Notification of Breach Routine Use Language

October 9, 2007

TO: HHS Privacy Act Contacts

FROM:

Robert Eckert
Director
FOI/Privacy Acts Division
Office of Public Affairs, ASPA

SUBJECT: Notification of Breach Routine Use Language

On May 22, 2007, the Office of Management and Budget (OMB) released Memoranda (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf). The Department of Health and Human Services (HHS) convened a leadership committee composed of members from the Office of the Chief Information Officer (OICO), the Office of Assistant Secretary for Public Affairs (ASPA), and the Office of the Assistant Secretary for Planning and Evaluation (ASPE) in order to formulate a response plan for the newly established requirements. The final response plan was signed by the HHS Chief Information Officer (CIO), Mike Carleton and submitted to OMB on September 19, 2007. It is available at: http://www.hhs.gov/ocio/securityprivacy/incidentmanagement/incidentresp.html, and on the HHS intranet at http://intranet.hhs.gov/infosec/policies_memos.html.

As required by the memoranda, to comply with the "Incident Reporting and Handling Requirements," all OPDIVs/STAFFDIVs must incorporate the following routine use language as part of your normal SORN review process:

"To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance."

If you have any questions, please contact Maggie Blackwell, Privacy Officer, at (202) 690-7453 or maggie.blackwell@hhs.gov.