We use cookies. Find out more about it here. By continuing to browse this site you are agreeing to our use of cookies.
I agree and accept cookies
Main menu
Post a Job
Request a Demo
Yes
No
Both
Advanced search
#alert
Back to search results / More jobs like this
Back to search results
New
Mass General Brigham (Enterprise Services) jobs

Privacy Specialist ll

Mass General Brigham (Enterprise Services)
United States, Massachusetts, Somerville
399 Revolution Drive (Show on map)
Feb 06, 2026
Mass General Brigham is seeking a Privacy Compliance Specialist II to advance its enterprise-wide privacy compliance program across its network. The Privacy Specialist II will support the enterprise privacy program with a focus on incident response, third-party risk, technology onboarding, and compliance with the new DOJ Data Transfer Rule governing sensitive personal data and bulk data transfers. This role will partner closely with clinical, research, Digital, and business operations teams to ensure appropriate handling of PII, PHI, and other regulated data across the organization.
This role ensures compliance with health and data privacy laws, including the HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2, US state privacy laws, GDPR, international privacy laws, and the Department of Justice's Data Transfer Rule. Key responsibilities include privacy incident investigations, documentation, mitigation and notifications to affected individuals and regulators; privacy audits; Privacy Impact Assessments; system/vendor privacy evaluations; data transfer reviews, website and application privacy consults, drafting Terms of Use; and advising on AI privacy risks. The Privacy Specialist II serves as a trusted business partner and privacy subject matter expert adviser to various stakeholders throughout the organization, including Human Resources, Supply Chain, Information Security, Health Information Management, Digital, and MGB's Health Plan. The Privacy Specialist II leads privacy training presentations and partners with the Privacy Training Program leadership to design, deliver, and maintain the organization's privacy compliance training program. The Specialist also leads process improvement initiatives for the department.
Essential Functions
-Develop, update, maintain and advise on the hospital's privacy policies and procedures in alignment with federal, state, and local privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 CFR Part 2, U.S. state privacy laws, U.S. Department of Justice Data Transfer rules, GDPR, and international privacy regulations.
-Conduct regular privacy training sessions for hospital staff and employees to ensure understanding and compliance with privacy policies and safeguarding PHI.
-Perform periodic privacy audits and assessments to evaluate the effectiveness of privacy controls and identify areas for improvement.
-Respond to privacy incidents and breaches, conduct investigations, and implement corrective actions to prevent future incidents.
-Conduct privacy risk assessments to identify potential vulnerabilities and develop strategies to mitigate privacy risks.
-Develop, prepare, and present privacy metrics, audit results, and data-driven insights to leadership
-Respond to patients and their families related to privacy rights and inquiries.
-Prepare and submit reports on privacy compliance to hospital leadership and regulatory authorities, as required.

Education

  • Bachelor's Degree in a related field of study required

  • Master's Degree Related Field of Study or Juris Doctor in related field of study preferred

Experience

  • 2+ years of healthcare privacy compliance experience required

  • Demonstrated experience interpreting and applying HIPAA, HITECH, and other federal, state, international privacy regulations preferred

Certifications:

  • CHPC, CIPP/US, CIPP/E, CIPM, or comparable privacy certifications preferred

Knowledge, Skills and Abilities

  • In-depth knowledge of privacy laws, regulations, and standards, including HIPAA, HITECH, and state privacy laws, as well as their application in healthcare settings.

  • Excellent communication and interpersonal skills to interact with hospital staff, patients, and regulatory authorities regarding privacy matters.

  • Strong analytical and problem-solving skills to conduct privacy risk assessments and respond to privacy incidents effectively.

  • Ability to manage multiple priorities and tasks, ensuring timely completion of privacy-related initiatives.

Regulatory Compliance & Monitoring

  • Ensure compliance with HIPAA Privacy and Security Rules, HITECH, 42 CFR Part 2, U.S. state privacy laws, GDPR, and international privacy regulations.

  • Plan for and guide implementation of emerging state privacy legislation, including the anticipated Massachusetts comprehensive privacy law expected in 2026.

  • Monitor and advise on data transfer requirements and safeguards, including developments related to DOJ-rule.

  • Monitor and implement safeguards for website privacy, geolocation data, and patient portal security.

  • Continuously track regulatory changes and translate requirements into updated policies, procedures, and controls.

Risk & Vendor Assessments

  • Conduct HIPAA/HITECH privacy risk assessments and formal Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs), documenting findings and mitigation plans.

  • Perform vendor/business associate privacy assessments and contract reviews to ensure third-party compliance with regulatory and contractual obligations.

  • Advise on AI privacy risk assessments-evaluate data use, algorithmic transparency, model governance, and regulatory/ethical compliance in clinical and operational AI solutions.

  • Manage GDPR reporting obligations to controllers and, where applicable, supervisory authorities/Data Protection Authorities (DPAs).

Auditing & Incident Management

  • Conduct proactive EHR audits (e.g., inappropriate access, snooping, break-the-glass events) and trend monitoring to detect and prevent privacy violations.

  • Design and implement privacy safeguards and terms of use for digital health services.

  • Conduct all aspects of privacy incident investigations-including root cause analysis, containment, and remediation planning, risk assessment, documentation and ensure timely notifications to affected patients, research participants, employees, and to state/federal agencies and regulators as required.

Policy Development & Implementation

  • Develop, maintain, and operationalize privacy policies and standards tailored to healthcare provider operations

  • Embed privacy-by-design into clinical, administrative, and digital workflows;

  • Lead process improvement initiatives to strengthen privacy compliance and operational efficiency.

  • Coordinate corrective actions and remediation plans for identified compliance gaps, findings, and audit issues.

Collaboration, Analytics & Reporting

  • Partner with IT Security, Legal, Compliance, Research, HR, Health Plan Operations, and clinical leadership to align privacy practices and controls.

  • Develop privacy metrics and dashboards.

  • Prepare and present privacy metrics, audit results, and data-driven insights to leadership and regulatory bodies as needed; support committee reporting.

  • Act on behalf of the Privacy Program Manager when requested to represent the privacy function in meetings and initiatives.

Training, Communications & Education

  • Lead privacy training presentations tailored to clinical staff, administrative teams, researchers, students, interns and business associates.

  • Assist the Privacy Program Manager in designing, scheduling, and maintaining the privacy compliance training program;

  • Develop content for privacy awareness (e.g., website, newsletters, targeted communications) and foster a culture of privacy across the organization.

Performs other duties as assigned

Complies with all policies and standards



Mass General Brigham Incorporated is an Equal Opportunity Employer. By embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment.
Applied = 0
MORE JOBS LIKE THIS

(web-54bd5f4dd9-lsfmg)