Chief Privacy Officer (CPO)

POSITION SUMMARY:

The Chief Privacy Officer (CPO) is responsible for developing, implementing, and overseeing Boston Medical Center Health Plan ("WellSense") privacy program for all products and states to ensure compliance with all applicable federal, state, and industry regulations governing the protection of personal health information (PHI) and sensitive data. This leader plays a key role in safeguarding the organization’s commitment to data privacy, upholding member trust, and minimizing privacy-related risks. The CPO will work closely with legal, compliance, IT, and operational teams to ensure adherence to data privacy laws and regulations, including HIPAA, HITECH, and other applicable standards. The position has supervisory responsibility and will oversee 1-2 direct reports.

Position: Chief Privacy Officer (CPO)        

Department: Compliance

Schedule: Full Time (primarily remote/onsite for meetings or as needed)

ESSENTIAL RESPONSIBILITIES / DUTIES:

Privacy Program Leadership and Strategy:

• Develop and implement a comprehensive privacy program, including policies, procedures, and guidelines to ensure the protection of PHI and sensitive information.
• Establish the strategic direction for privacy compliance and risk management in alignment with corporate goals and industry best practices.
• Regularly review and update the privacy program to reflect changes in regulatory requirements, organizational needs, and emerging privacy trends.

Regulatory Compliance and Policy Development:

• Ensure compliance with federal and state privacy laws, including HIPAA, HITECH
• Lead the development, implementation, and maintenance of privacy policies and procedures that support compliance and protect member data.
• Oversee the organization’s response to regulatory changes, ensuring timely adaptation of practices and communication with relevant stakeholders.

Risk Assessment and Mitigation:

• Conduct privacy risk assessments and gap analyses to identify areas for improvement in privacy practices and regulatory adherence.
• Lead initiatives to mitigate identified risks, including recommending corrective actions, preventive measures, and best practices.
• Partner with IT and security teams to assess data protection measures, evaluate privacy risks associated with new projects or systems, and monitor access controls and encryption protocols.

Incident Response and Investigations:

• Lead and manage investigations into potential privacy breaches or complaints, including documentation, root cause analysis, and resolution.
• Collaborate with the legal team on incident responses, including reporting requirements and notifications to affected individuals and regulatory agencies.
• Develop and oversee a robust incident response plan, including training and simulations to enhance response effectiveness.

Privacy Education, Training and Awareness:

• Develop and implement privacy training programs for employees, contractors, and vendors to promote awareness of privacy policies and best practices.
• Provide guidance to departments on privacy-related issues and create a culture of compliance and accountability.
• Regularly assess training effectiveness and adapt content to address evolving privacy challenges and regulatory updates.

Data Governance and Stakeholder Collaboration:

• Collaborate with IT, data governance, and security teams to ensure alignment of privacy practices with data management and cybersecurity measures.
• Serve as a privacy resource and advisor to internal stakeholders, including legal, compliance, HR, and operational teams.
• Maintain relationships with external regulatory bodies and industry organizations to stay current on privacy developments and best practices.
• Provide thought leadership and support for Responsible Artificial Intelligence Governance Committees

Monitoring and Reporting:

• Develop and manage privacy program metrics and key performance indicators (KPIs) to measure program effectiveness and identify areas for improvement.
• Provide regular privacy reports and updates to executive leadership, the board of directors, and other key stakeholders.
• Prepare documentation and reports for audits, regulatory reviews, and compliance inquiries.

(The above statements in this job description are intended to depict the general nature and level of work assigned to the employee(s) in this job. The above is not intended to represent an exhaustive list of accountable duties and responsibilities required).

JOB REQUIREMENTS

EDUCATION:

• Bachelor’s degree in law, healthcare administration, information management, or a related field required; Master’s degree or Juris Doctor (JD) preferred.

CERTIFICATES, LICENSES, REGISTRATIONS REQUIRED:

• Certified Information Privacy Professional (CIPP), Certified in Healthcare Privacy Compliance (CHPC), or related certification required or the ability to obtain one within 6 months of your date

EXPERIENCE:

• Minimum of 8-10 years of experience in privacy, data protection, and compliance, with at least 5 years in an executive leadership role in health insurance or healthcare required.

• Minimum of 5 years’ experience managing teams in privacy, data protection, and compliance required

KNOWLEDGE, SKILLS & ABILITIES (KSAs):

• Comprehensive understanding of privacy laws, regulations, and frameworks, including HIPAA, HITECH.

• Experience with privacy risk assessment, incident response, and data governance best practices.

• Strong analytical, strategic planning, and project management skills.

• Excellent communication, leadership, and interpersonal skills, with the ability to effectively communicate privacy-related issues across all levels.

Equal Opportunity Employer/Disabled/Veterans