Senior Privacy Compliance Analyst in San Francisco, CA at Integrated Resources, Inc

Date Posted: 1/11/2020

Job Description

Effective Date ER Code Approved Career Tracks Title Job Code Date Classified Analyst Initials Job Number

(The above section will be completed by the Compensation Unit following review)
Policy Covered Job Description/Employment Requisition Form
In addition to completing this form, please provide a copy of the most current departmental organization chart as it relates to this position, or reclassification. For reclassifications, please note the name and current title of the incumbent.
Name: Employee ID:
Department: Privacy Office
Career Tracks Job Family: Audit Compliance and Ethics Career Tracks Job Function: Privacy and Compliance HC
Career Tracks Category: Professional Career Tracks Job Level: Expert
Career Tracks Payroll Title: PRIVACY AND CMPLNC HC PROFL 5 Career Tracks Job Code: 6588
Career Tracks Grade: FLSA Status (Exempt vs. Non-exempt): Exempt
Career Tracks Per. Prog.: MSP Working Title: Senior Privacy Compliance Analyst
Supervisor's Name: Carol Ng-Lee Supervisor's Phone: ***
Supervisor's Title: Operations Manager & Campus Privacy Program Manager Supervisor's Email: ***
*Client Health should be entered into online ERF system
New Position: Replacement For:
Significant Duty Changes:
Critical Position?
Appointment Type
(Contract, Career, Limited, Per Diem, Floater) Physical/Health Screening Required?
Limited or Contract End Date
Work days & hours:
Percentage Time: Campus Work Location:
Resume Receiver: Phone & email:
Job Function Summary:
Involves the development, implementation and monitoring of policies and processes to ensure compliance with applicable laws and regulations in privacy and security of patient and protected health information. Develops privacy policies and systems from a strategic perspective; keeps abreast of privacy compliance issues, plans for changes and / or integration as new healthcare affiliations are assumed. Works with legal counsel, external agencies and management to manage breach incidents. Provides education and consultation to hospital and medical staff regarding the requirements, coordinates integration of standards and regulations with medical center or health system operations. (For broader healthcare regulatory compliance, see Regulatory and Compliance HC job standards.)
Generic Scope (not customizable, will not be used in the job posting/advertisement):
Recognized organization-wide expert. Has significant impact and influence on organizational policy and program development. Regularly leads projects of critical importance to the organization; these projects carry substantial consequences of success or failure. Directs programs with organization-wide impact (or may have impact beyond the University) that include formulating strategies and administering policies, processes, and resources. Significant barriers to entry exist at this level.
Custom Scope (customizable, will be used in the job posting/advertisement):
The Senior Privacy Compliance Analyst has five major scopes of responsibility: 1) Review, negotiate, and approve contractual documents including but not limited to escalated Business Associate Agreements, Appendix Data Security, EHR Donation Agreements, Community Connect Agreements, Affiliation Agreements, and Data Sharing Agreements, and become a Subject Matter Expert for all Privacy related contracts; 2) Assist in the UCOP mandated Campus Privacy Program; 3) Supervise the Legal Interns for our new Privacy Legal Intern Program to keep a continuous pipeline of future Privacy Investigators; 4) Serve as the liaison for IT Apex Community Connect and other data sharing partnerships, handle the related privacy incidents/breaches, attend standing Community Connect meetings to represent the Privacy perspective, identify potential risks, and ensure that privacy compliance exists within this new program; 5) Special projects including but not limited to tasks associated with our Audit Program.
As Client Health continues to grow, the Privacy Office is gearing up to meet the needs of more Affiliation Agreements and the increasing volume of incoming work including the five major scopes of work described above. The complexity and the time involved on such activities have grown exponentially and the Privacy Office is creating a new position to handle the overflow of agreements for review and decrease risk. The Privacy Office also needs an experienced Privacy Office member to represent the privacy perspective and identify potential risks as related to Community Connect/other data sharing affiliations.
As part of the 2015 initiative by UC Office of the President, each UC campus will be tasked with implementing a comprehensive Privacy program geared towards higher education needs. The Senior Privacy Compliance Analyst will assist the Campus Privacy Program Manager & Operations Manager with building a thorough Privacy program tailored for higher education and analyzing its effectiveness. The program will be a delicate balance of ensuring academic freedoms while protecting individuals' Privacy needs.
The new Privacy Legal Intern Program was born from the need to train a continuous pipeline of legal students with interest in Privacy Investigations. Privacy Investigations are a niche skillset and very difficult to recruit for. The new Client Privacy Legal Intern Program meets this need for the Client Privacy Office and any other privacy organizations outside of Client. The Senior Privacy Compliance Analyst will assist in setting up the program, tapping into our connections at USF Law and UC Hastings Law initially. The Senior Privacy Compliance Analyst will also oversee the interns, serve as a resource for them, and partner with the Operations Manager/Campus Privacy Program to complete evaluations. It is required by the Bay Area Consortium of Externships that a licensed attorney supervise the work of the legal interns.
As a recognized privacy and compliance expert, applies comprehensive knowledge of professional concepts and industry practices to evaluate all aspects of the privacy program and suggest improvements to data management, documentation processes, and health system policies to ensure all departments maintain compliance regarding privacy of patient health information.
Department Overview (please write a brief description of your department/unit that you would like to be included in the job posting/advertisement)
The scope of responsibility for the Client Privacy Office and subsequently the Campus Privacy Program falls under the direction of the Chief Privacy Officer and includes all Client Campus Departments, the Client Health System, Langley Porter Psychiatric Institute, Client Fresno, Office of Research, Academic Affairs, Advancement & Planning, Administration & Finance, Benioff Children's Hospital Oakland, UBCP (Client Benioff Children's Physicians) and Client Members at Affiliate Organizations.
This position reports directly to the Operations Manager/Campus Privacy Program Manager.
The Senior Privacy Compliance Analyst will oversee Legal Interns in the new Client Privacy Legal Interns Program.
Note: If this is a reclassification request or a replacement with significant changes, please briefly describe (no more than 2 paragraphs) the significant changes that have taken place since the position was last reviewed. Additionally, please provide a copy of the former job description for the position.
Key Responsibilities
List key functions and the estimated percentage of time spent performing each of the responsibilities. Indicate which responsibilities are considered "Essential" to the successful performance of the job as defined by the EEOC: Essential functions are the basic job duties that an employee must be able to perform. You should carefully examine each job to determine which functions or tasks are essential to performance.
25% Essential Performs basic design, development, modification and debugging of software. Evaluates basic software for functional areas. Analyzes existing software or works to formulate logic for basic systems, prepares basic specifications and performs coding.
% of time | Essential Function (Yes/No) | Key Responsibilities (To be completed by Supervisor)
20 Yes CONTRACTS: The Senior Privacy Compliance Analyst will provide the Privacy Office with expert level contractual competence with various contracts by completing the following:
Review, negotiate, approve, provide alternate language for edits to contractual documents including but not limited to escalated Business Associate Agreements, Appendix Data Security, EHR Donation Agreements, Community Connect Agreements, Affiliation Agreements, Data Sharing Agreements,
Will become the Subject Matter Expert for all contracts with a Privacy perspective.
Will assist Operations Manager/Campus Privacy Program Manager with annual HIPAA BAA training for BCHO, Client Campus, and *** Contract Officers.
Oversees the new Privacy Legal Intern program which will entail:

