Personally Identifiable Information (PII) Breach Response Team (BRT) Charter
November 17, 2008
The following revisions are made to the April 15, 2008, issuance of the HHS-OCIO-2008-0001.002C, Personally Identifiable Information (PII) Breach Response Team (BRT) Charter:
1. Section 4, Responsibilities, is changed to add bullet #6 to refer Health Insurance Portability and Accountability Act (HIPAA) compliance incidents to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) or to Centers for Medicare and Medicaid Services (CMS) Office of E-Standards and Services (OESS), as appropriate.
2. Section 5, Membership, is changed to include a member from the Office of Human Research Protection.
Throughout the document, the term “incident” is changed to “breach,” and the term “actual breach” is changed to “confirmed breach,” for consistency of verbiage.
This charter established the HHS PII BRT (henceforth called the HHS BRT).
This revision supersedes the April 15, 2008, issuance of the HHS-OCIO-2008-0001.002C, Personally Identifiable Information (PII) Breach Response Team (BRT) Charter.
2. Vision and Mission
In response to the Office of Management and Budget (OMB) Memorandum, Recommendations for Identity Theft Related Data Breach Notification, dated September 20, 2006, HHS established this charter to institute an HHS BRT as “a core management group responsible for responding to the loss of personal information.”
This charter established the following mission for the HHS BRT:
The principal purpose of the HHS BRT is to convene in response to a suspected or confirmed breach of PII; to engage in risk analysis to determine if the security breach poses problems related to identity theft or any applicable federal laws and policies, and, if so, the level of such risk; and, where appropriate, to tailor the Department’s response to the nature and scope of the risk presented. Secondarily, the HHS BRT will engage in advanced planning to refine and improve the Department’s response to the potential loss of control of PII.
The principles, guidelines, and processes described in the HHS BRT Charter are applicable to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staffing Divisions [STAFFDIVs]) and provide a forum in which suspected or confirmed breaches of PII are addressed by senior leadership from across several HHS organizational components. While the OMB Memorandum of September 20, 2006, is the impetus for instituting the HHS BRT, identity theft is only one of several outcomes the HHS BRT must consider. Due to the nature of the services provided by HHS, an information security breach may implicate a variety of Federal laws, such as HIPAA of 1996, the Privacy Act, privacy and security regulations, and others. The HHS BRT will consider the potential applicability of other Federal laws when responding to a breach and, depending on the law and the factual circumstances, may also refer the breach to an agency or division that has additional authority to investigate or otherwise respond to the report. For example, any breach which primarily involves protected health information or electronic protected health information, as defined in 45 CFR § 160.103, will be forwarded to the HHS OCR or the CMS OESS, as appropriate.
The loss of control of PII can result from information security breaches including the loss or theft of HHS devices on which PII is stored or resides, or the loss or theft of documents containing PII. Breach details come from various sources, including a specific OPDIV/STAFFDIV, system monitoring software, an individually reported loss, or complaints submitted under HIPAA or pursuant to another federal law. These breaches are then reported directly to the HHS Information Security and Privacy Program within the Office of the Chief Information Officer (OCIO), which in turn notifies members of the HHS BRT. Regardless of the originating source, the HHS BRT will assess any breach that represents a potential failure by the Department to properly protect and control the wide variety of PII maintained across its OPDIVs and STAFFDIVs. The HHS BRT determines and advises on Department-, OPDIV-, and STAFFDIV-specific responses to the breach of PII; identifies and addresses potential legal and public relations issues; and notifies internal and external entities as required.
In addition to responding to specific breaches, the HHS BRT regularly advises the Department on ways to improve the protection of PII.
The HHS BRT analyzes breaches as they are reported to evaluate the level of risk of identity theft and, as necessary, provides guidance for further response. The primary roles and responsibilities of the HHS BRT are to:
- Evaluate breaches or suspected breaches of PII and decide which actions should be taken;
- Provide input to and approve breach response activities for breaches involving PII not covered by HIPAA;
- Assess the responsible organization’s proposed course of action, risk assessments, response plan, and proposed notification activities, provide feedback, and make recommendations for improvement or course corrections in a timely manner;
- Ensure proper reporting, notification, and follow-up actions to stakeholders across relevant HHS organizational components when a breach involving PII occurs;
- Work closely with the HHS Information Security and Privacy Program to coordinate Department response activities and data collection;
- Refer HIPAA compliance breaches to HHS OCR or CMS OESS, as appropriate;
- Notify appropriate internal HHS stakeholders, including the following: OPDIV Security Offices; HHS Records Officer; building physical security; the HHS Assistant Secretary for Preparedness and Response (ASPR); the Office of the Inspector General (OIG); HHS OCR; and CMS OESS; as well as appropriate external entities such as the United States Computer Emergency Readiness Team (US-CERT) and law enforcement; and,
- Provide notification and assessments of information breaches to the HHS Risk Management and Financial Oversight Board (RMFOB).
