Privacy Manager

  • 42839
  • 960 Massachusetts Ave, Boston, Massachusetts
  • Full Time

POSITION SUMMARY:

The Privacy Manager provides support for operations and initiatives critical to Boston Medical Center Health Systems (BMCHS) information privacy practices. It is expected that this individual will support the implementation of our information privacy strategy and goals, which includes various projects and programs central to the privacy function throughout the organization.

Reporting to the Chief Privacy Officer, the Privacy Manager is responsible for the implementation of all aspects of privacy and security breach case intake, investigations, internal reporting, monitoring and improvement efforts, and delegation of work assignments to other Privacy Analysts. This role is responsible for overseeing daily work of the Privacy Analysts on the team, providing performance management feedback, resolving more complex privacy and compliance issues, and will serve as the stand-in Chief Privacy Officer when they are out. The Privacy Manager assists with projects, external incident and breach reporting, and development of employee training and engagement material. The Privacy Manager monitors policies and procedures to align with and reflect current and future state and federal regulations (including HIPAA and HITECH).

Position: Privacy Manager

Department: Compliance

Schedule: Full Time

Location: HYBRID

ESSENTIAL RESPONSIBILITIES / DUTIES:

The Privacy Manager will champion good information stewardship and privacy practices across BMCHS hospitals.

Prepares and completes all steps necessary to resolve privacy and security incidents. This includes:

  • Manage and maintain all channels of incident reporting.
  • Prepares intake documentation, contacts involved parties, conducts interviews, and researches data of privacy incidents to complete cases.
  • Develop and implement standards and workflows for privacy investigations, ensuring consistent practices across the Privacy Analyst team and identifying opportunities for improvement.
  • Uses risk assessment standards to determine breach and reporting requirements.
  • Prepares documentation of incident review and retains in the department’s incident tracking system.
  • Facilitate multidisciplinary collaboration by acting as the primary liaison between the Privacy Office and key departments such as Information Security/Information Technology, Legal and Compliance, Clinical Research and Institutional Review Board, Patient Advocacy, Quality & Safety, and Human Resources.
  • Ensure consistent and thorough documentation practices across the privacy team, including the maintenance of the department’s incident tracking system and the quality of investigation records.
  • Responsible for ensuring mailings to patients are accurate, timely and recorded for regulatory requirements and reporting.
  • Investigate reports of inappropriate access or breach of protected health information to gauge risk and impact to patients, mitigate harm, and meet regulatory reporting requirements.
  • Conducts audits of clinical records in response to patient requests or at the direction of the Chief Privacy Officer.
  • Conducts proactive audits to ensure the integrity of the medical record.
  • Assists in facility walkthroughs for physical audits.
  • Oversees Privacy Analysts and manages processes as necessary to meet deadlines.
  • Suggests continuous improvement and solutions for Privacy Office. Identifies root causes of issues, assesses trends, recommends changes, and reports these to the Chief Privacy Officer.
  • Monitor the Privacy Office phone line and email address daily.
  • Serve as lead investigator on breach incident reviews.
  • Provide guidance and subject matter expertise on privacy matters via consultations to the Privacy office.

Team Leadership

  • Monitor intake and reports to the Compliance and Privacy office, delegating and distributing to other Privacy Analysts based on workload.
  • Provide guidance as senior member to other Privacy Analysts.
  • Provide feedback to the Chief Privacy Officer on performance management of Privacy Analysts.
  • Serve as first line of review for complex privacy and compliance incidents and escalation point and final reviewer for incident documentation and breach determinations.

Project Management:

  • Identify privacy gaps and trends and develop project plan to address them.
  • Develop project plans for consultation requests that require in-depth review by compliance and other stakeholders.
  • Set deadlines, determine necessary stakeholders, coordinate meetings and follow projects through to completion.

Human Resources and Compliance Line:

  • Take the lead in developing bi-weekly agendas for review and collaboration with Human Resources Labor Relations team.
  • Prepare weekly Compliance Line complaints, track to completion all complaints in the incident management system.
  • Lead investigatory reviews of any issues that require meeting with employees, document all steps and present on meetings at the Human Resources Labor Relations meeting.

Research Privacy and Security Reviews:

  • Collaborate with Senior Privacy Analyst on research privacy consultations.
  • Establish a workflow for reviewing any researcher-initiated requests to the department.
  • Develop agenda for the Research Privacy and Security meetings and see each issue through to completion.
  • Proactively recommend topics to bring to the bi-weekly Research Compliance meeting with support from the Chief Privacy Officer.

