Vice President, Chief Privacy Officer and Data Protection - Hybrid

About the position

The Vice President, Chief Privacy Officer and Data Protection for Option Care Health (OCH), including its subsidiaries, affiliated companies, and joint ventures, will oversee the strategy, development, and continuous improvement of Option Care Health's Privacy and Data Protection program to adhere to legal and regulatory requirements, the Company's Code of Business Conduct and Company policies and procedures. At the direction of the Chief Compliance Officer, this individual will build a strategic and comprehensive Privacy and Data Protection program that defines, develops, maintains and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected health information (PHI) and other sensitive information while enabling business objectives. This role will partner with key stakeholders to implement privacy compliance programs and will closely collaborate with Information Security to ensure operational alignment between information security and privacy programs.

Responsibilities

• Develop a vision and strategic plan that will guide the direction of the Privacy and Data Protection program and align with the overall strategic initiatives of Option Care Health.
• Develop and implement short- and long-term planning, outlining recommended enhancements and prioritizing steps to continuously improve the program, governance structure, and frameworks.
• Ensure that the OCH Privacy and Data Protection program includes the privacy components of the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws and regulations, protection of the organization's proprietary data, employee data privacy as well as other relevant and emerging privacy requirements including but not limited to the Telephone Consumer Protection Act (TPCA).
• Work effectively and collaboratively with executive leadership, Information Security, and Compliance leaders to establish and maintain effective management and governance for the Privacy and Data Protection program.
• Act as the Privacy and Data Protection liaison to Information Security and Information Technology functions.
• Assess the current state of privacy and data protection and identify potential vulnerabilities and opportunities for enhancements within the program.
• Develop and coordinate ongoing privacy risk assessments and compliance monitoring to optimize the security posture of the organization, including conducting privacy audits, identifying and testing existing controls to ensure they are effective and sustainable, identifying potential gaps, documenting results and recommendations and monitoring implementation of corrective actions to ensure effective future risk mitigation.
• Review all system-related information security plans, risk and impact assessments to ensure alignment between security and privacy practices.
• Monitor systems development and operations for security and privacy compliance.
• Assure that the use of technologies maintains privacy protections on use, collection and disclosure of personal information.
• Serve as a partner to the business (e.g., operations, commercial, clinical, research, records retention, contracting, billing) to identify, document, and mitigate privacy risks arising from key business activities and ensure new initiatives undergo applicable privacy review.
• Monitor changes in healthcare laws and regulations, assess the impact on the organization, and update privacy programs and policies accordingly.
• Lead and participate in privacy-related committees (e.g., Data Governance Committee), address and evaluate emerging risks, and serve as an expert resource.
• Review and advise on legal agreements regarding the collection, protection, de-identification, transfer, and use of regulated and/or sensitive data, offering guidance on methods to minimize privacy compliance risk.
• Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements.
• Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed.
• Lead the privacy incident and breach response processes including performing prompt and timely investigation in partnership with appropriate stakeholders, including Information Security, Legal and Clinical Risk Management.
• Conduct root cause analysis, corrective action plans and reporting obligations.
• Serve as liaison with federal and state oversight agencies.
• Oversee use of our third-party incident management system (RADAR).
• Lead the development of privacy policies, procedures, training materials and other communications to increase employee understanding of company privacy policies, data handling practices and legal obligations.
• Develop strategic role-based privacy training course content for target audience(s) as identified through Privacy audits, reviews and risk assessments.
• Work cross-functionally to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
• Work with all company personnel involved with the release of protected information to ensure coordination with the organization's policies, procedures and legal requirements.
• Oversee the framework and procedures to facilitate individual requests for release or disclosure of personal and/or protected information.
• Manage the organization's records retention, storage and destruction program.
• Periodically revise the privacy and data protection program to address changes in laws, regulations or company policy.
• Coordinate with the appropriate regulating bodies to ensure that programs, policies and procedures involving civil rights, civil liberties and privacy considerations are addressed in an integrated and comprehensive manner.
• Collaborate effectively with representatives of the U.S. Department of Health and Human Service's Office for Civil Rights (OCR), state regulators and/or other legal entities as well as appropriate internal partners and outside counsel during privacy incident response or government-initiated privacy or data security related reviews, audits or investigations.
• Work effectively with compliance leaders, information security, legal counsel, and other related parties to represent OCH information privacy interests with external parties (state or local government bodies) that adopt or amend privacy legislation, regulations, or related expectations.
• Monitor advancements in emerging technologies, including but not limited to Artificial Intelligence (AI), to ensure that the use of such technologies maximizes value for the organization while complying with applicable privacy and data security obligations.
• Lead and/or serve as subject matter expert with privacy due diligence and integration initiatives with new business models and M&A activity.
• Build, mentor, and develop a best-in-class privacy team.
• Manage, hire and retain staff and be accountable for the performance of the team.

Requirements

• At least 12 years of professional experience in privacy, data protection or related experience required.
• Professionally licensed or certified as an attorney or privacy professional.
• Bachelor's degree in business, health care administration or relevant field required.
• Proven experience designing and operating healthcare related privacy programs, including expertise with HIPAA.
• Beyond HIPAA, demonstrated current working knowledge of other relevant and emerging privacy and data protection laws and regulation, including but not limited to, TCPA.
• Knowledge of data processing operations within healthcare.
• Familiarity with computer security system infrastructure.
• Demonstrated expertise acting as a representative of the company and interacting with senior level management, board members, and federal and state regulators on compliance and privacy matters.
• Experience at a fast-paced company, and successful management of projects.
• Experienced and supportive people leader to manage, develop and mentor teams and work cross-functionally with other key stakeholders.

Nice-to-haves

• One or more of the following privacy or data protection related certification is preferred: CIPP, CIPM, HCISPP, CDP or CHPC.
• Preference for direct experience in home infusion services, pharmacy, provider settings and/or nursing.
• Experience with privacy incident management tools, such as RADAR or other governance, risk and compliance (GRC) software.

Benefits

• 401k
• Dental Insurance
• Disability Insurance
• Health Insurance
• Life Insurance
• Paid Time off
• Vision Insurance