Job Summary
Compliance (approximately 85% of time)
The Manager of Compliance develops compliance programs, including performance metrics, policies, reporting, evaluation and practices, for the business and the department. They ensure that all activities follow the regulatory requirements governing the business as well as industry-specific laws. The role actively reviews internal controls and auditing systems and monitors and reports on regulated activities and processes. It is responsible for implementing risk-based compliance testing of existing procedures and controls to identify, detect and correct non-compliance. Additionally, the Manager evaluates and implements changes to compliance procedures arising from new or amended regulations, delivers communications and training initiatives that inform stakeholders about compliance requirements, and actively manages a team that works to fulfill client and government requirements.
Privacy (approximately 15% of time)
The privacy manager is responsible for performing ongoing activities related to the development, implementation, maintenance of, and adherence to policies and procedures covering the privacy of, and access to, customer health information in compliance with federal and state laws and the healthcare organization’s information privacy practices. Serves as the corporate resource for implementation of the privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) and state laws. Accountable for overseeing the development and implementation of corporate-wide privacy principles, policies, and practices. Provides direction in the implementation of administrative, technical, and physical procedures to protect the privacy of protected health information (PHI). Guides assessment of the current state of privacy practices, conducts risk/gap analysis, and develops new policies, procedures and training materials. Monitors the implementation of HIPAA-compliant privacy practices for Wellcove. Advocates for and protects customer privacy by serving as a key privacy advisor for customers, handling disputes and managing customer requests regarding their medical records. Works with corporate departments and corporate leadership to ensure that public communications about privacy safeguards are appropriate and that the public understands them.
Supervisory Responsibilities:
- Hires, trains and manages the performance and development of individual team members to ensure targets are met.
- Oversees the daily workflow and schedules of the department.
- Conducts performance evaluations that are timely and constructive.
- Handles discipline and termination of associates in accordance with company policy.
The Manager will carry out supervisory responsibilities in accordance with the organizational policies/procedures and applicable laws. Responsibilities include interviewing, hiring, and training associates; planning, assigning, and directing work; appraising performance; rewarding and disciplining associates; addressing complaints and resolving problems/issues.
Duties/Responsibilities:
Compliance
- Communicates daily, weekly, and monthly inventories and Service Level Agreement (SLA) metrics.
- Develops and oversees compliance programs and efforts to ensure that the organization adheres to the applicable laws and regulations. Programs must also meet client contractual requirements and maintain TPA licensing in all states and US territories.
- Establishes an internal compliance review process and readies the organization for external compliance audits and tests.
- Provides leadership with guidance and training to minimize the risk of non-compliant behavior and increase the awareness of industry standards and best practices.
- Works with all departments to develop a strategy to continuously improve compliance throughout the organization.
- Encourages all people managers to create a safe work environment in which associates can report non-compliant or unethical behavior.
- Collaborates with Human Resources and Legal teams to smoothly enforce compliance obligations and define appropriate disciplinary actions.
- Keeps fully informed on changes to applicable laws and regulations and periodically revises programs and efforts to continue a high level of organizational compliance.
- Reports and presents the current progress and any new developments regarding compliance efforts to leadership and board members.
- Represents the organization during audits and provides necessary documents and information as required.
- Responsible for the vendor management program.
- Partners with Information Security to deliver on enterprise programs and activities such as internal audit, the risk management program, cyber awareness training, etc.
- Other duties as assigned.
Education and Formal Training
- Bachelor’s degree from an accredited university or college; Master’s degree preferred.
- A combination of the following backgrounds: medical records/health information management; information systems/technology; compliance, legal or performance improvement.
- Demonstrated advanced knowledge and understanding of the Health Insurance Portability and Accountability Act (HIPAA), including Breach Notification Requirements, as well as applicable federal regulations and laws affecting the management of confidential protected health information (PHI). Extensive knowledge of federal (42 CFR Part 2, HIPAA, HITECH) and state privacy, security, and compliance issues related to the use and disclosure of protected health information.
Work Experience
Six (6) years of experience in healthcare data privacy incident investigation and response, preferably in conducting healthcare investigations, health information management, monitoring standards, regulatory compliance, or related experience in the healthcare industry/managed care. Experience leading the day-to-day operations of a program and/or team.
