Massachusetts Veterans Jobs

Why This Role is Important to Us:

Position Summary:

Reporting to the Chief Risk, Compliance & Ethics Officer, the Vice President, Chief Privacy & Security Officer ("CPSO") serves as the enterprise-wide subject matter expert on all data privacy and security laws, regulations, contractual requirements, and standards. The CPSO oversees and manages the strategy, planning, implementation, oversight, auditing, monitoring, and ongoing operation of CCA's privacy and security compliance assuring that it meets all requirements of applicable federal and state regulations not limited to: Health Insurance Portability and Accountability Act ("HIPAA"), Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Genetic Information Nondiscrimination Act (GINA), Omnibus Rulemaking, State law, and International Organization for Standardization (ISO) 27000 requirements, among other relevant federal, state, municipal and international laws and regulations.

Serves as the corporate-wide subject matter expert to CCA's owned and related entities including, but not limited to, CCA's insurance entities, clinical assets, provider practices, health care facilities, Accountable Care Organization(s), and corporate subsidiaries.

Provides guidance, direction, and practical translation of privacy requirements (legal, regulatory, contractual and, as applicable, those emanating from national accreditation and standard setting organizations).

Leads organization-wide responses to investigations and responses to data breaches and security incidents in collaboration with the CISO, with all impacted departments, and with CCA's legal and executive leadership team.

The CPSO Is responsible for the design, implementation, and operational efficacy of CCA's privacy and security compliance program, as well as for leading the privacy and security team within the Corporate Risk & Compliance Department. Supervises both direct and indirect reports, and may have dotted line and/or regulatory/governance oversight responsibility of other relevant areas.

Supervision Exercised:

• Yes, which includes but is not limited to providing leadership, work direction, and performance feedback to subordinate staff.

What You'll Be Doing:

Essential Duties & Responsibilities:

THE PROGRAM

• Assists in the development and ongoing review and oversight of the privacy and security components of CCA's Corporate Risk & Compliance Plan, Code of Conduct, and Compliance Program description and identification of compliance risks.

• Creates and executes CCA's annual privacy & security compliance workplan.

• Collaborates with CCA's regulatory compliance team and the CISO to respond quickly, effectively, and transparently to any inquiries, compliance reviews, or investigations by the Department of Health and Human Services' Office of Civil Rights, CMS, MassHealth, and/or other state and federal regulators.

• Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization's privacy and security policies and procedures in coordination and collaboration with IT, Compliance, Legal and operations.

• Assists in selection and ongoing training of Privacy & Security Liaisons ("Champions") for each CCA functional area and/or entity, as appropriate.

• Co-chairs the company's privacy and security committee with the company's Chief Information Security Officer (CISO)

• Supports the privacy and security related activities of the CCA Executive Leadership Compliance, Audit & Enterprise Risk ("CAER") Council and the Board of Directors' Audit, Compliance & Enterprise Risk Committee.

• Develops, reviews and administers relevant and timely privacy and security policies and procedures, and oversees that the relevant business, operational and functional areas have relevant privacy-related or -required policies and procedures.

• In collaboration with the CISO, representatives of Human Resources (HR) and other members of the Compliance team, oversees the development, delivery, and ongoing improvement of CCA's privacy and security compliance training and education programs.

• Develops, reviews and administers relevant and timely communications and awareness programs and campaigns.

• Develops, reviews and administers relevant and timely monitoring, auditing, testing, sampling, tracking, and reporting initiatives, activities and programs.

• Develops, reviews and administers relevant and timely control/process gap remediation and enhancement activities, initiatives and programs in response to privacy/security data breaches, standard privacy and security investigations, and general ongoing CCA business and operations.

• In partnership with Information Security and Legal, among other relevant areas, leads and manages the privacy/security data breach and incident response protocol(s) across the organization.

• In cooperation with the CISO and Legal, advises the Chief Risk & Compliance Officer, Human Resources, and executive leadership on appropriate disciplinary actions for failure to comply with CCA's privacy & security policies.

• Collaborates with the CISO to deliver third-party attestation report for controls related to the security, availability, or processing integrity of a system, and/or the confidentiality or privacy of the information processed by that system (SOC-2 reporting).

PRIVACY

• Works across the organization to respond to any release of protected health information ("PHI") and other personally identifiable information, and to ensure full coordination and cooperation consistent with CCA's policies and procedures and legal and regulatory requirements.

• Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information privacy technologies to ensure organizational adaptation and compliance.

