Privacy Incident Response Team (PIRT) Charter

Table of Contents 

Nature of Changes

1. Purpose
2. PIRT Mission and Vision
3. PIRT Scope
4. Responsibilities
5. Membership
6. Meetings
7. Agenda Items
8. Reports
9. Approval

Deputy Assistant Secretary for Information Technology and.Senior Agency Official for Privacy

Nature of Changes

The following revisions are made in the January 6, 2011 issuance of the HHS-OCIO-2010-0001.001C, HHS-OCIO Privacy Incident Response Team (PIRT) Charter.

1. The Table of Contents is changed to reflect editorial and page number changes.
2. The entire document is changed to reflect editorial and administrative updates.
3. The entire document is changed to reflect the name change from “Breach Response Team” to “Privacy Incident Response Team.”
4. Section 1 is changed to reflect that this charter is a reissuance.
5. Section 2 is changed to make trend analysis and risk management a key activity of the PIRT. 
6. Section 3 is updated to reflect legislative changes and clarify the scope of incidents outside the purview of the PIRT.
7. Section 5 is updated to reflect administrative changes to HHS offices and to incorporate voting membership (Section 9 in the previous issuance).
8. Section 6 is updated to provide a capability for the PIRT Chair to convene an ad-hoc Advisory Panel for incidents requiring immediate response and to allow for a PIRT appeals process.
9. Section 8 is changed to alter the delivery date of the Annual PIRT Report to the Risk Management Financial Oversight Board.

 

This charter is a reissuance and rebrands the HHS-OCIO Personally Identifiable Information Breach Response Team (HHS PII BRT) as the HHS-OCIO Privacy Incident Response Team (HHS PIRT). The HHS PIRT is the core management group responsible for responding to the loss of personally identifiable information[1] (PII) under the purview of HHS and those acting on its behalf. The HHS PIRT operates on behalf of and reports to the Risk Management and Financial Oversight Board (RMFOB) and fulfills the function mandated by the Office of Management and Budget (OMB) Memorandum, Recommendations for Identity Theft Related Data Breach Notification dated September 20, 2006.

This revision supersedes and obsoletes the HHS-OCIO-2008-0001.003C, Personally Identifiable Information (PII) Breach Response Team (BRT) Charter, dated November 17, 2008.

The mission of the HHS PIRT is to reduce the risk associated with the loss of PII of the public and HHS employees and to oversee response efforts to privacy incidents. The HHS PIRT plays an integral role in protecting the reputation and mission of HHS, and building and maintaining the trust between the Department and the American public.

The HHS PIRT will achieve this mission by collaborating with the HHS Computer Security Incident Response Center (CSIRC), Operating Divisions (OPDIVs), Staff Divisions (STAFFDIVs) and other stakeholders to ensure effective procedures for identifying suspected or actual breaches; overseeing or directly managing Departmental response efforts to incidents involving PII including validating risk and reviewing and approving response plans and communications; performing analysis on incident data in order to recommend strategies to effectively refine and improve the Department’s response to the potential loss of PII; championing privacy and security solutions that can reduce the potential loss of PII; and monitoring the privacy and security environment to raise awareness of threats to PII within the Department. 

The HHS PIRT Charter sets forth the mission and responsibilities of the HHS PIRT. The HHS PIRT has oversight of all HHS organizational components (i.e., OPDIVs and STAFFDIVs) as it relates to privacy incident response. The HHS PIRT has oversight of any incident that involves PII that is collected, processed, or maintained directly by HHS or on its behalf.

Although the PIRT Charter does not document processes and procedures for managing incidents, the PIRT does maintain standard operating procedures to address the handling of the various types of incidents within HHS.

Designated healthcare components within HHS must comply with HHS policy and procedures as well as their obligations under Federal and state law, including the Health Insurance Portability and Accountability Act (HIPAA) and any breach notification rules issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. Privacy incidents that fall outside of the scope of the HHS PIRT include incidents classified as a “breach of unsecured protected health information”[2] that do not involve an HHS designated healthcare component operating as a covered entity or business associate (e.g., private health plans). 