Assist Operations Manager/Campus Privacy Program Manager in collaborating with USF Law School and UC Hastings to continue the new program
Oversee the work being produced by the Legal Interns
Serve as an expert resource to the Legal Interns
In conjunction with the Operations Manager/Campus Privacy Program Manager, conduct performance evaluations with each Intern
It is required by the Bay Area Consortium of Externships that a licensed attorney supervise the work of the Legal Interns.

Serves as liaison between Client and the Privacy Office to independently respond to and resolve investigations, grievances, and consults, including complex fraud, ethical, research, and legal issues related to privacy, in a multidisciplinary and collaborative manner, and to document per Privacy Office procedures.
Responds to Office of Civil Rights and other legal entities in any compliance reviews or investigations related to Privacy Office activities including Root Cause Analyses (RCAs) or Whistleblower or I Group review as appropriate.
Independently coordinates corrective action plans with relevant compliance/audit and administrative units and assures appropriate follow up and/or service recovery for mitigation and remediation strategies which are compliant with the regulatory agencies and regulations.
Independently works with appropriate departments, clinicians, and leadership to identify trends in non-compliance and to collaborate on methodologies for preventing the recurrence of privacy incidents. Collaborates or leads as assigned on the revision of policies, guidelines, consent and authorization forms, and other documents for the Client enterprise.
Responsible for documentation related to internal audits and complaint resolution.
Applies expertise in risk assessment and privacy policies to propose a process for investigating, adjudicating, and taking action on all privacy related issues and complaints. Leads taskforces to respond to the highest profile complaint cases and / or those with significant potential impact to the organization. Advises on issues without precedent. Provides industry benchmarks.

Ensures management corrective actions are in place following complex and / or politically sensitive investigations without direct supervision. Confirms appropriate monitoring controls are utilized. Responsible for the most sensitive of investigation subjects.

