
Personally Identifiable Information (PII) Breach Response Team (BRT) Charter

April 15, 2008

HHS-OCIO-2008-0001.002C

1. Purpose

The purpose of this charter is to establish the Department of Health and Human Services (HHS) Personally Identifiable Information (PII) Breach Response Team (BRT) (henceforth called the HHS BRT). This is a first issuance.

2. Vision and Mission

In response to the Office of Management and Budget (OMB) Memorandum, Recommendations for Identity Theft Related Data Breach Notification dated September 20, 2006, HHS is establishing this charter to institute an HHS BRT as “a core management group responsible for responding to the loss of personal information.” This charter establishes the following mission for the HHS BRT:

The principal purpose of the HHS BRT is to convene in response to a suspected or actual breach of PII; to engage in a risk analysis to determine if the security incident poses problems related to identity theft or any applicable federal laws and policies, and, if so, the level of such risk; and, where appropriate, to tailor the Department’s response to the nature and scope of the risk presented.  Secondarily, the HHS BRT will engage in advanced planning to refine and improve the Department’s response to the potential loss of control of PII.

The principles, guidelines, and processes described in the HHS BRT Charter are applicable to all HHS organizational components (i.e., Operating Divisions, or OPDIVs, and Staffing Divisions, or STAFFDIVs) to provide a forum in which suspected or actual breaches of PII are addressed by senior leadership from across several HHS organizational components.  While the September 20, 2006, OMB Memorandum is the impetus for instituting the HHS BRT, identity theft is only one of several outcomes the HHS BRT must consider.  Due to the nature of the services provided by HHS, an information security incident may implicate a variety of Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Privacy Act, privacy and security regulations, and others.  The HHS BRT will consider the potential applicability of other Federal laws when responding to an incident and, depending on the law and the factual circumstances, may also refer the incident to an agency or division that has additional authority to investigate or otherwise respond to the report.  For example, any incident which primarily involves protected health information or electronic protected health information, as defined in 45 CFR § 160.103, will be forwarded to the HHS Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) Office of E-Health Standards and Services (OESS), as appropriate.

The loss of control of PII can result from information security incidents including the loss or theft of HHS devices on which PII is stored or resides, or the loss or theft of documents containing PII.  Incident details come from various sources, including a specific OPDIV/STAFFDIV, system monitoring software, an individually reported loss, or complaints submitted under HIPAA or pursuant to another Federal law.  These incidents are then reported directly to the HHS Information Security and Privacy Program within the Office of the Chief Information Officer (OCIO), which then notifies members of the HHS BRT.  Regardless of the originating source, the HHS BRT will assess any incident that represents a potential failure by the Department to properly protect and control the wide variety of PII maintained across its OPDIVs and STAFFDIVs.  The HHS BRT determines and advises on Department-, OPDIV-, and STAFFDIV-specific responses to the breach of PII; identifies and addresses potential legal and public relations issues; and notifies internal and external entities as required.

In addition to responding to specific incidents, the HHS BRT regularly advises the Department on ways to improve the protection of PII.

4. Responsibilities 

The HHS BRT analyzes incidents as they are reported to evaluate the level of risk of identity theft and, as necessary, provides guidance for further response. The primary roles and responsibilities of the HHS BRT are to: 

  • Evaluate breaches or suspected breaches of PII and decide what actions should be taken; 
  • Provide input to and approve incident response activities for incidents involving PII not covered by HIPAA; 
  • Assess the responsible organization’s proposed course of action, risk assessments, response plan, and proposed notification activities, provide feedback, and make recommendations for improvement or course corrections in a timely manner; 
  • Ensure proper reporting, notification, and follow-up actions to stakeholders across relevant HHS organizational components when an incident involving PII occurs; 
  • Work closely with the HHS Information Security and Privacy Program to coordinate Department response activities and data collection; 
  • Refer incidents to HHS OCR or CMS OESS, as appropriate; 
  • Notify appropriate internal HHS stakeholders, including the following: OPDIV Security Offices; HHS Records Officer; building physical security; the HHS Assistant Secretary for Preparedness and Response (ASPR); the Office of the Inspector General (OIG); HHS OCR; and CMS OESS; as well as appropriate external entities such as the United States Computer Emergency Readiness Team (US-CERT) and law enforcement; and, 
  • Provide notification and assessments of information breaches to the HHS Risk Management and Financial Oversight Board (RMFOB). 