Due to the nature of the services provided by HHS, a privacy incident may be governed by a variety of Federal laws and regulations, such as the Privacy Act, HIPAA, HITECH, and OMB guidance. The HHS PIRT will consider the potential applicability of these and any other Federal laws when responding to an incident and (depending on the law and the factual circumstances) may also refer the incident to an agency or division that has additional authority to investigate or otherwise respond to the report. 

The loss of control of PII can result from a variety of scenarios including, but not limited to, the loss or theft of HHS devices in which PII is stored, the loss or theft of documents containing PII, human error, or the exploitation of vulnerabilities within a technology. Incident details come from various sources, including a specific OPDIV/STAFFDIV, system monitoring software, an individually reported loss, or complaints submitted under HIPAA or pursuant to another Federal law. Incidents are reported to the HHS CSIRC within the HHS Cybersecurity Program of the Office of the Chief Information Officer (OCIO). The HHS CSIRC then notifies members of the HHS PIRT. Regardless of the originating source, the HHS PIRT will oversee incident response for any incident that represents a potential failure by the Department to properly protect and control the wide variety of PII maintained across its OPDIVs and STAFFDIVs. In consultation with the responsible Department component, the HHS PIRT determines and advises on any OPDIV/ STAFFDIV risks associated with the incident; directs and advises specific responses to the breach of PII; identifies and addresses potential legal and public relations issues; and notifies or manages notifications to internal and external entities as required. 

In addition to managing incident response efforts, the HHS PIRT regularly advises the Department on ways to improve the protection of PII through analysis of HHS incident data, development of recommendations to enhance protections, review and approval of OPDIV/STAFFDIV incident response plans related to the mitigation of risks associated with the reoccurrence of an incident, and environmental monitoring for threats that could potentially impact the Department’s protection of PII.

The HHS PIRT oversees privacy incident management activities to confirm incidents and breaches are evaluated based on the level of risk and applicable legal requirements and to verify response activities are proportionate and relevant. All responsibilities, but particularly those related to responding to a specific incident, must be carried out in a timely manner without unreasonable delay.

The primary roles and responsibilities of the HHS PIRT are to:

• Oversee OPDIV/STAFFDIV incident management activities for suspected or actual breaches of PII;
• Evaluate breaches or suspected breaches of PII and decide what actions should be taken;
• Provide input to and approve incident response activities for incidents involving PII;
• Assess the responsible organization’s proposed course of action, risk assessments, response plan, and proposed notification activities; provide feedback; and make recommendations for improvement;
• Notify appropriate internal HHS leadership of a suspected or actual breach per HHS PIRT standard operating procedures;
• Ensure proper reporting, notification, and follow-up actions to stakeholders by the responsible organization across relevant HHS organizational components when an incident involving PII occurs;
• Ensure healthcare components are managing incidents according to breach notification rules issued pursuant to the HITECH Act;
• Work closely with the HHS Cybersecurity Program to coordinate Department response activities and data collection;
• Ensure incidents are coordinated with appropriate external entities, such as law enforcement or other Federal agencies;
• Coordinate incident response capabilities with the HHS CSIRC to ensure effective management of incident identification, escalation, mitigation, and closure data;
• Conduct analysis of incident data to identify trends and make recommendations on enhancements to the protection of PII; and
• Develop and maintain standard operating procedures to effectively manage potential or suspected incidents.

HHS PIRT Chair – The HHS PIRT Chair (hereafter “PIRT Chair”) provides direction to the team to carry out the roles and responsibilities outlined in this charter. The HHS Chief Information Officer (CIO), who is also the designated HHS Senior Agency Official for Privacy (SAOP),[3] serves as the PIRT Chair. The PIRT Chair’s role is to facilitate communications among the Department’s many administrative and operational sub-organizations and to provide proper guidance for HHS PIRT members to come to consensus. In the event that the PIRT Chair cannot perform assigned duties, the PIRT Chair can designate an individual to be the acting PIRT Chair.