Participates in revising or developing policies and procedures, including departmental and health system policies. Applies industry expertise to provide input on proposals to guide and support a broader strategic direction for the health system. Advises management on innovative ways to mitigate compliance risks.
15 Yes Campus Privacy Program:
Assist the Operations Manager/Campus Privacy Program Manager with the UCOP mandated Campus Privacy Program.

Assist with building a new and comprehensive Campus Privacy program tailored for higher education, including developing goals, deliverables, timelines.
Assist with creating and implementing a Campus Privacy Assessment to identify gaps, weaknesses and risks.
Identify Campus data stewards and oversee the identification of the Campus data systems.
Assist with developing Privacy policies and practices for Restricted Information.
Coordinates with the Education/Policy Manager for an education program to include Restricted Information for individuals including staff, students and faculty.
Measures effectiveness of the new program.
Provides continuous improvement and ongoing efforts.
Assist with the Campus Privacy Program Subcommittee meetings and activities.
Responsible for analyzing and handling all FERPA related privacy and security incidents/breaches and inquiries in conjunction with the Client Registrar.
Serve as the expert level liaison for all Community Connect / other data sharing partnerships, affiliations
Handle the related privacy incidents/breaches,
Serve as sole representative and attend standing Community Connect meetings (and all other data sharing partnership meetings) to represent the Privacy perspective,
Identify potential risks and formulate plans to mitigate
Ensure that privacy compliance exists within these new programs
Create parameters (in conjunction with the Client Business Intelligence Analyst) for the Auditing and Monitoring program and BCHO and UBCP.
Review edits and provide guidance on a complex Business Associate Agreement arrangement.
Interface with multiple law schools, interview and select candidates for a legal internship.
Provide feedback for the Community Connect program with regards to potential privacy risks and how to mitigate them.
Determine the type of relationship of the data sharing recipient and ensure the appropriate contractual documents are put in place (EHR Donation Agreement, Reverse BAA, etc.)
Unauthorized release of data by a Community Connect partner (to be analyzed under HIPAA regulations)
A Client staff member falls prey to a phishing attack and student information is compromised (to be analyzed under FERPA regulations)
Demonstrates service excellence by following the Everyday PRIDE Guide with the *** standards and expectations for communication and behavior. These standards and expectations convey specific behavior associated with the Medical Center's values: Professionalism, Respect, Integrity, Diversity and Excellence, and provide guidance on how we communicate with patients, visitors, faculty, staff, and students, virtually everyone, every day and with every encounter. These standards include, but are not limited to: personal appearance, acknowledging and greeting all patients and families, introductions using AIDET, managing up, service recovery, managing delays and expectations, phone standards, electronic communication, team work, cultural sensitivity and competency.
Uses effective communication skills with patients and staff; demonstrates proper telephone techniques and etiquette; acts as an escort to any patient or family member needing directions; shows sensitivity to differences of culture; demonstrates a positive and supportive manner in which patients / families/ colleagues perceive interactions as positive and supportive. Exhibits team work skills to positively acknowledge and recognize other colleagues, and uses personal experiences to model and teach Living PRIDE standards.
Exhibits tact and professionalism in difficult situations according to PRIDE Values and Practices
Demonstrates an understanding of and adheres to privacy, confidentiality, and security policies and procedures related to Protected Health Information (PHI) or other sensitive and personal information.
Demonstrates an understanding of and adheres to safety and infection control policies and procedures.
Assumes accountability for improving quality metrics associated with department/unit and meeting organizational/departmental targets.
Keeps working areas neat, orderly and clutter-free, including the hallways. Adheres to cleaning processes and puts things back where they belong. Removes and reports broken equipment and furniture.
Picks up and disposes of any litter found throughout entire facility.
Posts flyers and posters in designated areas only; does not post on walls, doors or windows.
Knows where the Environment of Care Manual is kept in department; corrects or reports unsafe conditions to the appropriate departments.
Protects the physical environment and equipment from damage and theft.

Identifies issues across the organization and develops methods and systems to mitigate risk and improve overall compliance. Performs extensive research and collaborates in addressing complex system-wide issues with privacy and compliance that have significant impact. Identifies privacy compliance issues of importance to the medical center and / or health system, which frequently cross organizational lines. Develops appropriate analytical and procedural framework for addressing the issues in the organization. Utilizes privacy compliance knowledge to guide departments and providers across the medical center on high profile, broad-based or highly complex concerns. Consults departments on systems and structures to operate efficiently while still maintaining compliance.

