Notification of Breach Routine Use Language

Notice of HHS response plan for the new requirements regarding safeguarding against and responding to the breach of personally identifiable information.

October 9, 2007

TO: HHS Privacy Act Contacts


Robert Eckert
FOI/Privacy Acts Division
Office of Public Affairs, ASPA

SUBJECT: Notification of Breach Routine Use Language

On May 22, 2007, the Office of Management and Budget (OMB) released Memorandum (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. The Department of Health and Human Services (HHS) convened a leadership committee composed of members from the Office of the Chief Information Officer (OCIO), the Office of Assistant Secretary for Public Affairs (ASPA), and the Office of the Assistant Secretary for Planning and Evaluation (ASPE) in order to formulate a response plan for the newly established requirements. The final response plan was signed by the HHS Chief Information Officer (CIO), Mike Carleton, and submitted to OMB on September 19, 2007. It is available at:, and on the HHS intranet at

As required by the memorandum, to comply with the "Incident Reporting and Handling Requirements," all OPDIVs/STAFFDIVs must incorporate the following routine use language as part of your normal SORN review process:

"To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance."

If you have any questions, please contact Maggie Blackwell, Privacy Officer, at (202) 690-7453 or

Page last reviewed October 2014
Page originally created October 2007
Internet Citation: Notification of Breach Routine Use Language. Content last reviewed October 2014. Agency for Healthcare Research and Quality, Rockville, MD.