR 318.2(f).

On May 29, 2012, the FTC sought comment on the information collection requirements associated with the Rule. 77 FR 31612. No comments werereceived.Pursuant to the OMB regulations, 5 CFR Part 1320, that implement the PRA, 44 U.S.C. 3501 et seq., the FTC is providing this second opportunity for public comment while seeking OMB approval to renew the pre-existing clearance for the Rule. For more details about the Rule requirements and the basis for the calculations summarized below, see 77 FR 31612.

Estimated Annual Burden:100 hours per breach (to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission) + 192 hours to process an estimated 500 calls in the event of a data breach.

Estimated Frequency:2 breach incidents.

Total Annual Labor Cost:$13,379.

Total Annual Capital or Other Non-Labor Cost:$7,918.

Request For Comment:

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before September 24, 2012. Write “Health Breach Notification Rule, PRA Comments, P-125402” on your comment. Your comment—includingyour name and your state—will be placed on the public record of this proceeding, including to the extent practicable, on the public Commission Web site, at a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is * * * privileged or confidential” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c).2 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

2In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record.SeeFTC Rule 4.9(c), 16 CFR 4.9(c).

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at,by following the instructions on the web-based form. If this Notice appears at!home,you also may file a comment through that Web site.

If you file your comment on paper, write “Health Breach Notification Rule, PRA comments, P-125402” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site athttp://www.ftc.govto read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before September 24, 2012. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at

Comments on the disclosure and reporting requirements subject to review under the PRA should additionally be submitted to OMB. If sent by U.S. mail, they should be addressed to Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S. postal mail, however, are subject to delays due to heightened security precautions. Thus, comments instead should be sent by facsimile to (202) 395-5167.

Willard K. Tom, General Counsel.