Director Privacy & Compliance Operations
Luminis Health
Title: Director – Privacy and Compliance Operations
Reports to: Chief Compliance Officer
FLSA Status: Exempt
Position Objective:
The Director of Privacy and Compliance Operations is responsible for the organization's Privacy Program and related compliance operations functions including, but not limited to, daily operations of the program; development, implementation and maintenance of policies and procedures; education; monitoring program compliance; investigation and tracking of incidents and breaches; and ensuring patients' rights in compliance with federal and state laws across Luminis Health. The Director reports directly to the Chief Compliance Officer (CCO).
Essential Job Duties:
1. Governance and structure: Works with the CCO to establish governance for the privacy program. Serves as the Privacy Officer for Luminis Health and co-chairs the Compliance and Privacy Committee with the Director of Corporate Compliance. Performs or oversees initial and periodic privacy risk assessment/analysis, mitigation and remediation. Conducts ongoing compliance monitoring activities in coordination with other compliance and operational assessment functions across Luminis Health. Maintains current knowledge of applicable federal and state privacy rules, laws and accreditation standards to ensure confidentiality of protected health information (PHI). Conducts periodic audits of the System's privacy program and its compliance with applicable federal and state privacy rules, laws, and accreditation standards.
2. Collaboration: Collaborates with the Chief Information Security Officer, or designee, to ensure alignment between the privacy and security compliance programs, including policies, practices and investigations, and acts as a liaison to the information systems department and the Cybersecurity team. Co-leads incident response teams for data breaches and security events involving PHI or sensitive personal information. Ensures privacy considerations are integrated into IT security governance, vendor assessments, and digital health initiatives. Works with the Director of Corporate Compliance and Human Resources to ensure consistent application of sanctions for privacy violations. Works with leadership across all departments of Luminis Health, including legal counsel, to follow up on investigations, provide education, and ensure compliance with privacy policies and procedures.
3. Investigations and complaints: Establishes and administers a process for intake, investigation, action, and reporting of privacy and security complaints. Conducts high-level or sensitive investigations and interviews as needed. Manages all required breach determination and notification processes under HIPAA and applicable state breach rules and requirements. Completes timely reporting of breaches to, and cooperates with, the U.S. Department of Health and Human Services' Office for Civil Rights, state regulators and/or other legal entities in any compliance reviews or investigations.
4. Data breach and security event responsibilities: Serves as the incident command leader for any large-scale event involving exposure of PHI; coordinates with contracted resources including the Breach Coach; establishes Incident Response Team structure and communication; concludes the investigation; completes notification and reporting; and ensures capture of all event documentation.
5. Security Access Audits: Establishes an ongoing process to track, investigate and report inappropriate access to systems that contain PHI. Monitors patterns of inappropriate access to and/or disclosure of protected health information. Takes ownership of the software and vendor relationship for security access monitoring tools.
6. Policies and Forms related to Privacy: Ensures the organization has and maintains appropriate privacy and confidentiality references for patients, consents, authorization forms and information notices and materials reflecting current federal and state laws and regulatory requirements.
7. Education: Develops, delivers, and maintains initial and ongoing privacy training for the workforce. Owns, updates, and tailors education materials, including the Privacy Office intranet site, storyboards, and presentations, to meet revised requirements and educational needs. Serves as subject matter expert and strategic advisor to leadership.
8. Metrics: Establishes and maintains best practice tracking of metrics for all aspects of privacy office activity and reports metrics to committees and leadership as appropriate across Luminis Health.
9. Performs special projects and other duties as assigned.
Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Educational/Experience Requirements:
The minimum level of education for this position includes:
- Bachelor's Degree, Required
Required Minimum Experience:
- Four years' experience in a Health Compliance or Privacy role, or equivalent experience, required.
- Four years' experience with privacy regulations required.
Required License/Certifications:
- Certified HIPAA Professional (CHP or CHPS), or Certification in Healthcare Privacy Compliance (CHPC), to be obtained within 12 months.
Knowledge, Skills, Abilities:
- Ability to interpret and apply privacy and security requirements, including the Office for Civil Rights (OCR) Privacy and Security Rules, State of Maryland regulations (COMAR), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Cures Act, Substance Abuse and Mental Health Services Administration (SAMHSA) rules, and laws governing privacy of mental health records.
- Working knowledge of electronic health records and strong command of the Microsoft Office suite. Experience with Epic, Protenus, and/or NavexGlobal desired.
- Strong communication skills, including the ability to communicate with employees, patients, visitors, and the general public at a level each group can digest.
TCB Framework:
Luminis Health is committed to providing high-quality care across the region to realize our vision of: Living Healthier Together. We expect all leaders to serve as an example and to abide by the Team, Change, Business (TCB) Leadership Framework, which includes the following competencies:
Team:
- Experienced leading high performing diverse teams and achieving quality results.
- Prioritizes coaching and mentoring techniques to support, grow and sustain employees leading to a positive impact on employee retention.
- Provides leadership duties as needed to support a 24/7 healthcare operation.
- Demonstrates and encourages collaboration and teamwork to achieve goals.
- Communicates clearly and effectively with people inside and outside the organization.
- Role models self-well-being and supports organizational efforts to encourage employee well-being.
- Seeks opportunities to be present and visible in the organization.
Change:
- Embraces the need for change and the connection to being innovative and competitive in the healthcare market.
- Leads with a collaborative approach that encourages trust, scholarship and a culture of inquiry amongst peers, directs and executive leadership.
- Champions change throughout the system and anticipates the need for innovation while developing and supporting strategies to obtain the desired outcomes.
- Has professional knowledge of the healthcare environment and advises on appropriate strategies.
- Demonstrates transformational and creative approaches to work.
- Establishes high expectations for continuous learning, performance improvement and sustainable growth.
Business:
- Advances Luminis Health's business interests while ensuring compliance, developing policies, procedures and practices, and abiding by laws and regulations.
- Demonstrates strong business acumen and utilizes strategic insight to optimize organizational goals.
- Leads with a deliberate focus on achieving financial and annual operating goals.
- Creates and sustains accountability across the team to meet organizational priorities.
- Successfully manages all information systems within span of control and partners with internal and external stakeholders to achieve goals.
- Operates with a high and appropriate level of urgency while making decisions based on organizational priorities, goals and objectives.
- Uses data and analytics to drive decision making.
Working Conditions, Equipment, Physical Demands:
Light work. Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly to move objects. If the use of arm and/or leg controls requires exertion of forces greater than that for sedentary work and the worker sits most of the time, the job is rated for light work.
There is a reasonable expectation that employees in this position will not be exposed to blood-borne pathogens.
The above is intended to describe the general content of and requirements for the performance of this job. It is not to be construed as an exhaustive statement of duties, responsibilities or requirements.