Preferred:
- Experience with Third Party Administrators.
- Experience with global teams.
- Ability to obtain and maintain professional certification(s) such as Certified in Healthcare Privacy Compliance (CHPC), Certified Information Privacy Professional (CIPP), Certified in Healthcare Compliance (CHC), Registered Health Information Administrator (RHIA), or a similar certification.
Physical Requirements:
- Sit, read, write, speak, and use a computer keyboard.
- Able to travel to corporate meetings.
- Flexibility with work schedule to meet business needs.
Complaints System
- Establishes and administers, as appropriate, a corporate process for receiving, documenting, tracking, investigating, identifying the root cause of, and taking action on all complaints, including but not limited to remediation and correspondence to the policyholder and required stakeholders: a) complaints concerning the organization’s privacy policies and procedures (medical records management and disclosures), and b) complaints from policyholders and third parties on behalf of policyholders for other, non-privacy-related reasons.
- Develops and implements procedures for access requests that reasonably verify the identity of the individual or entity requesting access or disclosure, and/or their legal authority to request the protected health information.
- Implements and oversees the development and application of corrective action procedures designed to mitigate any deleterious effects of the use or disclosure of PHI by members of the entity’s workforce or business partners.
- Establishes policies/procedures that ensure record custodians correctly protect and archive customer information.
- Works cooperatively with corporate leadership in establishing a system to meet customer rights to inspect, amend, and restrict access to protected health information.
Training
- Responsible for the development and delivery of privacy training and awareness.
- Develops and implements a system-wide privacy training program and, in conjunction with the Security Official or other individuals charged with security oversight, a cyber security awareness and training program that includes the following components:
  - Initial training of all associates on the privacy and cyber security program.
  - Privacy training for all members of the workforce, including all associates, volunteers, trainees, and other persons under the direct control of the entity on an unpaid basis, who are not business partners but are likely to have contact with PHI.
  - Retraining of directly affected associates upon changes in corporate privacy policy or procedure.
  - Mandated privacy retraining for all associates on a periodic basis, at a minimum annually.
Privacy Sanctions
- Works with senior management to develop and apply appropriate sanctions against associates who fail to comply with the organization’s privacy/security policies and procedures.
- In cooperation with Human Resources, the Information Security Official, administration, and legal counsel, as applicable, ensures consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce and extended workforce, and for all business associates.
- Coordinates with HR to ensure no intimidating, discriminatory, or other retaliatory actions occur against a person who files, testifies, assists, or participates in any investigation, compliance review, proceeding, or hearing related to a privacy violation, or opposes any unlawful act or practice.
Certificates and Audits
Client audits
- Establishes an audit program to ensure enterprise-wide compliance with client contractual requirements.
- Provides support and aids coordination with internal and external client teams to understand the scope and timing of each audit.
- Communicates effectively and in a timely manner with teams to ensure completion of audits and agreement on next steps for potential findings and remediation.
Internal audits
- Establishes an internal privacy audit program to ensure enterprise-wide compliance with corporate privacy policies.
- Works with departmental managers to ensure that adequate auditing and monitoring of system access and activity, and processes to identify potential security violations, are in place.
- Directs or conducts independent reviews and evaluations of any and all operations and activities to appraise:
  - Compliance with current regulations of federal, state, and other regulatory bodies.
  - Possible errors and omissions that may violate current or future compliance requirements.
  - Compliance with internal policies, plans or standards which could impact compliance with external regulatory bodies.
- Establishes a corporate-wide privacy program certification/recertification process.
- Cooperates with the Office for Civil Rights, other legal entities, and organization officials in any compliance reviews or investigations.
- Participates in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements (BAAs), to ensure all privacy concerns, requirements, and responsibilities are addressed.
- Aids legal, operational managers and associates during enforcement activities, surveys, and external investigations. Assists in the preparation of documentation required by external agencies, corrective action plans, and future monitoring or auditing to assure compliance.
