University of Chicago Medical Center - Chicago, IL

posted 9 days ago

Full-time - Mid Level
Remote - Chicago, IL
Hospitals

About the position

Join one of the nation's most comprehensive academic medical centers, UChicago Medicine, as a Privacy Audit, Education, and Risk Analyst to support the Information Security and Privacy GRC Program. This position will be primarily a work-from-home opportunity with the requirement to come onsite as needed. Information Security and Privacy GRC Program initiatives include, but are not limited to, investigations of privacy concerns, system access audits, development and training of internal protocols, policies, guidance documents, and tools, and oversight of internal and external third-party privacy risk functions to support all the UCM health system workforce and its federal, state, and international regulatory obligations. The program contributes to the enhancement of existing privacy and security compliance initiatives by developing new methods to identify areas of privacy risk and develop best practices for risk reduction, privacy and security regulatory compliance, and risk remediation efforts. Customers include patients, faculty, residents, all levels of leadership, clinical and non-clinical staff, and students at the University of Chicago Medicine Health System as well as the larger community. The Privacy Audit, Education, and Risk Analyst supports the Privacy Program mission by developing an enterprise-wide audit, education, and risk work plan, performing access audits, handling and leading all aspects of training and education, and reducing privacy risks within the enterprise.

Responsibilities

  • Develop written standard procedures, plan, and perform access audits of electronic medical record systems, business applications, internal data repositories, and databases.
  • Identify areas of privacy enterprise risk and prepare, then implement, corrective action plans and risk mitigation steps.
  • Perform access audits across multiple record repositories, technology systems, and databases to identify irregularities or impermissible accesses.
  • Utilize privacy electronic audit tools and manual processes to perform audits.
  • Implement corrective action plans with follow up to mitigate potential privacy risks.
  • Conduct, document, and follow up on enhanced audit capability outside of the electronic health record, specifically those with a technology focus.
  • Develop new and update current privacy education and trainings, including materials such as, but not limited to, slides, policies, and guidance documents.
  • Be the primary presenter of organization-wide training throughout differing internal levels.
  • Develop new and update current trainings and educational materials.
  • Present education initiatives based upon developed training.
  • Identify new education initiatives based upon risks identified through audits, metrics, and educational outcomes.
  • Develop and prepare spreadsheets, metrics, dashboards, and reports to support program and enterprise risk strategy.
  • Develop new and manage opportunities for metrics, data spreadsheets, and develop a risk dashboard.
  • Identify active opportunities to strengthen privacy enterprise risk management program overall.
  • Prepare and lead privacy impact assessments of internal and external technologies and vendors, and privacy risk corrective action plans.
  • Be an active contributor in Privacy by Design and other privacy risk principles.
  • Mature data mapping and data loss prevention initiative.
  • Additional project or other duties as assigned related to program oversight and efforts.
  • Identify current trends and changes of landscape in privacy and information security compliance.
  • Understand and make revisions to audit and education work plan related to risks identified, program metrics, audit results, and training outcomes with little oversight.
  • Maintain strong knowledge of applicable federal, state, and international privacy and information security laws and monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.

Requirements

  • Bachelor's degree required
  • Significant relevant experience in HIPAA and other Privacy and Compliance regulations is required with demonstrated proficiency with the HIPAA Privacy and Security regulations
  • Academic medical center and/or health care consulting experience; additional background in privacy-related research administration highly desirable
  • Current privacy certification from IAPP, ISACA, HCCA, or SCCE, or ability to obtain one within two years
  • Significant privacy audit experience of differing types of databases including electronic medical records and other business and research applications with ability to quickly identify action plans
  • Familiarity with privacy audit software and data loss prevention tools needed, including ability to use and become proficient in review and audit of software application logs for potential privacy risks
  • Proven ability to develop education materials and provide organizational training, with ability to understand the changing privacy landscape and inform the workforce through strong presence and excellent public speaking skills across differing organizational levels
  • Knowledge of privacy risk identification and implementation of corrective action plans to correct privacy enterprise risk
  • Experience in data mining, analysis, and report development required with ability to produce reports and identify new privacy projects
  • High proficiency with Excel is required, along with the ability to develop reports for follow-up
  • Experience in handling complex organizational projects; and excellent problem identification and solution skills to address difficult, complex issues
  • Strong computer skills including the ability to effectively use software applications such as Microsoft products is important
  • Ability to think abstractly and concretely and strong attention to detail
  • Excellent analytical, written, and verbal presentation and interpersonal skills
  • Demonstrated capacity to work independently in an organized, detailed manner while maintaining a collaborative team environment

Nice-to-haves

  • Additional background in privacy-related research administration highly desirable

Benefits

  • Comprehensive health insurance
  • Retirement plans
  • Paid time off
  • Professional development opportunities
  • Flexible working arrangements