• Serves as the privacy subject matter expert to the Public Affairs team in representing the company's interests related to state and federal legislation, regulations, and/or standards, and in responding to press/regulatory/provider inquiries related to CCA's privacy and security practices and to increase the public's awareness of the organization's efforts to preserve member privacy and security.

• Collaborates with the CISO, IT and other operational partners to track disclosures of and access to protected health information as required by law, regulation, and contract, and, as necessary, with CCA's Regulatory Compliance team to report any and all necessary data to regulators and/or management as appropriate or required by law, regulation and/or contract.

• Performs initial and periodic information privacy risk assessments and analyses, and conducts ongoing auditing, monitoring, and testing activities in coordination with CCA's other Compliance and Enterprise Risk functions.

• Leads in collaboration with the CISO and relevant functional business owners, the review, development, implementation and ongoing compliance monitoring of all data breach and incident response policies, and procedures, third party vendor assessments, vendor guidelines, standards, and due diligence, enterprise security and privacy policies, business associate agreements and business associate oversight, and corporate record retention policies.

• Leads in ensuring all CCA-related entities maintain appropriate privacy and confidentiality consent and authorization forms, information privacy and security notices and materials, and signage reflecting, as appropriate, CCA's privacy and security policies, procedures, and standards of practice.

• Collaborates with and advises applicable organizational units in establishing, updating and monitoring compliance with policies and procedures related to the collection and use of patient/member data, advising members and patients of their rights to access, transfer, inspect, amend, and restrict access to their data, as well as complying with patient/member requests to access, transfer, inspect, amend, and restrict access to their data.

• Leads CCA records retention and management program, partnering with all relevant corporate, business and operational functions.

• Leads privacy-related consulting and advisory work related to CCA's adoption and use of artificial intelligence ("AI"), as well as data governance and data ethics issues and initiatives.

SECURITY

• Works closely with IT Security, members of the electronic medical record implementation/informatics team, and other information technology ("IT") personnel to ensure that the organization's privacy and security protections keep pace with technological advances and developing risks.

• Coordinates with management, physical plant, IT security, and others to assure physical safeguards to protect data integrity, confidentiality, and availability.

• Reviews all system-related information security plans throughout the organization's network to ensure alignment between security and privacy practices, and acts as a liaison to the Chief Information Security Officer and the information systems department.

• Collaborates with CISO and Regulatory Compliance to assure complete and effective handling, management, assessment, communications, notifications, remediation, tracking, documentation, and reporting of all breaches and security incidents, as required by applicable federal and state laws, regulations, and/or applicable contracts.

• Collaborates with the CISO and IT to develop, implement, administer, and, on an ongoing basis, audit system-wide requests for access/disclosure verification procedures that reasonably verify the identity of the individual or entity requesting access or disclosures, and /or legal authority to request the personal health information and/or other personally identifiable information.

• Collaborates with ERM, the CISO and Legal to acquire and maintain appropriate cyber insurance.

• Independently oversee and advise on information and cybersecurity compliance programs, initiatives, and activities.

BUSINESS CONTINUITY & DISASTER RECOVERY

• While business continuity and disaster recovery are owned by the relevant operational functions, collaborates with relevant operations, Regulatory Compliance, ERM, Legal, HR, CCA's Facilities team, the CISO, and IT, among others, on the privacy and security components of CCA's business resilience/continuity and disaster recovery plans. Regularly reviews and updates the privacy and security components of the business continuity and disaster recovery plans to assure consistency with applicable laws, regulations, standards, and relevant contract terms.

• While business continuity and disaster recovery are owned by the relevant functional areas, collaborates and coordinates with relevant senior management, operational areas, CCA's Facilities team, the CISO, IT managers, Regulatory Compliance, ERM, and business support services to support the development, updating and continuous improvement of CCA's business resilience and continuity policies, procedures, and protocols

Working Conditions:

• Standard office conditions.

What We're Looking For:

Required Education (must have):

• Bachelor's degree in a relevant discipline or field of study

• Juris Doctor and/or Master's degree in healthcare administration or relevant discipline

• Relevant Privacy & Security Certification(s), such as Certified Information Privacy Professional (CIPP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and/or Certified Risk & Information Systems Control (CRISC), among other relevant ones

Desired Education (nice to have):

• Six Sigma Certification

• Project Management Certification

• Certification in Healthcare Compliance (CHC)

Required Experience (must have):

• 15+ years of national, multi-state, and/or global privacy and security legal and compliance experience, including substantive healthcare and health insurance experience, knowledge and exposure, preferably with government products and managed care (e.g., Medicare, Medicaid, MMP, Duals, SNP, etc.)

