Senior Director Privacy & Security
CenterX is hiring for an experienced Senior Director Privacy & Security to work full-time with our team located in Madison, WI.
Be part of a rapidly growing team focused on improving healthcare outcomes. You will develop software for doctors, pharmacists, and health plans so that patients might comfortably and confidently adhere to prescription therapy plans.
What you will be doing
Under HIPAA (the Health Insurance Portability and Accountability Act of 1996) every covered healthcare organization must designate a privacy official and a security official. In a typical practice or organizational setting these officials may hold other titles and duties in addition to their privacy or security official designation. The privacy official oversees all ongoing activities related to the development, implementation and maintenance of the practice/organization's privacy policies in accordance with applicable federal and state laws. The security official oversees and ensures compliance with both the required and addressable technical, administrative and physical safeguards in accordance with applicable federal and state laws, especially the HIPAA Security Rule. HIPAA, for purposes of this document, includes the HIPAA, HITECH and Omnibus Rule requirements.
The Privacy and Security Officer is responsible for the organization's Privacy Program, including but not limited to daily operations of the program; development, implementation and maintenance of policies and procedures; monitoring program compliance; investigation and tracking of incidents and breaches; and ensuring patients' rights in compliance with federal and state laws. The role is also responsible for the IT security program, including but not limited to its daily operations; oversight of the annual and ongoing risk assessment process; development, implementation and maintenance of policies and procedures; ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI); monitoring program compliance; and investigation and tracking of incidents and breaches in compliance with federal and state laws.
- Maintains a strategic and comprehensive privacy and information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected health information (PHI), paper and/or electronic, across all media types. Ensures privacy and information security forms, policies, standards, and procedures are up-to-date.
- Works with organization senior management and corporate compliance officer to establish governance for the privacy program.
- Serves in a leadership role for privacy compliance.
- Ensures alignment between the security and privacy compliance programs, including policies, practices and investigations, and acts as a liaison to the information systems department.
- Maintains and performs an ongoing process to track, investigate and report inappropriate access to and disclosure of protected health information. Monitors for patterns of inappropriate access and/or disclosure of protected health information.
- Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation.
- Conducts related ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions.
- Takes a lead role, to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
- Oversees, develops and delivers initial and ongoing privacy training to the workforce.
- Participates in the development, implementation, and ongoing compliance monitoring of all business associates and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
- Oversees Covered Entity responsibilities to the Business Associate and patient as applicable, with regards to patient protected health information rights. Manages all required breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
- Administers process for investigating and acting on privacy and security complaints.
- Performs required breach risk assessment, documentation, and mitigation. Works with Human Resources to ensure consistent application of sanctions for privacy violations.
- Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
- Maintains current knowledge of applicable federal and state privacy laws and accreditation standards.
- Works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
- Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities in any compliance reviews or investigations.
- Serves as information privacy resource to the organization regarding release of information and to all departments for all privacy related issues.
- Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
- Creates a culture of cyber security both with the IT organization and driving behavioral changes for the business.
- Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
- Manages security incidents and events involving electronic protected health information (ePHI).
- Ensures that the disaster recovery, business continuity, risk management and access control needs of the facility are addressed.
- Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation. Responsible for development and implementation of the security risk management plan.
- Ensures the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
- Oversees periodic monitoring and review of audit records to ensure that activity is appropriate. Such activity includes, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
- Ensures the organization has and maintains an appropriate system use and disclosure / confidentiality statement.
- Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities.
- Participates in the development, implementation, and ongoing compliance monitoring of all business associates and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed.
- Ensures the institution/organization complies with the HIPAA administrative, technical and physical safeguards.
- Communicates Effectively
- Drives for Results
- Ensure Accountability
- Functional Knowledge
- Instills Trust
- Interpersonal Savvy
- Manages Ambiguity
- Plans and Aligns
- Performs related duties as assigned.
What your background should look like (minimum qualifications)
- Baccalaureate degree in health information management, information systems, or a related healthcare field.
- Knowledge of and experience with state and federal information privacy and security laws and frameworks, including but not limited to HIPAA, HITECH, and the NIST cybersecurity and privacy frameworks.
- Demonstrated organization, facilitation, written and oral communication, and presentation skills.
- A privacy certification such as Certified in Healthcare Privacy and Security (CHPS) and/or another healthcare industry credential, e.g. RHIA or RHIT, is recommended.
- Knowledge of and experience in obtaining or maintaining third-party comprehensive privacy and security compliance assessments, such as SOC 2 or HITRUST CSF.
- Demonstrated skills in collaboration, teamwork, and problem-solving to achieve goals.
- Demonstrated skills in verbal communication and listening.
- Demonstrated skills in providing excellent service to customers.
- Excellent writing skills.
- A high level of integrity and trust.
- Extensive familiarity with healthcare-relevant legislation and standards for the protection of health information and patient privacy.
- Healthcare legal, operational, and/or financial skills.