Develops methods and seeks opportunities to increase manager and staff awareness of privacy and compliance programs and associated processes. Participates in developing curriculum and materials and teaching in periodic training information and education
Researches and proposes new audit methodologies and tools. Conducts high profile and / or sensitive audits. Establishes mechanisms to monitor compliance with privacy policies, such as through periodic site visits and surveillance of users' access to protected health information, as required by law. Identifies, facilitates and leads special projects related to industry studies, medical center privacy incident analysis and literature research to assist the department in meeting annual privacy program goals.
100% (To update total %, enter the amount of time in whole numbers (without the % symbol - e.g., 15, 20) then highlight the total sum (e.g., 1%) at the bottom of the column and press F9. The total sum should add up to 100%.)
Knowledge Skills and Abilities (KSAs)
Required qualifications must be possessed by any candidate to be considered for the position. These qualifications will be included in the job posting/advertisement and will be used to screen applicants. Note: Only objective, specific and quantifiable (KSAs) will be used when screening (i.e. 6 months of event planning experience vs. prior event planning experience). Preferred qualifications are those skills or abilities that an ideal candidate possesses, but are not required in order for a candidate to be considered for the position.
Please list:
Knowledge, Skills and Abilities Req / Pref
Advanced knowledge on current HIPAA regulations, state medical and public agency privacy laws, and medical center and UC procedures. Expert knowledge of the clinical and operational issues regarding compliance and assessing risk. Maintains current knowledge of applicable state and federal laws related to Privacy, Confidentiality and Security of Protected Health Information (PHI), Personally Identifiable Information (PII) and other Restricted Information, Client enterprise policies and state and federal regulations. Req
Ability to exercise professional judgment in handling sensitive and confidential issues with discretion. Demonstrated sensitivity to political situations and confidential issues. Role models excellent interpersonal, communication, and problem solving skills. Presents professional demeanor and is a customer service role model in interactions with internal and external customers; patients, families, visitors, hospital/health system personnel, outside vendors, external organizations, and physicians. Req
Highly-skilled communicator in both verbal and written format; applying critical thinking and advising skills. Persuasive ability to change the thinking of, or gain acceptance from management in privacy compliance. Req
Ability to manage multiple complex assigned projects in a timely, efficient and well-organized manner. Proven ability to see high level projects through from inception to completion on schedule and ensure accuracy. Req
Highly developed organizational skills and ability to work interdependently to coordinate multiple projects. Ability to effectively focus, prioritize and manage multiple tasks and assignments. Req
Expert user of the privacy program database systems and industry application programs to evaluate the medical center's database, systems and procedures and consult management. Req
At least two years of related experience Req
Education, Licenses and Certifications:
List Education, Licenses and Certifications a candidate must possess or meet to be considered for the position. You may also select any of these attributes as being preferred. These will be included in the job posting/advertisement and will be used to screen applicants.
Education Req / Pref
Bachelor's Degree in law, public health, healthcare, policy, or related field. Req
Master's in Public Health, Public Policy, or a related field Pref
Juris Doctorate Req
Licenses Req / Pref
California State Bar License (Required for Privacy Legal Intern Program) Req
Certifications Req / Pref
Certified in Healthcare Compliance Pref
Certified in Healthcare Privacy and Security (CHPS) Pref
IAPP Certification: Certified Information Privacy Professional (CIPP) or Pref
Certified Information Privacy Manager (CIPM) Pref
Special Conditions of Employment: (Statements identifying the fundamental non-negotiable job conditions and/or requirements which an individual must meet to be eligible for the position. For example, the ability to pass a background check, work in a particular environmental setting, work a flexible or irregular work schedule, etc.)
Problem Solving
Please provide 2-3 examples of problem solving for this position as described below (please be brief: 1-3 sentences for each example).
Common problems solved by the employee:
Less frequent and more complex problems solved by the employee:
Problems/situations that are referred to this employee's supervisor:
Management of Funds:
Does this position require oversight or management funds? If No: Please skip this section.
Describe the degree to which the incumbent is directly responsible for the management of funds. Indicate the variety of funding sources under the incumbent's control:
Type of Budget # of Current Budgets Current yr. expenditures $
(To update total *** enter the $ amount in whole numbers (without the $ symbol - e.g., 1,000,000) then highlight the total sum (e.g., 1%) at the bottom of the column and press F9.) ***
Complete this section ONLY if the incumbent has direct or indirect supervision.
Indicate job titles of employees supervised by this position, the number of positions and total headcount/number of positions, and total Full Time Equivalent (FTE).
Payroll Title (i.e. Blank Asst. 3, Financial Analyst 4) Direct/Indirect Total Headcount Total FTE
(i.e. 2.5)
Legal Interns Direct 2
Are there other employees that perform the same work? (optional)
Included with this Position Description are the following addendums:
Addendum A: Physical Requirements / Work Environment
Addendum B: Living Pride Standards (REQUIRED for Client Health Employees)
Addendum C: Medication Access and Storage (REQUIRED for Client Health Employees)
Please follow your department's procedures for management review and then submit to Human Resources
(Initial requests do not require signatures. Once an employee has started, or a reclassification has been approved, please submit the signed document to Human Resources.)
Supervisor Name:
Supervisor Title
Employee Signature: Supervisor Signature:
Date: Date:

