University Job Title: HIPAA Privacy Officer
Bargaining Unit: None - Not included in the union (Yale Union Group)
Time Type: Full time
Duration Type: Regular
Compensation Grade: Administration & Operations
Compensation Grade Profile: Senior Manager; Senior Program Leader (27)
Work Location: Central Campus
Worksite Address: 2 Whitney Avenue New Haven, CT 06510
Work Week: Standard (M-F equal number of hours per day)
Searchable Job Family: Administration
Total # of hours to be worked: 37.5

Position Focus:

Reporting to the Chief Privacy Officer, the HIPAA Privacy Officer is charged with collaboratively developing, implementing, and administering a unified HIPAA Privacy and Security compliance program. The HIPAA Privacy Officer affects organizational change within the university context of shared governance, mission, and values, and a complex information technology infrastructure and operations.

In collaboration with the Chief Privacy Officer, the HIPAA Privacy Officer oversees all activities related to the development, implementation, maintenance, and enforcement of the university’s policies and procedures covering the privacy of protected health information (PHI). The HIPAA Privacy Officer directs the Deputy Privacy Officers assigned to the School of Medicine, School of Nursing, Yale Health, Benefits Office and Psychology Department clinics. The Deputy Privacy Officers have day-to-day responsibility for implementing and enforcing the university’s health information policies and procedures within their assigned areas; the HIPAA Privacy Officer has overarching institutional responsibility for health information privacy and breach notification compliance. The HIPAA Privacy Officer also supervises a small staff responsible for centralized HIPAA compliance activities. In collaboration with the chief information security officer and the Chief Privacy Officer, the HIPAA Privacy Officer ensures university security policies and procedures meet HIPAA standards for protecting the confidentiality, integrity and availability of electronic PHI.

Essential Duties

1. Develops and implements a comprehensive health information privacy program governing university-wide teaching, research and patient-care operations. 2. Manages the HIPAA privacy office staff. Provides oversight and guidance to deputy HIPAA privacy officers and departmental HIPAA contacts to ensure a consistent compliance program across the university. 3. In collaboration with the chief privacy officer, develops university-wide policies, procedures and practices governing the privacy and security of health information through the sophisticated analysis of data, operations, and regulatory requirements. 4. Promotes a culture of respect for patient privacy and HIPAA compliance in alignment with Yale’s teaching, research and patient care missions. 5. Directs the identification, implementation, and maintenance of PHI privacy and breach notification policies and procedures in coordination with senior leaders from the university’s health care and health plan components, the chief privacy officer, and university attorneys. Assesses, benchmarks, and revises policies and procedures related to appropriate access to PHI in accordance with legal standards and industry best practices. 6. Collaborates with strategic partners to assess the security of health-related IT systems, to manage IT-related risk, to ensure regulatory compliance, to align security and privacy practices, and to adapt policies, approaches, and standards to evolving technological challenges. 7. Establishes the parameters and standards for ongoing compliance monitoring activities in coordination with the university’s other compliance and operational assessment functions. 8. Ensures the university’s IRBs’ compliance with HIPAA privacy policies and procedures. 9. Develops and implements a robust privacy and security training and awareness program for diverse university stakeholders, including students, faculty, and medical and professional staff. 10. Analyzes university and industry data to identify incident trends related to risks to the privacy of PHI and develops strategies to manage and mitigate those risks. 11. Drives HIPAA privacy compliance efforts with affiliated entities and entities participating in an Organized Health Care Arrangement with the university. 12. Develops, implements, and monitors business associate agreements to ensure all privacy requirements are addressed. 13. Establishes and administers a process for receiving, documenting, tracking, investigating and acting on complaints concerning the university’s HIPAA privacy practices, in consultation with the chief privacy officer. Ensures HIPAA investigations are conducted in accordance with university disciplinary policies and are documented in keeping with HIPAA record retention requirements. 14. Ensures the consistent application of sanctions for failure to comply with HIPAA privacy policies, in coordination with human resources, the information security officer, the chief privacy officer, and university attorneys. 15. Other tasks as assigned.

Required Education and Experience

Bachelor’s degree and a minimum of 7 years of experience or equivalent combination of education and experience.

Required Skill/Ability 1:

Comprehensive knowledge of (i) health information privacy laws, including HIPAA, HITECH, and OCR guidance; (ii) use of health information in clinical research; and (iii) medical records management, including access, release and tracking techniques.

Required Skill/Ability 2:

Ability to work independently and leverage networks to advance programmatic goals in a decentralized environment.

Required Skill/Ability 3:

Ability to promote privacy compliance across a diverse workforce.

Required Skill/Ability 4:

Excellent leadership, project management, organizational, and communication skills.

Preferred Education, Experience and Skills:

Advanced degree in relevant area such as healthcare, healthcare administration, or law and five years of experience in managing privacy compliance, preferably at an academic medical center, or an equivalent combination of training and experience.

Weekend Hours Required? No
Evening Hours Required? No
Drug Screen: No
Health Screening: No

Background Check Requirements

All candidates for employment will be subject to pre-employment background screening for this position, which may include motor vehicle, DOT certification, drug testing and credit checks based on the position description and job requirements. All offers are contingent upon the successful completion of the background check. Please visit www.yale.edu/hronline/careers/screening/faqs.html for additional information on the background check requirements and process.

Posting Disclaimer

The intent of this job description is to provide a representative summary of the essential functions that will be required of the position and should not be construed as a declaration of specific duties and responsibilities of the particular position. Employees will be assigned specific job-related duties through their hiring departments.

Affirmative Action Statement:

Yale University considers applicants for employment without regard to, and does not discriminate on the basis of, an individual’s sex, race, color, religion, age, disability, status as a veteran, or national or ethnic origin; nor does Yale discriminate on the basis of sexual orientation or gender identity or expression. Title IX of the Education Amendments of 1972 protects people from sex discrimination in educational programs and activities at institutions that receive federal financial assistance. Questions regarding Title IX may be referred to the University’s Title IX Coordinator, at TitleIX@yale.edu, or to the U.S. Department of Education, Office for Civil Rights, 8th Floor, Five Post Office Square, Boston MA 02109-3921. Telephone: 617.289.0111, Fax: 617.289.0150, TDD: 800.877.8339, or Email: ocr.boston@ed.gov.