Flatiron Health is seeking a Privacy Officer to oversee all activities related to the development, implementation, oversight, and continuous improvement of Flatiron’s policies and procedures regarding the privacy of personal information (including PHI), particularly in the context of clinical research, in compliance with international, federal and state laws and regulations.
Together with Flatiron’s Privacy team, the Privacy Officer will be accountable for Flatiron’s privacy framework, plans and strategic direction for protecting Flatiron’s data assets, program compliance monitoring, incident and breach investigation and tracking, and compliance with applicable privacy laws and regulations. The Privacy Officer is the subject matter expert in all areas of data privacy and is capable of providing principled, practical guidance and solutions when issues arise that relate to Flatiron’s sensitive information.
The Privacy Officer will report to the General Counsel and will interact with all levels of management and multiple departments throughout the company as well as outside counsel, regulators, customers, vendors, and industry groups.
With the support of Flatiron’s Privacy team and in collaboration and consultation with Legal, Compliance, Security, Quality and other key stakeholders, the Privacy Officer will:
- Develop, promote, oversee and maintain Flatiron’s privacy policies, procedures and related documentation.
- Collaborate closely with the security, engineering and other business teams to build in privacy safeguards and ensure awareness of best practices on privacy and data security issues.
- Review all system-related information security plans to ensure alignment between security and privacy practices, and regularly liaise with the Security and IT teams.
- Deliver or ensure delivery of privacy and related trainings to all employees, contractors, and other appropriate third parties. Initiate, facilitate and promote activities to foster a company-wide culture of information privacy awareness and compliance.
- Develop and implement policies and procedures for responding to privacy incidents and privacy breaches including, without limitation, investigation of and response to such events and appropriate notification of clients, affected individuals and government agencies.
- Assist with negotiation of agreements related to data privacy and advise on the regulatory implications of Flatiron’s products and services.
- Participate in the development, implementation, and ongoing monitoring of vendors' compliance with privacy- and data security-related policies and legal requirements.
- Perform periodic risk assessments and conduct related ongoing compliance monitoring activities to evaluate the potential risks associated with privacy-related policies, procedures and practices.
- Oversee and optimize compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all staff and vendors, in cooperation with People Operations, Security, Quality and Legal, as applicable.
- Work with senior management to establish a cross-functional Privacy Committee and serve in a leadership role for the Privacy Committee’s activities.
- Cooperate with the Office of Civil Rights and other government and corporate functions on external and internal audits.
- Lead and manage a team of privacy and compliance staff, specialists, and managers.
- Maintain current knowledge of applicable privacy-related state, federal and international laws and regulations and associated best practices, advise stakeholders on potential impact, and ensure organizational compliance.
- Represent Flatiron in interactions with external stakeholders, including governmental bodies and media, with regard to Flatiron’s privacy position and efforts.
- Deep understanding of federal, state and international information privacy laws, including but not limited to HIPAA, HITECH, Common Rule, Privacy Shield and GDPR. In-depth understanding of data aggregation and de-identification.
- 10+ years of experience creating and implementing health care privacy programs, including experience with the privacy implications of research activities, in the academic medical center, health system and/or private practice settings.
- Excellent judgment and a principled, practical, collaborative and solutions-oriented approach to problem-solving.
- Ability to provide sound, clear and succinct recommendations and analysis to senior management, legal and business teams.
- Demonstrated organization, facilitation, communication, presentation and people management skills.
- Ability to multi-task, work under tight time pressures, prioritize work, and react quickly to changing business needs and demands all in a fast-paced, high-growth business environment.
- Juris Doctor degree (optional)
- CIPP (Certified Information Privacy Professional), CHPC (Certificate in Healthcare Privacy Compliance) or CHPS (Certificate in Healthcare Privacy & Security)