Chair – The HHS BRT Chair provides direction to the team to carry out the roles and responsibilities outlined in this charter. The HHS Chief Information Officer (CIO), who is also the designated HHS Senior Agency Official for Privacy (SAOP), (1) serves as the HHS BRT Chair. The Chair’s role is to facilitate communications among the Department’s many formal and logical sub-organizations for effective and efficient response to breaches as they occur and to provide proper guidance for HHS BRT members to come to consensus.
Coordinator – To ensure the efficient performance of the HHS BRT’s duties, the role of coordinator is necessary. The primary source of breach information and communication of breach updates will be the HHS Information Security and Privacy Program; therefore, the HHS Information Security and Privacy Program representative is designated as the Coordinator. The Coordinator has the following responsibilities:
- Serves as the liaison to the HHS Information Security and Privacy Program, the HHS BRT, and the OPDIV/STAFFDIV for additional information collection after the initial notification is made to the HHS Information Security and Privacy Program;
- Serves as an information security and privacy subject matter expert on the HHS BRT;
- Reviews breaches reported to the HHS Information Security and Privacy Program for applicability to the HHS BRT;
- Coordinates meetings, communications, reports, and other interactions with and between HHS BRT members;
- Identifies and manages issues, notifications, and escalations necessary for HHS BRT activity and success;
- Coordinates the production of reports on breaches and on HHS BRT activities for the RMFOB, the RMFOB Chair, and the HHS Chief Financial Officer (CFO);
- Coordinates tasks identified by the HHS BRT Chair, requests made by HHS BRT members, and requests made by RMFOB;
- Ensures the HHS Information Security and Privacy Program staff are used appropriately in support of the HHS BRT and that they have appropriate access to related information; and,
- Ensures the appropriate handling of PII as it relates to the performance of all HHS BRT activities.
Membership – The HHS BRT includes senior leadership representatives with expertise in information technology, legal requirements, privacy, law enforcement, and information security. These individuals are responsible for initiating necessary follow-on activities within their organization. The HHS BRT is composed of named representatives from the following areas within HHS:
- HHS Office of the Chief Information Officer
- HHS Office of the General Counsel
- HHS Office of the Assistant Secretary for Planning and Evaluation
- HHS Office for Civil Rights
- HHS Office of the Assistant Secretary for Public Affairs
- Centers for Medicare and Medicaid Services
- Office of Inspector General
- Office for Facilities Management and Policy
- Office of the Assistant Secretary for Legislation
- Office for Human Research Protection
A list of alternates who are granted full authority to act on the members’ behalf shall be available to the Chair.
The HHS BRT will meet quarterly, or more frequently as necessary, to fulfill the responsibilities outlined in this charter. Since HHS has a responsibility to inform US-CERT within one hour of learning of a suspected or confirmed PII data breach, as well as to notify impacted citizens when the loss of control of PII is suspected or confirmed, the timeliness of any response is extremely important. For this reason, meetings are expected to be conducted both formally and informally as in-person meetings, teleconferences, and/or email conversations. The HHS BRT will convene a meeting when members receive notification of a breach that involves the suspected or confirmed loss of control of PII. Any member may convene a meeting by notifying the Chair, who will then notify the other members.
The primary goal of each meeting is to achieve consensus on recommended actions as soon as possible and to communicate these recommendations to the HHS Information Security and Privacy Program. This coordination will enable quick action by the appropriate OPDIV/STAFFDIV and Department stakeholders. As necessary, the HHS BRT will require the OPDIV/STAFFDIV or business owner to provide a detailed breach report.