Addendum A: Physical Requirements / Work Environment Job Title:__________________
Working Environment: Health care (hospital, clinical, classroom setting or similar environment as the role requires).
Never | Occasional 1%-33% | Frequent 34%-66% | Continuous 67%-100% | Never | Occasional 1%-33% | Frequent 34%-66% | Continuous 67%-100%
Activity Activity
Body Positions Sitting Pull Pulling 0-20 lbs.
Standing Pulling 21-30 lbs.
Walking Pulling 31-60 lbs.
Squatting Pulling over 60 lbs.
Bending Hand/Arm Fine finger manipulation
Waist Twisting Gross manipulation
Kneeling Simple grasp
Crawling Power grasp
Climbing Climbing stairs Repetitive hand/arm use
Climbing ladders Loud noise
Other _________________________ Exposures Background Noise
Reaching Reaching overhead Dim or bright lighting
Reaching shoulder height Dust, fumes or gases
Reaching below shoulder height Chemicals or toxic substances
Lifting Lifting 0-20 lbs. Latex
Lifting 21-30 lbs. Radiation
Lifting 31-60 lbs. Combative Patients
Lifting over 60 lbs. Other Ability to differentiate color
Lifting up to _______ lbs. overhead Verbal communication
Lifting up to _______ lbs. above waist Operating motor vehicles
Lifting up to _______ lbs. below waist Use of protective equipment
Carrying 0-20 lbs. Other:_________________
Carrying 21-30 lbs.
Carrying 31-60 lbs.
Carrying over 60 lbs.
Push Pushing 0-20 lbs.
Pushing 21-30 lbs.
Pushing 31-60 lbs.
Pushing over 60 lbs.
Blood/Fluid Exposure Risk: (Check the right category)
Choose an item. Category 1: Tasks involve exposure to blood, fluids or tissue.
Choose an item. Category 2: Usual tasks do not involve exposure to blood, fluids or tissues but job may require performing unplanned Category 1 tasks.
Choose an item. Category 3: Tasks involve no exposure to blood, body fluids or tissues. Category 1 tasks are not a condition of employment.
Employee Signature: Supervisor Signature:
Date: Date:

Addendum B: Living Pride Standards
Service Excellence
Work Environment

Addendum C: Medication Access and Storage
The "Medication and Auxiliary Staff Competency" must be successfully completed for Level I, Level II or Level III staff PRIOR to performing duties requiring medication access (including access, transport, and/or stocking activities OR access to medication storage areas for cleaning).
Access Med Storage Areas for Cleaning Access and Transport Access, Transport & Stocking
Environmental Service Personnel Drivers Anesthesia Technicians
Patient Support Assistants (PSAs) Hospital Assistants (depending on specific duties; ask HR if unsure)
Hospital Unit Service Coordinators Material Services Personnel
Volunteers Medical Assistants
Nuclear Medicine Technologists
Ophthalmology Technician
Patient Care Assistants (PCAs)
Pharmacy Storekeepers
Radiology Technologists (all modalities, Ultrasound, Mammo, etc.)
After employee successfully completes the level-appropriate competency, please check the corresponding box below. Obtain the employee's and manager's signatures to attest that the competency was completed and send the signed job description to HR for the employee's personnel file.
Level 1 As a part of his/her daily activities, employees may have access to medication storage areas for cleaning only. These activities must be in compliance with the Medications and Auxiliary Staff competency for Level 1.
Level 2 As part of his/her daily activities, employee may access and transport medications. These activities must be in compliance with the Medications and Auxiliary Staff competency for Level 2.
Level 3 As part of his/her daily activities, employee may access, transport and stock medications. These activities must be in compliance with the Medications and Auxiliary Staff competency for Level 3.
Signature Section:
I have successfully completed the Medication and Auxiliary Staff Competency at my designated level (1, 2 or 3), in order to complete the functions of my position. I have had the opportunity to have all my questions answered.
Employee Signature Date
Manager Signature Date