Massachusetts Green Jobs


Job Information

Commonwealth Care Alliance Director, Privacy (Remote) in Boston, Massachusetts

Why This Role is Important to Us:

The Director, Privacy will play a key role in building, operationalizing and sustaining an effective and robust Privacy Program. Reporting to the Chief Privacy Officer, the role will ensure that the organization complies with relevant and applicable privacy laws, regulations, contractual requirements, and standards. The role will be responsible for developing and maintaining privacy-related policies and procedures, training, communications and awareness, monitoring and tracking, investigation, remediation, and corrective action planning documents, processes and protocols for the organization and all of its subsidiaries, affiliates and entities. The role will also ensure that all potential and reported privacy violations are fully investigated, including but not limited to the organizational security breach incident response protocol, partnering closely with Information Security, Legal and others. The role will additionally compile and develop relevant, timely and high-quality privacy reporting (including all relevant metrics) for both internal and external stakeholders, including but not limited to senior leadership, the Board and Audit Committee, and regulatory entities, among others. As part of the broader CCA Risk & Compliance Department and set of integrated GRC programs, the role will also foster and facilitate an organizational culture of openness, trust and transparency in ensuring integrity-based dealings with all internal and external stakeholders.

What You'll Be Doing:
  • Develops and maintains all Privacy policies and procedures, ensuring timely, relevant and high-quality work product

  • Develops and maintains Privacy training, communications, education and awareness campaigns, plans and materials, ensuring timely, relevant, engaging and high-quality work product

  • Develops and maintains Privacy monitoring, tracking, reporting, metrics, dashboarding, and auditing programs and protocols, ensuring timely, relevant and high-quality work product, reviews and reports

  • Develops and maintains Privacy investigation and security/privacy data breach incident response protocols, reports and deliverables, partnering with all relevant cross-organizational areas, including those related to vendors, service providers, third-parties and downstream entities (i.e., both internal and external incidents)

  • Develops and maintains Privacy and Security-related control remediation and corrective action planning (CAP) protocols and reports, including relevant CAP issuance, guidance and closure

  • Develops and maintains all Privacy-related vendor, service provider, third-party, downstream entity, and similar oversight controls and protocols, including but not limited to Business Associate Agreements and other contractual reviews, mechanisms and activities

  • Develops and maintains highly effective and high-quality protocols for all internal and external Privacy reporting, including relevant and timely metrics, for senior leadership, the Board and Audit Committee, and regulatory entities, among others

  • Develops and maintains highly effective and high-quality protocols for timely and promptly evaluating new Privacy laws, regulations, contractual requirements and standards, and for effectively and proactively guiding and advising all relevant business, operational and clinical areas to adequately operationalize such new requirements, activities and change management protocols

  • Coordinates privacy activities overseeing the establishment, implementation, and adherence to corporate policies on individual privacy, confidentiality, and release of confidential information

  • Chair/Co-Chair of the Privacy & Security Compliance Committee

  • Develops and manages HIPAA project teams, including Privacy Liaisons; serves as a privacy resource for CCA departments and entities

  • Provides leadership in the planning, design, and evaluation of CCA privacy-related projects

  • Serves as a liaison to regulatory and accrediting bodies for matters relating to privacy

  • Responsible for documenting and communicating the progress of the implementation of the HIPAA privacy and security compliance program at CCA including affiliates and related entities

  • Works with legal counsel, management, operational departments, and committees to ensure CCA has and maintains appropriate confidentiality consent, authorization forms and information notices

  • Works with the Legal Department to review new or revised healthcare laws and regulations (federal and state) pertaining to individual privacy, and determine whether modifications or revisions of policies and procedures are needed

  • Provides direction and guidance in special investigations or special projects. Reviews results and recommends actions in coordination with key internal/external stakeholders

  • Works closely with IT Security, members of the electronic medical record implementation/informatics team, and other information technology personnel to ensure that the organization’s privacy and security protections keep pace with technological advances

  • Coordinates with management, IT security, and others to assure physical safeguards to guard data integrity, confidentiality, and availability

  • Coordinates with senior management, operational managers, the Chief Information Security Officer, IT managers, and business support services to provide for a business continuity plan and disaster recovery service. Ensure CCA’s disaster recovery plan addresses relevant information privacy and security issues.

  • Reviews all system-related information privacy and security plans throughout CCA’s network to ensure alignment between security and privacy practices

  • Provides concise and timely summaries to senior management of complex and detailed regulatory publications and prepares operational impact statements

  • Assists in the development of the Compliance and Privacy Workplans through effective identification of privacy-related compliance risks

  • Facilitates prompt, relevant, timely and high-quality responses to regulatory inquiries, audits and requests for information, either liaising directly with regulators, as warranted and appropriate, or partnering with other CCA areas (e.g., CCA Compliance, CCA Legal, CCA Regulatory Audit Management, etc.)


