Director, Privacy & Security Officer

Why This Role is Important to Us:
Under the direction of the Senior Director of Regulatory Affairs & Compliance, the Privacy and Security Officer directs and manages Commonwealth Care Alliance’s (CCA) efforts to ensure compliance with laws, regulations and policies that govern information privacy and security including, but not limited to: Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Omnibus Rulemaking, MA 201 CMR 17 (Massachusetts Privacy Law) and International Organization for Standardization (ISO) 27000 requirements.
What You'll Be Doing:
  • Coordinate all CCA activities with information privacy and security implications.
  • Investigate, document and report as needed all suspected information privacy and security incidents.
  • Oversee the development, implementation and maintenance of CCA information privacy and security policies and procedures.
  • Chair and oversee CCA’s Information Privacy and Security Committee.
  • In collaboration with the Senior Auditor, develop and enhance CCA’s Annual Information Security Risk Assessment process.
  • In collaboration with the Senior Auditor, implement methodology to solicit and collect information security risks from across the organization, including the potential impact of each risk and the likelihood of it occurring.
  • Systematically and objectively rank identified risks according to potential impact and likelihood within the context of regulatory priorities and organizational goals.
  • Present ranked risks to the Compliance Officer for consideration for inclusion in the Information Privacy and Security Plan.
  • In consultation with the Information Privacy and Security Committee, develop and implement the annual Information Privacy and Security Plan.
  • Collaborate with IT and other departments as necessary to implement the annual Information Privacy and Security Plan.
  • Monitor ongoing activities related to the availability, integrity and confidentiality of member, provider, employee and CCA business information in compliance with CCA’s information privacy and security policies and procedures, and all applicable laws and regulations.
  • Be primarily responsible for periodic HIPAA Privacy Audits at CCA and CCC facilities, including but not limited to conducting audits, collecting data and preparing the final report for distribution.
  • Facilitate the exploration, development and implementation of best practices and standards for CCA’s information privacy and security efforts.
  • Serve as an information privacy and security subject matter expert and provide guidance and advice, acting as a resource for questions and concerns.
  • Serve as key advisor for issues regarding member rights as stipulated in HIPAA.
  • Maintain current knowledge of all applicable federal and state information privacy and security laws and monitor advancements in information privacy and security requirements.
  • Collaborate with other departments, such as general counsel, IT, clinical, quality, clinical analytics, operations, and claims to maintain compliance with federal and state laws regarding information privacy and security, electronic transactions and the protection of information resources.
  • Collaborate with Regulatory Affairs and Compliance Department on monitoring and auditing CCA’s compliance with information privacy and security accountabilities; respond to detected offenses with appropriate corrective action.
  • Collaborate with other members of the Regulatory Affairs and Compliance Department on training and effective communication related to information privacy and data security.
  • Initiate, facilitate and promote activities to foster information security and privacy awareness within CCA and its affiliates.
  • Establish and maintain a system that includes the routine use of risk assessments and risk management planning related to the information security features of systems, networks and related administrative activities.
  • Ensure CCA’s disaster recovery plan addresses relevant information privacy and security issues.
  • Assist with the development and preparation of corrective action plans, maintain compliance with benchmarks/deadlines and prepare written reports of audits.
  • Work with General Counsel and the Compliance Officer to ensure that CCA has the appropriate information privacy and confidentiality consents, notices and other necessary materials.
  • Participate in the development and ongoing compliance monitoring of all business associate agreements to ensure that all information privacy concerns, requirements and responsibilities are addressed.
Secondary Responsibilities
  • Serve as Regulatory Affairs and Compliance liaison with key internal departments
    • Provide guidance and assistance as requested
    • Hold meetings with department leadership at agreed upon intervals
    • Attend department staff meetings and present information as requested
    • Assist in development of regulatory tool-kits and instruction materials as needed to assist departments with regulatory projects and process implementation
    • Support business units in interpretation of regulations related to their applicable areas as well as provide assistance in developing appropriate tools to ensure compliance
    • Provide consultation with business owners in developing policies and procedures and/or building internal workflows to ensure internal controls of high risk regulatory requirements are in place and working effectively
  • Prepare and coordinate regulatory filings as required
  • Project manage communications, data collection, organization and submission of materials for external reviews and audit requests, as required
  • Assist in the oversight of the corporate Compliance Plan and identification of compliance risks
  • Assist in maintaining an effective compliance plan at CCA by promoting compliance with all compliance plan elements
  • Develop new processes and/or programs as directed.

What We're Looking For:
  • Bachelor's Degree or higher
  • 5+ years of experience
  • Certification in either or both Healthcare Information Privacy and Security preferred
  • Extensive knowledge of HIPAA, HITECH, Massachusetts Privacy Law and other Federal and State privacy and security laws and regulations
  • Strong background in information security, including program analysis, development, risk analysis and testing requirements
  • Knowledge about information technology, medical records and other medical information, privacy and confidentiality and release of information
  • Ability to identify issues, problems and critical factors, and develop methods for corrective action
  • Experience with Medicare and Medicaid required.
  • Comfort working with Microsoft Office Suite
  • High degree of professional integrity
  • Strong written, verbal, listening and communication skills – having the ability to understand and communicate appropriately to the targeted audience.
  • Creativity in problem resolution is required.
  • Strong analytical skills – having the ability to identify an issue, conduct an analysis to determine business impact (including gap analysis), troubleshoot and identify solutions.
  • Strong project management skills – having the ability to effectively manage multiple priorities simultaneously by maintaining established timeframes, adhering to work plans and communicating changes effectively.
  • Candidate must be able to prioritize work and use independent judgment.
  • Ability to initiate and develop new solutions to problems, to identify new opportunities; and have organizational perspective to see how the pieces fit and reflect that perspective in day-to-day decisions.
  • Attention to detail and organizational skills are critical.