HIPAA Privacy and Security Officer in Denver, CO at Mental Health Center of Denver

Date Posted: 12/27/2019

Job Description


Reporting directly to the Chief Operating Officer, the HIPAA Privacy & Security Officer will interact with all facets and levels of the organization in managing privacy and information security compliance related to Mental Health Center of Denver’s diverse scope of health care programs and service offerings. This position will be responsible for continuing to build and maintain Mental Health Center of Denver’s HIPAA privacy and security programs, including upholding the organization’s policies and procedures, designing and implementing training and education programs, and being the subject matter expert on HIPAA privacy and security requirements. The HIPAA Privacy & Security Officer will partner frequently with the Director of Compliance, the Director of Health Information Systems Management (that is, Medical Records), and the Director of Information Technology.

Candidates for this position must have deep understanding of all aspects of the HIPAA Privacy and Security Rules, including the ability to articulate and explain them to others and apply them to Mental Health Center of Denver.


HIRING RANGE: $85,000 - $93,000
  • Provides strategic planning and direction for privacy and information security efforts in accordance with the vision, values, and mission of the Mental Health Center of Denver. Promotes and models a HIPAA-centric culture and provides education and support within the organization, as well as with key external stakeholders.
  • Ensures that the HIPAA requirements for access control, disaster recovery, business continuity, incident response, and facility security are properly addressed.
  • Possesses the knowledge and ability to apply the principles of health information management, including access, release of information, accounting of disclosures, and right to amend Protected Health Information (PHI).
  • Provides guidance to staff on questions concerning use and disclosure of protected health information.
  • Ensures alignment between HIPAA privacy and security programs, including policies and procedures, training, and investigations.
  • Other duties as assigned.


  • Works with Compliance Department to create, maintain, and revise HIPAA privacy and security policies, procedures, forms, notices, and associated materials. Collaborates with other departments (e.g., Human Resources, Information Systems, and Real Estate) as appropriate.
  • Assists in the administration and oversight of Business Associate Agreements (BAA), confidentiality agreements, or other contracting matters related to HIPAA privacy and security requirements.

 Audits/Monitoring/Risk Assessments

  • Conducts audits to determine if organization is complying with HIPAA privacy and security policies, procedures, and applicable regulatory standards. Collaborates with impacted parties to develop and implement action plans to address audit findings.
  • Conducts periodic risk assessments to identify, prioritize, and evaluate HIPAA privacy and security risks. Identifies gaps and implements mitigation or corrective action plans that align with organizational objectives, contractual obligations, and applicable regulations.
  • Performs ongoing risk assessments and audits to ensure that information systems are adequately protected and meet HIPAA certification requirements.
  • Oversees audits and risk assessments contracted to third parties, including an annual risk assessment of the electronic health record and an annual information systems security audit.
  • Reviews role-based access controls, oversees audits of access to PHI, recommends appropriate action necessary as a result of audit activities.
  • Conducts HIPAA-related compliance monitoring activities in coordination with the organization’s other compliance and operational assessment functions. Manages and conducts privacy walk-throughs of clinical and residential sites.

 Training/Education/Security Reminders

  • Oversees development and delivery of HIPAA privacy and security training, orientation, and on-going education.
  • Creates awareness program, to include reminders about privacy/information security requirements.
  • Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on questions, concerns, and complaints regarding potential breaches of PHI. Promptly, properly, and consistently addresses issues and takes steps to prevent recurrence.
  • Provides guidance to Human Resources to promote consistent and appropriate sanctions for failure to comply with state and federal privacy and security requirements, as well as organizational policies and procedures related to privacy and security.
  • When required, performs a risk assessment consistent with the HIPAA Breach Notification Rule. In the event of a breach, coordinates all notification requirements consistent with the HIPAA Breach Notification Rule and applicable state law.
  • Leads an incident response team to contain, investigate, and prevent future computer security breaches.

Job Requirements


  • Bachelor’s degree required.
  • Certification in health care policy, privacy, and/or information security preferred (e.g., CHPS, CHPC, CIPP, HCISP
  • Minimum of 4 years’ experience in healthcare provider, payor, or other healthcare-related setting working with HIPAA regulations.
  • Experience in a behavioral health care environment highly desirable.
  • Knowledge of applicable Colorado laws preferred. Knowledge of federal regulations regarding confidentiality of substance use disorder patient records preferred (42 CFR Part 2).


  • Must be able to work independently, prioritize, multi-task, and interact with individuals at all levels of the organization. Strong critical thinking and decision-making skills.
  • Ability to communicate clearly, tactfully, and professionally both orally and in writing, and ability to understand the intended audience in order to communicate effectively.
  • Consistently demonstrates a high standard of personal and professional conduct, ethics, objectivity, judgment, and discretion.
  • Knowledge of or ability to learn and practice trauma-informed care principles/practices.
  • Possess an appreciation for information systems and an understanding of electronic health records.
  • Knowledge of information security auditing tools and techniques.


MACHINES AND EQUIPMENT TO BE USED: Computers, calculators, fax machines, copiers, telephone and a variety of other office/clerical equipment.

TYPICAL PHYSICAL DEMANDS: Requires sitting, standing, bending and reaching. May require lifting up to 50 pounds. Requires manual dexterity sufficient to operate standard office machines such as computers, fax machines, the telephone and other office and/or clinical equipment.

WORKING CONDITIONS: May require occasional evening or weekend hours.