5. Membership 

Chair – The HHS BRT Chair provides direction to the team to carry out the roles and responsibilities outlined in this charter. The HHS Chief Information Officer (CIO), who is also the designated HHS Senior Agency Official for Privacy (SAOP)[1], serves as the HHS BRT Chair. The Chair’s role is to facilitate communications among the Department’s many formal and logical sub-organizations for effective and efficient response to breaches as they occur and to provide proper guidance for HHS BRT members to come to consensus. 

Coordinator – To ensure the efficient performance of the HHS BRT’s duties, the role of coordinator is necessary. The primary source of breach information and communication of breach updates will be the HHS Information Security and Privacy Program; therefore, the HHS Information Security and Privacy Program representative is designated as the Coordinator. The Coordinator has the following responsibilities: 

  • Serves as the liaison to the HHS Information Security and Privacy Program, the HHS BRT, and the OPDIV/STAFFDIV for additional information collection after the initial notification is made to the HHS Information Security and Privacy Program;
  • Serves as an information security and privacy subject matter expert on the HHS BRT;
  • Reviews incidents reported to the HHS Information Security and Privacy Program for applicability to the HHS BRT;
  • Coordinates meetings, communications, reports, and other interactions with and between HHS BRT members;
  • Identifies and manages issues, notifications, and escalations necessary for HHS BRT activity and success;
  • Coordinates the production of reports on breaches and on HHS BRT activities for the RMFOB, the RMFOB Chair, and the HHS Chief Financial Officer (CFO);
  • Coordinates tasks identified by the HHS BRT Chair, requests made by HHS BRT members, and requests made by the RMFOB;
  • Ensures the HHS Information Security and Privacy Program staff are used appropriately in support of the HHS BRT and that they have appropriate access to related information; and,
  • Ensures the appropriate handling of PII as it relates to the performance of all HHS BRT activities.

Membership – The HHS BRT includes senior leadership representatives with expertise in information technology, legal requirements, privacy, law enforcement, and information security. These individuals are responsible for initiating necessary follow-on activities within their organization. The HHS BRT is comprised of named representatives from the following areas within HHS:

  • HHS Office of the Chief Information Officer
  • HHS Office of the General Counsel
  • HHS Office of the Assistant Secretary for Planning and Evaluation
  • HHS Office for Civil Rights
  • HHS Office of the Assistant Secretary for Public Affairs
  • Centers for Medicare and Medicaid Services
  • Office of Inspector General
  • Office for Facilities Management and Policy
  • Office of the Assistant Secretary for Legislation

A list of alternates who are granted full authority to act on the members’ behalf shall be available to the Chair.

6. Meetings 

Meeting Frequency 

The HHS BRT will meet quarterly, or more frequently as necessary, to fulfill the responsibilities outlined in this charter. Since HHS has a responsibility to inform US-CERT within one hour of learning of a suspected or confirmed PII data breach, as well as notify impacted citizens when the loss of control of PII is suspected or confirmed, the timeliness of any response is extremely important. For this reason meetings are expected to be conducted both formally and informally as in-person meetings, teleconferences, and/or email conversations. The HHS BRT will convene a meeting when members receive notification of an incident that involves the suspected or confirmed loss of control of PII. Any member may convene a meeting by notifying the Chair who will then notify other members. 

Meeting Agenda 

The primary goal of each meeting is to achieve consensus on recommended actions as soon as possible and to communicate these recommendations to the HHS Information Security and Privacy Program. This coordination will enable quick action by the appropriate OPDIV/STAFFDIV and Department stakeholders. As necessary, the HHS BRT will require the OPDIV/STAFFDIV or business owner to provide detailed incident support. If an incident involves a component of the Department that is a “health care component” for the purposes of the HIPAA Privacy and Security Rules and involves “protected health information” as defined by 45 CFR § 160.103, then any representative from HHS OCR shall exclude himself or herself from voting—through formal votes or informal consensus votes—on recommendations for Department corrective actions. If the incident involves a health care component of the Department and “electronic protected health information” as defined by 45 CFR § 160.103, then any representative from CMS OESS shall exclude himself or herself from voting—through formal votes or informal consensus votes—on recommendations for Department corrective actions. As appropriate, any member of the team with a dual role, such as CMS OESS or HHS OCR, will release information to the HHS BRT when possible if it is not detrimental to the investigation.

