
Enterprise Privacy, Principal

VNS Health
paid time off, tuition reimbursement
United States, New York, New York
220 East 42nd Street
Jul 12, 2025
Overview

Leads VNS Health's enterprise-wide Privacy Program through the development, implementation, and enforcement of VNS Health's privacy and confidentiality policies, ensuring compliance with HIPAA, 42 CFR Part 2, and other applicable federal and state regulations. Maintains VNS's culture of privacy awareness and accountability across the organization and is responsible for managing privacy incidents and breach reporting.
Directs HIPAA and Part 2 privacy initiatives, particularly the organization's response to and implementation of action plans for new and updated regulatory requirements. Develops and delivers communications, trainings and education, and related projects based on regulatory updates and identified regulatory gaps. Works under general supervision.

What We Provide

  • Referral bonus opportunities
  • Generous paid time off (PTO), starting at 30 days of paid time off and 9 company holidays
  • Health insurance plan for you and your loved ones: Medical, Dental, Vision, Life, Disability
  • Employer-matched retirement saving funds
  • Personal and financial wellness programs
  • Pre-tax flexible spending accounts (FSAs) for healthcare and dependent care
  • Generous tuition reimbursement for qualifying degrees
  • Opportunities for professional growth and career advancement
  • Internal mobility, generous tuition reimbursement, CEU credits, and advancement opportunities

What You Will Do

  • Drafts, implements, and maintains HIPAA and privacy policies, including those governing the use and disclosure of PHI, minimum necessary standards, and patient rights. Maintains a regulatory reference library that is searchable and user-friendly.
  • Monitors federal and state regulations pertaining to privacy, security, data governance, generative AI, and other related regulations; updates policies and procedures accordingly. Acts as the interface among the Legal and Compliance teams, IT Security, and the business areas regarding the impact of regulatory changes and clarification of regulatory guidance.
  • Serves as the subject matter expert on 42 CFR Part 2, ensuring compliant handling of substance use disorder (SUD) treatment records.
  • Provides privacy training and guidance to workforce members, including on oral and written communications, fax transmissions, and electronic disclosures.
  • Oversees administrative, technical, and physical safeguards to protect PHI, in alignment with VNS Health's policies & procedures. Monitors compliance and efficacy of these safeguards.
  • Collaborates closely with the VNS Health IT Security team to ensure alignment between privacy and cybersecurity protocols, including incident response, risk assessments, and technical safeguards.
  • Investigates all privacy incidents and potential breaches of PHI, including root cause analysis, documentation, and mitigation planning. Acts as internal and external lead for privacy-related projects; regularly interacts and communicates with staff, patients, members, and other partners.
  • Leads breach notification processes, including timely reporting to federal, state, and local government authorities as required by law. Manages the submission of all additional, applicable privacy regulatory filings.
  • Maintains breach logs and ensures that all required documentation is complete and audit-ready.
  • Manages the process for the issuance, development, remediation, and validation of internal and external corrective action plans (CAPs) for the privacy program. Coordinates updates to and reporting of CAPs with the Compliance department.
  • Prepares privacy program reports to management, Board of Directors, and Compliance & Information Security Risk Management Committee; delivers regular updates to leadership regarding efficacy of program and related resource needs.
  • Participates in special projects and performs other duties as assigned.

Qualifications

Licenses and Certifications:

  • Certification in healthcare privacy and compliance (e.g., CHPC, CHC, CIPP/US) or related data governance, information management offerings preferred

Education:

  • Bachelor's Degree in health information management, public health, or related field required
  • Master's Degree in law, health information management, public health preferred

Work Experience:

  • Minimum of six years of healthcare privacy compliance, with demonstrated expertise in HIPAA and 42 CFR Part 2, required
  • Strong understanding of health information management practices and electronic health record systems required
  • Proven experience in breach investigation and regulatory reporting required
  • Excellent organization, time management and project management skills required
  • Fluent in Word, Excel, and PowerPoint required

Pay Range

USD $98,200.00 - USD $130,800.00 /Yr.
About Us

VNS Health is one of the nation's largest nonprofit home and community-based health care organizations. Innovating in health care for more than 130 years, our commitment to health and well-being is what drives us - we help people live, age and heal where they feel most comfortable, in their own homes, connected to their family and community. On any given day, more than 10,000 VNS Health team members deliver compassionate care, unparalleled expertise and 24/7 solutions and resources to the more than 43,000 "neighbors" who look to us for care. Powered and informed by data analytics that are unmatched in the home and community-health industry, VNS Health offers a full range of health care services, solutions and health plans designed to simplify the health care experience and meet the diverse and complex needs of the communities and people we serve in New York and beyond.