
Job Title: Director, Privacy (Remote)

Company: CareFirst BlueCross BlueShield

Location: Baltimore, MD

Created: 2026-04-17

Job Type: Full Time

Job Description

PURPOSE: Responsible for developing, implementing, and overseeing a comprehensive and compliant privacy program in accordance with the European Union General Data Protection Regulation ("GDPR"), the federal Health Insurance Portability and Accountability Act ("HIPAA") and Health Information Technology for Economic and Clinical Health ("HITECH") Act, state requirements, and organizational and BlueCross BlueShield Association standards, policies and procedures for CareFirst, Inc. and all affiliated, subsidiary and related companies.

ESSENTIAL FUNCTIONS:

Risk Analysis and Management
• In instances of suspected compromise of electronic PHI, collaborates with the CareFirst Risk Management staff, Information Security Team and Legal Counsel to evaluate and mitigate company risk exposure.
• Serves as the primary CareFirst liaison and subject matter expert during all privacy program audits, investigations, and inquiries, including those from the U.S. Department of Health and Human Services Office for Civil Rights, other federal and state regulatory bodies and self-insured groups.
• Serves as the CareFirst subject matter expert in the investigation of suspected non-compliance with privacy and security standards.
• Makes recommendations to the Privacy Officer for the resolution of privacy-related compliance issues.
• Analyzes data derived from investigations and performs risk assessments. In conjunction with company management and stakeholders, develops, explains, oversees or monitors the implementation of corrective action plans designed to address any identified risks and mitigate future occurrences.
• Reports significant outcomes of any matter to the Corporate Privacy Officer, CareFirst Legal Counsel and CareFirst Executive leadership.
• Partners with the Corporate Privacy Officer and Legal Counsel to establish and fulfill notification requirements to all applicable stakeholders, including federal and state authorities, subscribers, groups, the BlueCross BlueShield Association, other Blues Plans, vendors and CareFirst associates.
• Performs privacy risk analysis to ensure third-party vendor compliance prior to the execution of the service contract and/or business associate agreement.
• Evaluates the current state of data sharing relationships with third-party vendors and prepares and executes a plan for strengthening data controls and ownership.
• Operationalizes the General Data Protection Regulation (GDPR) through the implementation of policies and procedures, the development of training materials, and the education of the workforce, as measured through associate compliance.

Privacy Program Management
• Partners with the Corporate Privacy Officer and Legal Counsel as the subject matter expert to develop, implement and manage the CareFirst Privacy program. Ensures the existence of and alignment between CareFirst's policies and procedures and applicable privacy laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the privacy aspects of the General Data Protection Regulation (GDPR), the Affordable Care Act (ACA) and the Gramm-Leach-Bliley Act (GLBA).
• Reviews complex business processes, systems, policies and procedures to proactively identify, document, and escalate risks and trends that may be non-compliant with contractual and/or statutory requirements.
• Stays current with relevant federal and state privacy-related laws and regulations, BlueCross BlueShield Association guidelines and industry best practices.
• Analyzes changes to privacy regulations, performs a comprehensive analysis of the impact to the organization, provides recommendations and assists with operationalizing any identified enhancements to current processes throughout the organization.
• Upon receipt of a disclosure request or data release, evaluates whether all applicable safeguards (business associate agreement, data use agreement) are executed in order to achieve compliance with federal regulations and BlueCross BlueShield Association guidelines. Maintains a database of Business Associate Agreements for CareFirst, Inc. and all affiliated, subsidiary and related companies.
• Ensures that CareFirst issues payments appropriately by routinely screening providers, consultants and associates against the federal debarred and excluded party listings. Reports any confirmed matches to federal agencies and advises internal stakeholders to take the necessary corrective measures.
• Provides consultative support to various CareFirst workgroups, including the Legislative Workgroup, to ensure the privacy perspective and concerns are included in the context of potential new legislation.
• Manages the privacy training and education programs, including new employee orientation, annual mandatory training and department-specific training.
• Serves as primary privacy liaison and subject matter expert regarding compliance program audits, assessments and initiatives.
• Supports the Embedded Compliance Units as primary privacy liaison and subject matter expert.

Privacy Office / Oversight
• Continuously analyzes and aligns the functional area's policies, procedures, workflows and systems to ensure that compliance and alignment with regulations remain updated and current.
• Manages, teaches and develops staff to ensure that permissions and restrictions to member data are processed timely and accurately and are available to internal and external customers.
• Keeps abreast of emerging issues and developments that have a direct impact on the department.
• Responsible for all duties associated with a leadership position: direction and vision for policy and quality standards for all departmental work; associate performance evaluations; tactical planning, implementation, monitoring and reporting; budgeting and expense planning; and ad hoc executive management reporting.
• Identifies trends in compliance data and proactively advises on identified internal and external risks.

SUPERVISORY RESPONSIBILITY: This position manages people.

QUALIFICATIONS:

Education Level: Bachelor's Degree in business or healthcare management.

Experience: 7 years of experience working with the Health Insurance Portability and Accountability Act (HIPAA), or a minimum of 7-10 years of experience in the analysis of privacy laws including HIPAA, and 5+ years of management experience.

Preferred Qualifications: Master's Degree.

Knowledge, Skills and Abilities (KSAs): Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence. Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.

Equal Employment Opportunity: CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.