- Maintains communications with external regulatory or review organizations and accrediting agencies to ensure proper interpretation of regulations and their impact on operations. Coordinates work with others within the organization who have responsibility for process improvement, accreditation surveys or other regulatory activities.
- Responds quickly to incidents and violations to reduce risk to the organization.
Public-Client Relations
- Provides information in response to internal and external inquiries regarding the entity’s corporate privacy policies and procedures or notice of information practices.
- Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
Privacy
- Coordinates corporate privacy activities, which includes overseeing the establishment, implementation, and adherence to corporate policies on customer privacy, confidentiality and release of customer information.
- Coordinates HIPAA project activities as required, including project management, HIPAA consultant liaison, process change management, and policies and procedures assessment and development.
- Provides leadership in the planning, design, and evaluation of the organization’s privacy and security related projects
- Serves as a liaison to regulatory and accrediting bodies for matters relating to privacy and security
- Responsible for documenting and communicating the progress of corporate HIPAA privacy implementation.
- Works with legal, management, departments, and committees to ensure the organization maintains appropriate privacy and confidentiality consent and authorization forms and information notices.
- Works with the Legal Department to review new or revised healthcare laws and regulations (federal and state) pertaining to customer privacy and determine whether modifications or revisions of policies and procedures are needed.
- Leads special investigations or special projects. Reviews results and recommends actions in coordination with other interested internal and external parties
- Works closely with the Security Official, members of the electronic medical record implementation team, and other information technology personnel to ensure that the organization’s privacy protections keep pace with technological advances
- Coordinates with management, the Information Security Official, facility security managers and others to ensure physical safeguards that protect data integrity, confidentiality, and availability.
- Coordinates with senior management, operational managers, the IS Security Official, IT managers, and business support services to provide a business continuity plan and disaster recovery service, reviewed at a minimum annually, meeting any state and client requirements and deadlines.
- Reviews all system-related information security plans throughout the organization’s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department
- Provides concise summaries to senior management of complex and detailed regulatory publications and prepares operational impact statements
Privacy Expertise & Resources
- Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information privacy technologies to ensure organizational adaptation and compliance.
- Participates in outside healthcare organizations to keep updated on privacy developments and “best practices” for customer privacy.
- Maintains corporate library on Privacy regulations and requirements
- Maintains documentation of corporate privacy program
- Researches regulatory issues and is able to use a variety of research resources to ensure that the most recent regulatory issuances and interpretations are available.
- Communicates changes in regulatory issues to senior management and to the appropriate operational managers.
- Provides access to detailed regulations and assures that operational managers understand the regulations
- Develops, implements, and administers a system-wide access/disclosure request verification procedure that reasonably verifies the identity of the individual or entity requesting access or disclosure, and/or their legal authority to request the protected health information.
- Responsible for the appropriate use of notices, postings, signs and information available to the public and to customers concerning corporate policies and procedures to protect individually identifiable health information, and notices of restrictions that may be placed on the release of information.
Required Skills and Abilities
- Demonstrated organization, facilitation, clear communication (e.g. preparing concise, detailed written reports) and presentation skills to interface with senior management, clients, peers, and subordinates.
- Excellent interpersonal skills and a customer service focus.
- Strong logical, analytical, critical thinking and problem-solving skills, with attention to detail and the ability to work through complex situations and interpret a variety of instructions furnished in written, oral, diagrammatic or schedule form.
- Excellent computer skills and proficiency in Microsoft Office applications
- Ability to work under pressure and plan personal and team workload effectively.
- Experience developing, measuring and reporting the performance of programs, including project management skills.
- Experience with internal and external audits, consumer complaints, state licensing and reporting.
- Experience and knowledge of compliance training and awareness, and sanctions.
- Ability to analyze audit trails and other reports to validate that team members’ access to PHI is appropriate.
- Knowledge and experience in information privacy laws, access, release of information, and release control technologies.
- Experience with privacy incidents.
- Experience managing a team, preferably international teams, including making plans and monitoring and measuring the effectiveness of the activities of direct reports.
- Exhibits emotional intelligence and a professional demeanor, working with integrity, inspiring confidence and creating trust.
- Able to learn and instruct on new department software technologies.
- Self-motivation and initiative.