• 10+ years of increasing management, leadership and supervisory experience

• Extensive experience conducting privacy/security data breach and incident response investigations, and overseeing the coordination, drafting, and submission of responses to regulatory agencies such as the HHS OCR and other federal and state regulators

• Extensive and demonstrated experience in effectively and successfully building, re- building, and/or significantly enhancing Privacy and Cybersecurity Programs, including but not limited to strategizing, designing, implementing, operationalizing, and continuous improvement across programs, activities, initiatives, and team-building. Extensive and sustained in-house Privacy leadership experience.

• Extensive and demonstrated experience in effectively and successfully managing and interacting with all relevant internal and external stakeholders, including regulators, senior executives, the Board, the Audit Committee, and advocacy groups, among others.

• Demonstrated experience successfully managing multiple priorities simultaneously by maintaining established timeframes, adhering to work plans, and communicating changes effectively.

• Significant experience with developing policies and procedures; training, communications and awareness; monitoring, auditing, testing, sampling, tracking and reporting; and control and process remediation, as well as oversight of the implementation of procedures designed to ensure compliance with all pertinent laws, regulations, contracts and standards.

Required Knowledge, Skills & Abilities (must have):

• Excellent project management, organizational and independent decision-making capabilities

• Extensive knowledge required regarding compliance with privacy and security regulations, OCR, Federal Sentencing Guidelines, and healthcare laws and regulations (Federal, state, municipal and, as relevant, international)

• Able to utilize a variety of computerized software applications such as databases, spreadsheets, word processing, etc.

• Able to communicate clearly, make oral presentations to senior management, and prepare concise detailed written reports

• Demonstrated organization, facilitation, communication, and presentation skills.

• Able to initiate and develop innovative solutions to problems; to identify new opportunities; and have organizational perspective to see how the pieces fit and reflect that perspective in day-to-day decisions.

• Able to be self-motivated and take initiative in a positive and productive manner.

• Strong analytical skills with the ability to identify an issue, conduct an analysis to determine business impact (including gap analysis), troubleshoot, and identify solutions.

• Strong project management skills and strong verbal and written communication skills.

• Must be able to prioritize work and use independent judgment.

• Strong intellectual curiosity and natural inquisitiveness.

• Strong working relationship, partnership, consensus- and coalition-building skills, across the organization and with all levels.

• Strong self-initiative, ownership and accountability in all activities, responsibilities and undertakings.

• Dynamic and strategic thought and people leader with high intellectual and emotional intelligence and extremely strong self-awareness.

• Highly mature, positive, optimistic, open, transparent, communicative and collaborative professional.

• Extremely strong moral compass. Highly honest, integrity-based and committed to doing the right thing.

• Strong cross-organizational leadership, communication and management skills. Maze-bright in navigating and leading across the organizational byways and thoroughfares.

• Highly skilled at managing, communicating and influencing, including with those who do not report to the role either directly or indirectly.

• Highly proactive, preemptive and deliberate in both thoughts and actions. Brings people to the table, leans in, and leads with a purpose.

• Highly independent and self-sufficient strategic leader.

• Strong executive leader presence and polish in all situations and in dealing with all internal and external stakeholders, including regulators, the Audit Committee, the Board, and senior executives.

• Dynamic, engaging and strategic leader who knows how to build and foster high-performing cultures and teams, and who continuously drives and provides clarity of vision in both strategy and tactical execution.

• Independently and self-sufficiently achieves strategic goals and objectives with minimal direction, supervision, issues and entanglements.

• Strong ability to successfully and effectively compile and develop extremely high-quality and professionalized reports, updates and documentation for all stakeholders, including regulators, senior executives, the Board, and the Audit Committee. Owns and independently develops extremely high-quality work product.

• Extremely strong judgment and discretion. Highly rational, logical, deliberative, thoughtful and mindful in all interactions and situations.

Required Language (must have):

• English

Desired Knowledge, Skills, Abilities & Language (nice to have):

• Multilingual

EEO is The Law

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled

Please note employment with CCA is contingent upon acceptable professional references, a background check (including Mass CORI, employment, education, criminal check, and driving record, (if applicable)), an OIG Report and verification of a valid MA/RN license (if applicable). Commonwealth Care Alliance is an equal opportunity employer. Applicants are considered for positions without regard to veteran status, uniformed service member status, race, color, religion, sex, national origin, age, physical or mental disability, genetic information or any other category protected by applicable federal, state or local laws.