NPRM: Security and Electronic Signature Standards. Collection of Information Requirements


[Please label written comments or e-mailed comments about this section with the subject: PRA]

Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

  • The need for the information collection and its usefulness in carrying out the proper functions of our agency.
  • The accuracy of our estimate of the information collection burden.
  • The quality, utility, and clarity of the information to be collected.
  • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

As discussed below, we are soliciting comment on the recordkeeping requirements, as referenced in § 142.308 of this document. In addition, we are soliciting comment on the applicability of the PRA as it may relate to the requirement to use the standard adopted in § 142.310 of this regulation.

§ 142.308 Security standard.

In summary, each entity designated in § 142.302 must maintain documentation demonstrating the development, implementation, and maintenance of appropriate security measures that include, at a minimum, the requirements and implementation features set forth in this section. In addition, entities must maintain necessary documentation to demonstrate that these measures have been periodically reviewed, validated, updated, and kept current.

While we solicit comment on these recordkeeping requirements, we explicitly solicit comment on the burden associated with maintaining documentation related to the implementation of the requirements set forth in § 142.308. Since the level of documentation necessary to demonstrate compliance with these requirements is dependent upon individual business needs and the fact that we do not prescribe the form, format, or degree of documentation necessary to demonstrate compliance, we are currently unable to accurately estimate the degree of recordkeeping burden that will be experienced by the varying entities. Therefore, commenters should provide an estimate of: (1) the initial recordkeeping burden associated with meeting these requirements and (2) the recordkeeping burden associated with maintaining documentation to demonstrate that the measures have been periodically reviewed, validated, updated, and kept current.

Below is a discussion of the applicability of the PRA as it may relate to the adoption of the standard referenced in § 142.310 of this regulation.

§ 142.310 Electronic signature standard.

In summary, if an entity elects to use an electronic signature in a transaction as defined in § 142.103, or if an electronic signature is required by a transaction standard adopted by the Secretary, the entity must apply the electronic signature standard described in paragraph (b) of this section to that transaction.


The emerging and increasing use of health care EDI standards and transactions raises the issue of the applicability of the PRA. The question arises whether a regulation that adopts an EDI standard used to exchange certain information constitutes an information collection subject to the PRA.

In particular, we are still considering whether the use of any EDI transaction standard, such as the electronic signature described in this regulation, should be viewed or regarded as a standardized electronic collection of information. If it is a standardized electronic information collection, then the requirement by the Federal government on the industry to accept and transmit the information may be subject to OMB review and approval under the PRA.

We invite public comment on the issues discussed above. If the requirements, as set forth in § 142.310, are determined to be subject to the PRA, we will submit these requirements to OMB for PRA approval. If you comment on these information collection and recordkeeping requirements, please e-mail comments to (Attn:HCFA-0049) or mail copies directly to the following:

Health Care Financing Administration,
Office of Information Services,
Security and Standards Group,
Division of HCFA Enterprise Standards,
Room N2-14-26, 7500 Security Boulevard,
Baltimore, MD 21244-1850.
Attn: John Burke HCFA-0049, HCFA Reports Clearance Officer.


Office of Information and Regulatory Affairs,
Office of Management and Budget,
Room 10235, New Executive Office Building,
Washington, DC 20503,
Attn: Allison Herron Eydt, HCFA Desk Officer.