If a breach involves a component of the Department that is a “health care component” for the purposes of the HIPAA Privacy and Security Rules and involves “protected health information” as defined by 45 CFR § 160.103, then any representative from HHS OCR shall exclude himself or herself from voting—through formal votes or informal consensus votes—on recommendations for Department corrective actions. If the breach involves a health care component of the Department and “electronic protected health information” as defined by 45 CFR § 160.103, then any representative from CMS OESS shall exclude himself or herself from voting—through formal votes or informal consensus votes—on recommendations for Department corrective actions. As appropriate, any member of the team with a dual role, such as CMS OESS or HHS OCR, will release information to the HHS BRT when possible if it is not detrimental to the investigation.
While the HHS BRT operates via consensus, there may be situations that require a vote. For example, ratification of this charter or proposing a change to the composition of the HHS BRT would require the use of a voting process. When a situation before the HHS BRT requires a vote, it will be conducted as follows:
- A vote on an issue may be called by the Chair or by any member of the HHS BRT.
- Each representative organization has a single vote.
- A simple majority vote will be required to approve a recommended action or position. In the event of a tie vote, the Chair, with advisement from the Coordinator, will determine the appropriate actions to take moving forward.
- A quorum is required to conduct voting. A minimum of five HHS BRT members or their designated alternates constitutes a quorum.
- At the discretion of the Chair, a vote via email may be conducted after the scheduled meeting.
Detailed meeting minutes, denoting the speaker and content, are taken at each HHS BRT meeting by the HHS Information Security and Privacy Program representative and will be reviewed and approved by the Chair and Coordinator for release to the HHS BRT members for additional comments. The HHS Information Security and Privacy Program representative will incorporate any identified changes for final review by the HHS BRT members.
The final copy of the minutes shall be maintained by the HHS Information Security and Privacy Program.
Agenda items will be created for each HHS BRT meeting by the HHS BRT Coordinator in conjunction with the HHS Information Security and Privacy Program. Prior to each HHS BRT meeting, the Coordinator will distribute a meeting agenda for the Chair’s approval.
HHS Office of the Chief Information Officer
- Chief Information Officer (also serves as HHS BRT Chair)
- Chief Information Security Officer
- Chief Enterprise Architect
HHS Information Security and Privacy Program
- Senior Information Security Officer
HHS Office of the General Counsel
- Deputy General Counsel
HHS Office of the Assistant Secretary for Planning and Evaluation
- Deputy Director for Health Information Privacy (2)
HHS Office of the Assistant Secretary for Public Affairs
- Deputy Assistant Secretary for Public Affairs
- Executive Staff Assistant, Office of the Director, Assistant Secretary for Public Affairs
Centers for Medicare and Medicaid Services
- Director, Office of E-Health Standards and Services (3)
- Deputy Director, Office of E-Health Standards and Services
Office of Inspector General
- Special Investigations Unit
Office for Facilities Management and Policy
- Director of Information Technology Services Program
Office of Assistant Secretary for Legislation
- Special Assistant
Office for Human Research Protection
- Health Policy Analyst
Status reports, prepared by the Coordinator and approved by the Chair, are produced as necessary to keep the Secretary of HHS informed of the status of any breaches involving PII. The Chair may also request additional reports as necessary from the Coordinator.
After the breach mitigation activities are completed, the HHS BRT will provide the OPDIV/STAFFDIV with a summary report of the event. An annual report of the activities of the HHS BRT will be prepared by the Chair with review and comment by the HHS BRT members. This annual report is due to the RMFOB, and an abbreviated version specific to each OPDIV/STAFFDIV will be sent to OPDIV/STAFFDIV heads and CIOs, on January 31st of each year to report the status of the program as of December 31st of the previous year.
_________/s/_______________ November 17, 2008_______
Michael W. Carleton Date
HHS Chief Information Officer
Designated HHS Senior Agency Official for Privacy
(1) Per OMB Memorandum (M)-05-08, Designation of Senior Agency Officials for Privacy, HHS has designated the HHS CIO as the SAOP. Should this designation change, both the HHS CIO and SAOP must sit on HHS BRT, with the HHS CIO continuing to serve as HHS BRT Chair.
(2) The OCR is responsible for the implementation and enforcement of the HIPAA Privacy Rule.
(3) The OESS is responsible for the implementation and enforcement of the HIPAA Security Rule and other HIPAA non-privacy administrative simplification requirements.