Privacy Specialist
Site: Mass General Brigham Incorporated Mass General Brigham relies on a wide range of professionals, including doctors, nurses, business people, tech experts, researchers, and systems analysts to advance our mission. As a not-for-profit, we support patient care, research, teaching, and community service, striving to provide exceptional care. We believe that high-performing teams drive groundbreaking medical discoveries and invite all applicants to join us and experience what it means to be part of Mass General Brigham. Job Summary Mass General Brigham is seeking a Privacy Compliance Specialist II to advance its enterprise-wide privacy compliance program across its network. The Privacy Specialist II will support the enterprise privacy program with a focus on incident response, third-party risk, technology onboarding, and compliance with the new DOJ Data Transfer Rule governing sensitive personal data and bulk data transfers. This role will partner closely with clinical, research, Digital, and business operations teams to ensure appropriate handling of PII, PHI, and other regulated data across the organization. This role ensures compliance with health and data privacy laws, including the HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2, US state privacy laws, GDPR, international privacy laws, and the Department of Justice’s Data Transfer Rule. Key responsibilities include privacy incident investigations, documentation, mitigation and notifications to affected individuals and regulators; privacy audits; Privacy Impact Assessments; system/vendor privacy evaluations; data transfer reviews, website and application privacy consults, drafting Terms of Use; and advising on AI privacy risks. The Privacy Specialist II serves as a trusted business partner and privacy subject matter expert adviser to various stakeholders throughout the organization, including Human Resources, Supply Chain, Information Security, Health Information Management, Digital, and MGB’s Health Plan. The Privacy Specialist II leads privacy training presentations and partners with the Privacy Training Program leadership to design, deliver, and maintain the organization’s privacy compliance training program. The Specialist also leads process improvement initiatives for the department. Essential Functions -Develop, update, maintain and advise on the hospital's privacy policies and procedures in alignment with federal, state, and local privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 CFR Part 2, U.S. state privacy laws, U.S. Department of Justice Data Transfer rules, GDPR, and international privacy regulations. -Conduct regular privacy training sessions for hospital staff and employees to ensure understanding and compliance with privacy policies and safeguarding PHI. -Perform periodic privacy audits and assessments to evaluate the effectiveness of privacy controls and identify areas for improvement. -Respond to privacy incidents and breaches, conduct investigations, and implement corrective actions to prevent future incidents. -Conduct privacy risk assessments to identify potential vulnerabilities and develop strategies to mitigate privacy risks. -Develop, prepare, and present privacy metrics, audit results, and data-driven insights to leadership -Respond to patients and their families related to privacy rights and inquiries. -Prepare and submit reports on privacy compliance to hospital leadership and regulatory authorities, as required.
Qualifications
Education Bachelor's Degree in a related field of study required Master's Degree Related Field of Study or Juris Doctor in related field of study preferred Experience 5+ years of experience preferred in healthcare privacy compliance Demonstrated experience interpreting and applying HIPAA, HITECH, and other federal, state, international privacy regulations preferred Certifications: CHPC, CIPP/US, CIPP/E, CIPM, or comparable privacy certifications preferred Knowledge, Skills and Abilities In-depth knowledge of privacy laws, regulations, and standards, including HIPAA, HITECH, and state privacy laws, as well as their application in healthcare settings. Excellent communication and interpersonal skills to interact with hospital staff, patients, and regulatory authorities regarding privacy matters. Strong analytical and problem-solving skills to conduct privacy risk assessments and respond to privacy incidents effectively. Ability to manage multiple priorities and tasks, ensuring timely completion of privacy-related initiatives. Regulatory Compliance & Monitoring Ensure compliance with HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2, U.S. state privacy laws, GDPR, and international privacy regulations. Plan for and guide implementation of emerging state privacy legislation, including the anticipated Massachusetts comprehensive privacy law expected in 2026. Monitor Apply tot his job Apply To this Job