HIPAA Privacy and Information Security Officer in Denver, CO at Mental Health Center of Denver

Date Posted: 7/18/2019

Job Description


Reporting directly to the Chief Operating Officer, the Privacy/Information Security Officer will interact with all facets and levels of the organization in helping guide the organization through privacy and information security matters relating to its diverse scope of health care programs and service offerings. This position will be responsible for managing Mental Health Center of Denver’s privacy and information security programs, including upholding the organization’s policies and procedures, designing and implementing training and education programs, and being the subject matter expert on privacy and information security requirements. The Privacy/Information Security Officer will partner frequently with the Director of Compliance, the Director of Health Information Systems Management, and the Director of Information Technology.

The Privacy/Information Security Officer will serve as the organization’s HIPAA Privacy Officer and HIPAA Security Officer. Therefore, candidates for this position must have in-depth knowledge of both HIPAA privacy and security.

SALARY RANGE: $85,000/yr. - $93,000/yr.



  • Provides strategic planning and direction for privacy and information security efforts in accordance with the vision, values, and mission of the Mental Health Center of Denver. Promotes and models a HIPAA-centric culture and provides education and support within the organization, as well as with key external stakeholders.
  • Responsible for implementing, managing, and enforcing information security directives as mandated by HIPAA.
  • Ensures that the HIPAA requirements for access control, disaster recovery, business continuity, incident response, and facility security are properly addressed.
  • Remains current on applicable federal and state privacy, confidentiality, and information security laws.
  • Collaborates with the Director of Health Information Systems Management (HISM) regarding an individual’s rights under HIPAA, including the right to inspect, amend, and restrict access to protected health information.
  • Provides guidance to staff on questions concerning use and disclosure of protected health information.
  • Assists in the administration and oversight of Business Associate Agreements (BAA), confidentiality agreements, or other contracting matters related to privacy and information security requirements.

Policies and Procedures

  • Works with Compliance Department to create, maintain, and revise privacy and information security policies, procedures, forms, notices, and associated materials. Collaborates with other departments (e.g., Human Resources, Information Systems, and Real Estate) as appropriate.

Audits and Risk Assessments

  • Conducts audits to determine if organization is complying with privacy and information security policies, procedures, and applicable regulatory standards. Collaborates with impacted parties to develop and implement action plans to address audit findings.
  • Conducts periodic risk assessments to identify, prioritize, and evaluate privacy and information security risks. Identifies gaps and implements mitigation or corrective action plans that align with organizational objectives, contractual obligations, and applicable regulations.
  • Performs ongoing risk assessments and audits to ensure that information systems are adequately protected and meet HIPAA certification requirements.
  • Oversees audits and risk assessments contracted to third parties, including an annual risk assessment of the electronic health record and an annual information systems security audit.

Training/Education/Security Reminders

  • Oversees development and delivery of privacy/information security training, orientation, and on-going education.
  • Creates an awareness program, including reminders about privacy/information security requirements.


  • Receives, investigates, and responds to privacy/information security questions and concerns, including those submitted through the Confidential Incident Reporting (CIR) system. Promptly, properly, and consistently addresses issues and takes steps to prevent recurrence.
  • Provides guidance to Human Resources to promote consistent and appropriate sanctions for failure to comply with state and federal privacy and information security requirements, as well as organizational policies and procedures related to privacy/information security.
  • When required, performs a risk assessment consistent with the HIPAA Breach Notification Rule. In the event of a Breach, coordinates all notification requirements consistent with the HIPAA Breach Notification Rule and applicable state law.
  • Leads an incident response team to contain, investigate, and prevent future computer security breaches.

Job Requirements


  • Certification in health care policy, privacy, and/or information security preferred (e.g., CHPS, CHPC, CIPP, HCISPP)
  • Bachelor’s degree required.


  • Minimum of 5 years’ experience in healthcare compliance, including privacy or information security.
  • Experience managing a high work volume, managing changing priorities, and working cooperatively with a positive attitude. 
  • Experience maintaining a high degree of discretion, integrity, and sensitivity to confidentiality and privacy.
  • Experience in a behavioral health care environment highly desirable.


  • Knowledge of applicable Colorado laws preferred. Knowledge of federal regulations regarding confidentiality of substance use disorder patient records (42 CFR Part 2) preferred.
  • Knowledge and understanding of the HITECH Act to safeguard and protect electronic health information and ensure secure information exchange.
  • Must be able to work independently, prioritize, multi-task, and interact with individuals at all levels of the organization.
  • Strong critical thinking and decision-making skills. Ability to identify issues and develop innovative solutions.
  • Ability to communicate clearly, tactfully, and professionally both orally and in writing.
  • Consistently demonstrate a high standard of personal and professional conduct, ethics, objectivity, judgment, and discretion.
  • Knowledge of information security auditing tools and techniques.
  • Knowledge of information technology and systems.
  • Knowledge and understanding of trauma-informed care principles/practices.


MACHINES AND EQUIPMENT TO BE USED: Computers, calculators, fax machines, copiers, telephone and a variety of other office/clerical equipment.

TYPICAL PHYSICAL DEMANDS: Requires sitting, standing, bending and reaching. May require lifting up to 50 pounds. Requires manual dexterity sufficient to operate standard office machines such as computers, fax machines, the telephone and other office and/or clinical equipment.

WORKING CONDITIONS: May require occasional evening or weekend hours.