HHS PIRT Coordinator– The HHS PIRT Coordinator (hereafter “PIRT Coordinator”) ensures the efficient performance of the HHS PIRT’s duties. The primary source of breach information and communication of breach updates will be the HHS Cybersecurity Program; therefore, the HHS Cybersecurity Program representative is designated as the PIRT Coordinator. The PIRT Coordinator has the following responsibilities:

• Serving as the liaison to the HHS Cybersecurity Program, the HHS PIRT, and the OPDIV/STAFFDIV in order to gather any additional information after initial notification is made to the HHS PIRT; serving as an information security and privacy subject matter expert on the HHS PIRT;
• Reviewing incidents reported to the HHS Cybersecurity Program for applicability to the HHS PIRT;
• Coordinating meetings, communications, reports, and other interactions with and between HHS PIRT members;
• Identifying and managing issues, notifications, and escalations necessary for HHS PIRT activity and success;
• Coordinating the analysis of breach activities and the production of reports on breaches and on HHS PIRT activities for the RMFOB, the RMFOB Chair, and the HHS Chief Financial Officer (CFO);
• Coordinates tasks identified by the HHS PIRT Chair, requests made by HHS PIRT members, and requests made by RMFOB; and
• Ensures the appropriate handling of PII as it relates to the performance of all HHS PIRT activities.

Membership – The HHS PIRT includes senior leadership representatives from organizations across the Department with expertise in information technology, legal requirements, privacy, law enforcement, and information security. These individuals are responsible for initiating necessary follow-on activities within their organization. The HHS PIRT is comprised of named representatives from the following areas within HHS. For each member organization, the primary role and voting member has been identified:

HHS Office of the Chief Information Officer

• Chief Information Officer (also serves as HHS PIRT Chair)

HHS Cybersecurity Program

• Chief Information Security Officer

HHS Office of the General Counsel

• Deputy General Counsel

 HHS Office of the Assistant Secretary for Planning and Evaluation

• Senior Advisor, Privacy Policy

Centers for Medicare & Medicaid Services

• Director, Office of E-Health Standards and Services

HHS Office for Civil Rights

• Deputy Director for Health Information Privacy[4]

HHS Office of the Assistant Secretary for Public Affairs

• Deputy Assistant Secretary for Public Affairs

HHS Office of Inspector General

• Special Investigations Unit

HHS Office of National Security (ONS)

•  Information Security Program Manager

HHS Office of Assistant Secretary for Legislation

• Special Assistant

HHS Office of the Assistant Secretary for Health

• Human Research Programs Health Policy Analyst

The member organizations may identify alternates who are granted full authority to act on the members’ behalf. 

All members of the HHS PIRT are expected to:

• Support the mission and vision of the HHS PIRT;
• Attend regularly scheduled and ad hoc meetings;
• Provide expertise and guidance to support the mission of the HHS PIRT;
• Act as an liaison on behalf of the HHS PIRT to their respective OPDIV/STAFFDIV;
• Facilitate an environment for open discussions in a professional manner; and
• Support decisions made by the HHS PIRT.

In addition to these members, the PIRT may choose to invite various organizations or individuals (e.g., Office of Human Resources, an ethics officer) to provide unique expertise and insight to support PIRT functions for one or more meetings.

When an OPDIV experiences a significant incident or a series of incidents, the PIRT will include the OPDIV/STAFFDIV in PIRT meetings and communications to gather and share information and to validate response plans.

Meeting Frequency 

The HHS PIRT will meet monthly, or more frequently as necessary, to fulfill the responsibilities outlined in this Charter. Because HHS has a responsibility to inform the United States Computer Emergency Readiness Team (US-CERT) within one hour of learning of a suspected or confirmed PII data breach, as well as to notify impacted citizens when the loss of control of PII is suspected or confirmed, the timeliness of any response is extremely important. 

Ad Hoc Advisory Panel

Responding to a suspected or confirmed PII data breach can require rapid response, including analysis of applicable laws and guidance and coordination within the Department. The PIRT Chair can select HHS PIRT members to form an Ad Hoc Advisory Panel for the purposes of rapid response. The purpose of an Ad Hoc Advisory Panel is to quickly provide advice and counsel to the PIRT Chair on a suspected or confirmed PII breach. The use of an Ad Hoc Advisory Panel does not supplant the operations of the HHS PIRT as it relates to responding to an incident.

