Under the direct supervision of the Senior Director of Corporate Compliance, the Manager of Privacy/Privacy Officer is responsible for the organization's Privacy Program, including but not limited to daily operations of the program; development, implementation and maintenance of policies and procedures; education; monitoring program compliance; investigation and tracking of incidents and breaches; and ensuring patients' rights in compliance with federal and state laws across Luminis Health.
Essential Job Duties:
- Governance and structure: Works with the Senior Director of Compliance and Chief Corporate Compliance Officer to establish governance for the privacy program. Serves as the Privacy Officer for Luminis Health and co-chairs the Privacy and Security Committee. Performs or oversees initial and periodic privacy risk assessment/analysis, mitigation and remediation. Conducts ongoing compliance monitoring activities in coordination with other compliance and operational assessment functions across Luminis Health. Maintains current knowledge of applicable federal and state privacy rules, laws and accreditation standards to ensure confidentiality of protected health information (PHI).
- Collaboration: Collaborates with the information security officer to ensure alignment between privacy and security compliance programs including policies, practices, investigations, and acts as a liaison to the information systems department. Works with the Senior Director of Corporate Compliance and Human Resources to ensure consistent application of sanctions for privacy violations. Works with leadership across all departments of Luminis Health including legal counsel to follow up on investigations, provide education, and ensure compliance with privacy policies and procedures.
- Investigations and complaints: Establishes and administers a process for intake, investigation, action, and reporting of privacy and security complaints. Conducts high-level or sensitive investigations and interviews as needed. Manages all required breach determination and notification processes under HIPAA and applicable state breach rules and requirements. Completes timely reporting of breaches to, and cooperates with, the U.S. Department of Health and Human Services' Office for Civil Rights, state regulators and/or other legal entities in any compliance reviews or investigations.
- Large scale breach event responsibilities: Serves as the incident command leader for any large scale event involving exposure of PHI, coordinates with contracted resources including Breach Coach, establishes Incident Response Team structure and communication, concludes investigation, completes notification and reporting, and ensures capture of all event documentation.
- Security Access Audits: Establishes an ongoing process to track, investigate and report inappropriate access to systems that contain PHI. Monitors patterns of inappropriate access to and/or disclosure of protected health information. Takes ownership of the software and vendor relationship for security access monitoring tools.
- Policies and Forms related to Privacy: Ensures the organization has and maintains appropriate privacy and confidentiality references for patients, consents, authorization forms and information notices and materials reflecting current federal and state laws and regulatory requirements.
- Education: Develops, delivers, and maintains initial and ongoing privacy training to the workforce. Owns, updates, and tailors education materials including Privacy Office intranet site, storyboards, and presentations to meet revised requirements and educational needs.
- Metrics: Establishes and maintains best practice tracking of metrics for all aspects of privacy office activity and reports metrics to committees and leadership as appropriate across Luminis Health.
Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Required Minimum Education: The minimum level of education for this position includes:
- Master's degree, preferred in a related field
Required Minimum Experience:
- Four years' experience in a Health Compliance or Privacy role, or equivalent experience, required.
- Four years' experience with Privacy regulations required.
- Certified HIPAA professional (CHP or CHPS), or certification in Healthcare Privacy Compliance (CHPC) to be obtained within 24 months.
- Certified HIPAA Professional (CHP) required or to be obtained within 24 months.
Knowledge, Skills, Abilities:
- Ability to interpret and apply privacy and security requirements including the Office for Civil Rights (OCR) Privacy and Security Rules, State of Maryland regulations (COMAR), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Cures Act, Substance Abuse and Mental Health Services Administration (SAMHSA) rules, and laws governing the privacy of mental health records.
- Working knowledge of electronic health records and strong command of Microsoft Office suite.
- Strong communication skills, including the ability to communicate with employees, patients, visitors, and the general public at a level each group can digest.
Working Conditions, Equipment, Physical Demands:
Light work. Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly to move objects. If the use of arm and/or leg controls requires exertion of forces greater than that for sedentary work and the worker sits most of the time, the job is rated for light work.
There is reasonable expectation that employees in this position will not be exposed to blood-borne pathogens.
The above is intended to describe the general content of and requirements for the performance of this job. It is not to be construed as an exhaustive statement of duties, responsibilities or requirements.