Policy Management:

  • Ensure all Compliance and Privacy policies are renewed at the required intervals to stay current.
  • Proactively review policies in both Compliance and Privacy manuals to recommend substantive updates when regulation or operational changes warrant review.
  • Identify on a monthly basis any policies that the Chief Privacy Officer should take to the hospital’s interdisciplinary Policy Committee.

Responsible for all minute taking at Privacy Office meetings or at the request of the Chief Privacy Officer. Proactively prepares draft agendas for meetings with other departments for approval by Chief Privacy Officer.

Works cooperatively with staff in Release of Information and other units in HIM to facilitate patient requests for records, amendments, and to restrict access to protected health information, when appropriate.

Assists with policy drafting and updates by tracking developments in state and federal regulations and laws.

Develops knowledge of applicable federal and state privacy laws and monitors advancements in information privacy technologies to assist with organizational adaptation and compliance.

Tracks and brings to completion all consultation requests from workforce members.

Provides metrics on incidents and consults from the incident tracking system on a quarterly basis and as needed.

Assist the Chief Privacy Officer with the preparation of quarterly reports and presentations.

Drafts Workplan for Privacy / General Compliance and reviews with team prior to submission on an annual basis.

Performs other duties as needed or assigned.

(The above statements in this job description are intended to depict the general nature and level of work assigned to the employee(s) in this job.  The above is not intended to represent an exhaustive list of accountable duties and responsibilities required).

JOB REQUIREMENTS

REQUIRED EDUCATION AND EXPERIENCE:

  • Bachelor’s Degree (B.A. or B.S.) and 6-8 years of privacy and compliance experience, or an equivalent combination of education and experience, required.

PREFERRED EDUCATION AND EXPERIENCE:

  • Paralegal, Mediation, Juris Doctor or relevant Masters Degree(s) and 2-4 years of privacy and/or compliance experience.

  • 1 year of leadership experience on a team.

CERTIFICATES, LICENSES, REGISTRATIONS REQUIRED:

  • N/A

CERTIFICATES, LICENSES, REGISTRATIONS PREFERRED:

  • Certified Information Privacy Professional (CIPP), Certified in Healthcare Privacy Compliance (CHPC), Healthcare Certified Information Security and Privacy Professional (HCISPP) or Certified Mediator preferred. Efforts to obtain a relevant professional certification after hire strongly encouraged for candidates who are not certified at time of hire.

KNOWLEDGE, SKILLS & ABILITIES (KSAs):

  • Expert knowledge of HIPAA Privacy and Security Rules, Omnibus Rule, Breach Notification Rule, and State privacy laws.

  • Outstanding organizational and analytical skills.

  • Detail-oriented with excellent follow-through skills to drive projects to closure.

  • Ability to translate regulatory requirements into practical and actionable elements.

  • Excellent interpersonal skills with solid understanding of the importance of relationship-building and how to effectively influence behavior.

  • Experience communicating with health care staff and patients in a professional manner.

  • Skilled investigator in complex issues; ability to see the nuances of a situation and home in on the underlying issues.

  • Skilled “lateral thinker”. Be able to challenge assumptions and suspend judgment until appropriate.

  • Strategic thinker able to map out work-flows and processes that converge with the facts then presented.

  • Strong independent worker, but also team oriented.

  • Ability to delegate.

Equal Opportunity Employer/Disabled/Veterans

According to the FTC, there has been a rise in employment offer scams. Our current job openings are listed on our website and applications are received only through our website. We do not ask or require downloads of any applications or “apps.” Job offers are not extended over text messages or social media platforms. We do not ask individuals to purchase equipment for or prior to employment.

EEO & Accommodation Statement
Boston Medical Center is an equal employment/affirmative action employer. We ensure equal employment opportunities for all, without regard to race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity and/or expression or any other non-job-related characteristic.
If you need accommodation for any part of the application process because of a medical condition or disability, please send an e-mail to Talentacquisition@bmc.org or call 617-638-8582 to let us know the nature of your request.

E-Verify Program
Boston Medical Center participates in the Electronic Employment Verification Program. As an E-Verify employer, prospective employees of BMC must complete a background check and receive medical clearance before beginning their employment at the hospital.