Meeting Decisions 

While the HHS BRT operates via consensus, there may be situations that require a vote. For example, ratification of this charter or proposing a change to the composition of the HHS BRT would require the use of a voting process. When a situation before the HHS BRT requires a vote, it will be conducted as follows: 

  • A vote on an issue may be called by the Chair or by any member of the HHS BRT.
  • Each representative organization has a single vote.
  • A simple majority vote will be required to approve a recommended action or position. In the event of a tie vote, the Chair, with advisement from the Coordinator, will determine the appropriate actions to take moving forward.
  • A quorum is required to conduct voting. A minimum of five HHS BRT members or their designated alternates constitutes a quorum.
  • At the discretion of the Chair, a vote via email may be conducted after the scheduled meeting.

7. Meeting Minutes 

Detailed meeting minutes, denoting the speaker and content, taken at each HHS BRT meeting by the HHS Information Security and Privacy Program representative will be reviewed and approved by the Chair and Coordinator for release to the HHS BRT members for additional comments. The HHS Information Security and Privacy Program representative will incorporate any identified changes for final review by the HHS BRT members. The final copy of the minutes shall be maintained by the HHS Information Security and Privacy Program. 

8. Agenda Items 

Agenda items will be created for each HHS BRT meeting by the HHS BRT Coordinator in conjunction with the HHS Information Security and Privacy Program. Prior to each HHS BRT meeting, the Coordinator will distribute a meeting agenda for the Chair’s approval. 

9. Voting Team Members 

HHS Office of the Chief Information Officer
  • Chief Information Officer (also serves as HHS BRT Chair)
  • Chief Information Security Officer
  • Chief Enterprise Architect

HHS Information Security and Privacy Program
  • Senior Information Security Officer

HHS Office of the General Counsel
  • Deputy General Counsel

HHS Office of the Assistant Secretary for Planning and Evaluation
  • Senior Advisor, Privacy Policy

HHS Office for Civil Rights
  • Deputy Director for Health Information Privacy [2]

HHS Office of the Assistant Secretary for Public Affairs
  • Deputy Assistant Secretary for Public Affairs
  • Executive Staff Assistant, Office of the Director, Assistant Secretary for Public Affairs

Centers for Medicare and Medicaid Services
  • Director, Office of E-Health Standards and Services
  • Deputy Director, Office of E-Health Standards and Services [3]

Office of Inspector General
  • Special Investigations Unit

Office for Facilities Management and Policy
  • Director, HSPD-12 Project

Office of the Assistant Secretary for Legislation
  • Special Assistant

10. Reports 

  • Status reports, prepared by the Coordinator and approved by the Chair, are prepared as necessary to keep the Secretary of HHS informed of the status of any incidents involving a PII breach. The Chair may also request additional reports as necessary from the Coordinator.
  • After the breach mitigation activities are completed, the HHS BRT will provide the OPDIV/STAFFDIV with a summary report of the event.
  • An annual report of the activities of the HHS BRT will be prepared by the Chair with review and comment by the HHS BRT members. This annual report is due to the RMFOB, and an abbreviated version specific to each OPDIV/STAFFDIV will be sent to OPDIV/STAFFDIV heads and CIOs, on January 31st of each year to report the status of the program as of December 31st of the previous year.

_______/s/ (John Teeter for)_____________________________

__April 15, 2008__

Michael W. Carleton

HHS Chief Information Officer

Designated HHS Senior Agency Official for Privacy


[1] Per OMB Memorandum 05-08, Designation of Senior Agency Officials for Privacy, HHS has designated the HHS CIO as the SAOP. Should this designation change, both the HHS CIO and the SAOP must sit on the HHS BRT, with the HHS CIO continuing to serve as HHS BRT Chair.

[2] The Office for Civil Rights is responsible for the implementation and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

[3] The Office of E-Health Standards and Services is responsible for the implementation and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and other HIPAA non-privacy administrative simplification requirements.