  • Maintains current knowledge of applicable federal and state privacy and security laws, regulations, contractual requirements and standards, and monitors advancements in information privacy and security technologies to ensure organizational adaptation and compliance

  • Participates in outside healthcare organizations to keep updated on privacy developments and “best practices”

  • Maintains regulatory library (“register”) for Privacy & Security laws, regulations and requirements pertaining to the organization

  • Maintains documentation of Privacy Program

  • Communicates changes in regulatory issues to senior management and to the appropriate operational managers


  • Establishes and administers, as appropriate, a corporate process for receiving, documenting, tracking, investigating, and acting on all complaints concerning CCA’s privacy compliance policies and procedures

  • Responds effectively to incidents and violations to reduce the risks to the organization

  • Accurately and effectively reports privacy compliance risks and trends to internal stakeholders and through compliance committee governance


  • Oversees the development, delivery, and ongoing improvement of privacy and security compliance training and awareness to include CCA staff and other entities, as required

  • Develops and implements a system-wide privacy training program and, in conjunction with the security official or other individuals charged with security oversight, a cyber security awareness and training program that includes the following components:

      • Initial training of all employees related to the privacy program

      • Privacy training to all members of the workforce, including all employees, volunteers, trainees, and other persons under the direct control of the entity on an unpaid basis, who are not business partners but are likely to have contact with PHI and/or PII

      • Upon changes in corporate privacy policy or procedure, retraining of directly affected employees

      • Mandated privacy retraining for all employees at on-boarding and annually thereafter


  • Works with senior management to develop and consistently apply appropriate discipline for employees who fail to comply with the organization’s privacy and security policies and procedures

  • In cooperation with Human Resources, the Privacy & Security Officials, administration, and legal counsel, as applicable, ensures consistent application of disciplinary action for failure to comply with privacy and security policies for all individuals in the organization’s workforce, extended workforce, and for all business associates

  • Coordinates with HR to ensure no intimidating, discriminatory, or other retaliatory actions occur against a person who files, testifies, assists, or participates in any investigation, compliance review, proceeding, or hearing related to a privacy violation, or opposes any unlawful act or practice


  • Establishes an internal privacy and security compliance audit program to ensure enterprise-wide compliance with CCA privacy and security policies

  • Works with departmental managers to assure that there is adequate auditing and monitoring of systems’ access and activity, and that processes are in place to identify potential privacy and security violations

  • Directs or conducts independent Privacy reviews and evaluations of all operations and activities to appraise:

      • Compliance with current regulations of federal, state, and other regulatory bodies

      • Possible errors and omissions that may violate current or future compliance

      • Compliance with internal policies, plans or standards which could impact compliance with external regulatory bodies

  • Cooperates with the Office of Civil Rights (OCR), other regulatory entities, and organization officials in any compliance reviews or investigations.

  • Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed

  • Aids Legal, operational managers and staff during enforcement activities, surveys, and external investigations. Assists in the preparations of required documentation required by external agencies, corrective action plans, and future monitoring or auditing to assure compliance

  • Maintains communications with external regulatory or review organizations and accrediting agencies to assure proper interpretations of regulations and impacts on operations. Coordinates work with others within the organization that have responsibility for process improvement, accreditation surveys or other regulatory activities

  • Assists with the development and preparation of corrective action plans, maintains compliance with benchmarks/deadlines and prepares written reports of audits

  • Prepares and coordinates regulatory filings, as required

What We're Looking For:

Education Required:

  • Bachelor's Degree or equivalent experience

Education Desired:

  • Relevant graduate degree (e.g., Juris Doctor, MBA, Masters, etc.) in a relevant field

  • Privacy & Security certifications such as Certified in Healthcare Privacy Compliance (CHPC), Certified in Healthcare Privacy and Security (CHPS), Certified Information Privacy Professional (CIPP) and/or other Privacy related credentials

Experience Required:

  • 8-10+ years of health insurance Privacy legal and regulatory experience required

  • 6+ years of managerial and leadership experience required

Experience Desired:

  • An individual with a combination of the following: medical records/health information management background, information systems/technology background; compliance, legal or performance improvement experience

  • Health Plan experience

EEO is The Law

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled

Please note employment with CCA is contingent upon acceptable professional references, a background check (including Mass CORI, employment, education, criminal check, and driving record, if applicable), an OIG Report and verification of a valid MA/RN license (if applicable). Commonwealth Care Alliance is an equal opportunity employer. Applicants are considered for positions without regard to veteran status, uniformed service member status, race, color, religion, sex, national origin, age, physical or mental disability, genetic information or any other category protected by applicable federal, state or local laws.