The PIRT Chair should inform the entire HHS PIRT of the convening of an Ad Hoc Advisory Panel, the members selected, and the purpose for convening the Ad Hoc Advisory Panel. After convening, the PIRT Chair will communicate the key points of discussion to the entire HHS PIRT membership. Formal meeting minutes will be taken and distributed to the HHS PIRT membership.

Meeting Organization

Meetings are expected to be conducted both as in-person meetings, teleconferences, and/or email conversations. 

Meeting Agenda

The primary goal of each meeting is to develop and achieve consensus on recommended actions effectively and efficiently. PIRT coordination will enable quick action by the appropriate OPDIV/STAFFDIV and Department stakeholders. As necessary, the HHS PIRT will require the OPDIV/STAFFDIV or business owner to provide a detailed incident report – including proposed actions to respond to the breach – and will be invited to meetings as appropriate when agenda items are relevant to their organization.

Decisions

The HHS PIRT primarily operates via consensus; however, there may be situations that require a vote (e.g., the ratification of this charter or proposing a change to the composition of the HHS PIRT) or that require the PIRT Chair to make a decision on behalf of the HHS PIRT.

When a situation before the HHS PIRT requires a vote, it will be conducted as follows:

• A vote on an issue may be called by the PIRT Chair or by any member of the HHS PIRT.
• Each member organization has a single vote. An alternate may vote when attending on behalf of the primary voting member (listed in section 5).
• A simple majority vote will be required to approve a recommended action or position. In the event of a tie vote, the PIRT Chair (with advice from the PIRT Coordinator) will determine the appropriate actions to take moving forward.
• A quorum is required to conduct voting. A minimum of five HHS PIRT members or their designated alternates constitutes a quorum.
• At the discretion of the PIRT Chair, a vote via email may be conducted after the scheduled meeting.

If an incident involves a component of the Department that is a “health care component” for the purposes of the HIPAA Privacy and Security Rules and involves “protected health information” as defined by 45 CFR § 160.103, then any representative from HHS OCR shall exclude himself or herself from voting – through formal votes or information consensus votes – on recommendations for Department corrective actions.

If an HHS component disagrees with the recommendations of the HHS PIRT pertaining to notification, an OPDIV/STAFFDIV Head may appeal the PIRT’s decision to the RMFOB Chair within 48 hours.  

Meeting Minutes

Detailed meeting minutes, denoting the speaker and content, taken at each HHS PIRT meeting by the HHS Cybersecurity Program representative will be reviewed and approved by the HHS PIRT Coordinator for release to the HHS PIRT members for additional comments. The HHS Cybersecurity Program representative will incorporate any identified changes for final review by the HHS PIRT members. 

The final copy of the minutes, including a description of the incident and its resolution, shall be maintained by the HHS Cybersecurity Program in accordance with the National Archives and Records Administration, General Records Schedule 24, item #7, Computer Security Incident Handling, Reporting and Follow-up Records (NARA Transmittal No. 22, dated April 2010).

Agenda items will be created for each HHS PIRT meeting by the HHS PIRT Coordinator in conjunction with the HHS Cybersecurity Program. Prior to each HHS PIRT meeting, the PIRT Coordinator will distribute a meeting agenda for the PIRT Chair’s approval. 

An annual report of the activities of the HHS PIRT will be prepared by the PIRT Chair with review and comment by the HHS PIRT members. This annual report is due to the RMFOB by the first day of March of each year to report the status of the program as of the last day of December of the previous year. An abbreviated version specific to each OPDIV/STAFFDIV will also be sent to OPDIV/STAFFDIV heads and CIOs.

Annual reports are based in part on trends identified through review of individual incidents. Individual incident reports and data are maintained by the HHS CSIRC in Risk Vision in collaboration with the OPDIVs.

Status reports are prepared by the PIRT Coordinator and approved by the PIRT Chair as necessary to keep the Secretary of HHS informed of the status of any incidents involving a PII breach. The PIRT Chair may also request additional reports as necessary from the PIRT Coordinator.

__/s/ John Teeter for______________________	January 6, 2011
Michael W. Carleton HHS Chief Information Officer and Deputy Assistant Secretary for Information Technology and  Senior Agency Official for Privacy	Date

 

---