Site: Mass General Brigham Incorporated

 

Mass General Brigham relies on a wide range of professionals, including doctors, nurses, business people, tech experts, researchers, and systems analysts to advance our mission. As a not-for-profit, we support patient care, research, teaching, and community service, striving to provide exceptional care. We believe that high-performing teams drive groundbreaking medical discoveries and invite all applicants to join us and experience what it means to be part of Mass General Brigham.

 

 

Job Summary

Mass General Brigham is seeking a Privacy Compliance Specialist II to advance its enterprise-wide privacy compliance program across its network. The Privacy Specialist II will support the enterprise privacy program with a focus on incident response, third-party risk, technology onboarding, and compliance with the new DOJ Data Transfer Rule governing sensitive personal data and bulk data transfers. This role will partner closely with clinical, research, Digital, and business operations teams to ensure appropriate handling of PII, PHI, and other regulated data across the organization.

This role ensures compliance with health and data privacy laws, including the HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2, US state privacy laws, GDPR, international privacy laws, and the Department of Justice’s Data Transfer Rule. Key responsibilities include privacy incident investigations, documentation, mitigation and notifications to affected individuals and regulators; privacy audits; Privacy Impact Assessments; system/vendor privacy evaluations; data transfer reviews, website and application privacy consults, drafting Terms of Use; and advising on AI privacy risks. The Privacy Specialist II serves as a trusted business partner and privacy subject matter expert adviser to various stakeholders throughout the organization, including Human Resources, Supply Chain, Information Security, Health Information Management, Digital, and MGB’s Health Plan. The Privacy Specialist II leads privacy training presentations and partners with the Privacy Training Program leadership to design, deliver, and maintain the organization’s privacy compliance training program. The Specialist also leads process improvement initiatives for the department.

Essential Functions

-Develop, update, maintain and advise on the hospital's privacy policies and procedures in alignment with federal, state, and local privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 CFR Part 2, U.S. state privacy laws, U.S. Department of Justice Data Transfer rules, GDPR, and international privacy regulations.

-Conduct regular privacy training sessions for hospital staff and employees to ensure understanding and compliance with privacy policies and safeguarding PHI.

-Perform periodic privacy audits and assessments to evaluate the effectiveness of privacy controls and identify areas for improvement.

-Respond to privacy incidents and breaches, conduct investigations, and implement corrective actions to prevent future incidents.

-Conduct privacy risk assessments to identify potential vulnerabilities and develop strategies to mitigate privacy risks.

-Develop, prepare, and present privacy metrics, audit results, and data-driven insights to leadership

-Respond to patients and their families related to privacy rights and inquiries.

-Prepare and submit reports on privacy compliance to hospital leadership and regulatory authorities, as required.

 

Education

• Bachelor's Degree in a related field of study required

• Master's Degree Related Field of Study or Juris Doctor in related field of study preferred
   

Experience

• 5+ years of experience preferred in healthcare privacy compliance

• Demonstrated experience interpreting and applying HIPAA, HITECH, and other federal, state, international privacy regulations preferred

Certifications:

• CHPC, CIPP/US, CIPP/E, CIPM, or comparable privacy certifications preferred

Knowledge, Skills and Abilities

• In-depth knowledge of privacy laws, regulations, and standards, including HIPAA, HITECH, and state privacy laws, as well as their application in healthcare settings.

• Excellent communication and interpersonal skills to interact with hospital staff, patients, and regulatory authorities regarding privacy matters.

• Strong analytical and problem-solving skills to conduct privacy risk assessments and respond to privacy incidents effectively.

• Ability to manage multiple priorities and tasks, ensuring timely completion of privacy-related initiatives.

Regulatory Compliance & Monitoring

• Ensure compliance with HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2,  U.S. state privacy laws, GDPR, and international privacy regulations.

• Plan for and guide implementation of emerging state privacy legislation, including the anticipated Massachusetts comprehensive privacy law expected in 2026.

• Monitor and advise on data transfer requirements and safeguards, including developments related to DOJ-rule.

• Monitor and implement safeguards for website privacy, geolocation data, and patient portal security.

• Continuously track regulatory changes and translate requirements into updated policies, procedures, and controls.
   

Risk & Vendor Assessments

• Conduct HIPAA/HITECH privacy risk assessments and formal Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs), documenting findings and mitigation plans.

• Perform vendor/business associate privacy assessments and contract reviews to ensure third-party compliance with regulatory and contractual obligations.

• Advise on AI privacy risk assessments—evaluate data use, algorithmic transparency, model governance, and regulatory/ethical compliance in clinical and operational AI solutions.

• Manage GDPR reporting obligations to controllers and, where applicable, supervisory authorities/Data Protection Authorities (DPAs).
   

Auditing & Incident Management

• Conduct proactive EHR audits (e.g., inappropriate access, snooping, break-the-glass events) and trend monitoring to detect and prevent privacy violations.

• Design and implement privacy safeguards and terms of use for digital health services.

• Conduct all aspects of privacy incident investigations—including root cause analysis, containment, and remediation planning, risk assessment, documentation and ensure timely notifications to affected patients, research participants, employees, and to state/federal agencies and regulators as required.
   

Policy Development & Implementation

• Develop, maintain, and operationalize privacy policies and standards tailored to healthcare provider operations

• Embed privacy-by-design into clinical, administrative, and digital workflows;

• Lead process improvement initiatives to strengthen privacy compliance and operational efficiency.

• Coordinate corrective actions and remediation plans for identified compliance gaps, findings, and audit issues.
   

Collaboration, Analytics & Reporting

• Partner with IT Security, Legal, Compliance, Research, HR, Health Plan Operations, and clinical leadership to align privacy practices and controls.

• Develop privacy metrics and dashboards.

• Prepare and present privacy metrics, audit results, and data-driven insights to leadership and regulatory bodies as needed; support committee reporting.

• Act on behalf of the Privacy Program Manager when requested to represent the privacy function in meetings and initiatives.
   

Training, Communications & Education

• Lead privacy training presentations tailored to clinical staff, administrative teams, researchers, students, interns and business associates.

• Assist the Privacy Program Manager in designing, scheduling, and maintaining the privacy compliance training program;

• Develop content for privacy awareness (e.g., website, newsletters, targeted communications) and foster a culture of privacy across the organization.

Performs other duties as assigned

Complies with all policies and standards

Working Schedule:

• Hybrid, once per week onsite at Assembly Row in Somerville, MA. Onsite presence required for trainings as needed

 

 

Remote

 

399 Revolution Drive

 

40

 

Regular

 

Day (United States of America)

 

Pay Range

$63,648.00 - $90,750.40/Annual

 

Grade

6

 

At Mass General Brigham, we believe in recognizing and rewarding the unique value each team member brings to our organization. Our approach to determining base pay is comprehensive, and any offer extended will take into account your skills, relevant experience if applicable, education, certifications and other essential factors. The base pay information provided offers an estimate based on the minimum job qualifications; however, it does not encompass all elements contributing to your total compensation package. In addition to competitive base pay, we offer comprehensive benefits, career advancement opportunities, differentials, premiums and bonuses as applicable and recognition programs designed to celebrate your contributions and support your professional growth. We invite you to apply, and our Talent Acquisition team will provide an overview of your potential compensation and benefits package.

 

0100 Mass General Brigham Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. To ensure reasonable accommodation for individuals protected by Section 503 of the Rehabilitation Act of 1973, the Vietnam Veteran’s Readjustment Act of 1974, and Title I of the Americans with Disabilities Act of 1990, applicants who require accommodation in the job application process may contact Human Resources at (857)-282-7642.

 

Mass General Brigham Competency Framework