What are the responsibilities and job description for the Compliance & Privacy Officer position at Central Montana Medical Center?
Department Compliance Exempt
Immediate Supervisor TBD
Supervisor next CEO Workweek 40
in line
POSITION SUMMARY
The Compliance & Privacy Officer is responsible for the development, implementation, oversight, and continuous
improvement of ’s Corporate Compliance Program and Privacy Program in
accordance with CMS Conditions of Participation, OIG Compliance Program Guidance, and HIPAA regulations.
This position serves as the designated Compliance Officer and HIPAA Privacy Officer and has responsibility and
authority to ensure the organization operates in accordance with all applicable federal, state, and local laws and
regulations.
The Compliance & Privacy Officer maintains independent access to the Board of Trustees, providing regular reports at
least quarterly regarding program effectiveness, risks, investigations, and corrective actions.
The position has the authority to conduct independent investigations, access all necessary records, and recommend
corrective and disciplinary actions in alignment with organizational policy and regulatory requirements.
Continued employment and raises in this position are dependent upon 's
fiscal viability and:
- Actions and communications that contribute to a team concept and create a positive environment for all
- Acceptable performance of essential and all job duties
- Acceptable attendance record
- Accountability for safety to self, patients, visitors and all customers, and care of equipment and building
- Adherence to departmental and facility policies and procedures, education requirements, compliance monitoring
- Accountability for the consequences of own actions
- Physical and emotional ability to perform essential functions
- Acceptable background investigation results if required for position
Minimum Education, Experience, Licensure, Certification required:
Qualifications:
- Bachelor’s degree in healthcare administration, business, nursing, legal studies, health information
- Equivalent combination of education and relevant experience in healthcare, compliance, privacy, quality, or
- Working knowledge of healthcare regulations, privacy laws, and compliance principles preferred
- Certification in healthcare compliance or privacy (e.g., CHC, CHP) preferred or willingness to obtain within a
Experience:
- Minimum of two (2) years of experience in healthcare, regulatory, compliance, privacy, quality, health
- Experience in policy development, auditing, investigations, education, or regulatory processes preferred
- Prior leadership, coordination, or project management experience is beneficial but not required
ESSENTIAL FUNCTIONS/DUTIES:
(Must be able to perform with or without accommodation)
1 Supports and demonstrates ’s Vision, Mission and Values Statements.
MANAGEMENT
2 Policy Development and Implementation:
- Develops, implements, and maintains written compliance and privacy policies, procedures, and
- Ensures policies reflect current regulatory requirements including CMS Conditions of Participation and
- Oversees periodic review and revision of the Notice of Privacy Practices and the CMMC Code of
3 Program Oversight and Governance:
- Oversees and administers the Corporate Compliance Program consistent with OIG’s Seven Elements of
- Serves as the organization’s designated HIPAA Privacy Officer and oversees compliance with HIPAA
- Provides regular reports (at least quarterly) to the Board of Trustees regarding compliance and privacy
- Maintains independence and authority to execute duties without undue influence.
- Coordinates compliance activities across departments including Risk Management, Quality, Health
4 Staff Training and Education:
- Develops and provides ongoing compliance and privacy education for workforce members, medical staff,
- Ensures training includes HIPAA requirements, reporting obligations, and standards of ethical conduct.
5 Effective Communication and Reporting:
- Maintains a confidential and accessible reporting mechanism (e.g., compliance hotline or reporting
- Promotes a culture of non-retaliation and accountability for reporting concerns.
- Serves as a resource for staff and leadership regarding compliance and privacy questions.
6 Risk Assessment and Mitigation:
- Identify potential privacy risks and vulnerabilities within the organization.
- Implement measures to mitigate risks and prevent unauthorized access or breaches.
7 Monitoring, Auditing and Risk Assessments:
- Conducts ongoing compliance and privacy auditing and monitoring activities.
- Performs periodic risk assessments, including HIPAA Security and Privacy risk analyses.
- Conducts Privacy Impact Assessments (PIAs) for new systems and processes.
- Tracks, trends, and reports compliance and privacy metrics to leadership.
8 Enforcement and Disciplinary Standards:
- Works with Human Resources and leadership to enforce compliance and privacy standards through
- Recommends corrective actions when violations occur, up to and including disciplinary measures in
9 Response, Investigation, and Corrective Action:
- Leads and documents investigations of alleged compliance or privacy violations.
- Implements corrective action plans and ensures timely resolution of identified issues.
- Oversees breach notification and reporting in accordance with HIPAA Breach Notification Rule
- Maintains documentation of all investigations, findings, and resolutions.
MANAGEMENT
10 HIPAA Privacy Program Responsibilities:
- Ensures patient rights under HIPAA are upheld, including access, amendment, and accounting of
- Oversees processes related to authorization, consent, and release of information.
- Ensures Business Associate Agreements (BAAs) are implemented and maintained.
- Monitors vendor and third-party compliance with privacy requirements.
11 Operational and Leadership Responsibilities:
- Serves as a compliance and privacy resource to Administration, Department Leaders, and Medical Staff.
- Participates in committees including Compliance Committee, Quality Committee, and others as
- Assists in development of facility-wide policies and regulatory strategies.
- Supports integration of compliance with patient safety, quality improvement, and risk management
- Completes employee evaluations and supports development of staff if applicable.
15. Completes other duties as assigned
Knowledge, Skills, Abilities:
Knowledge of:
CMS Conditions of Participation
OIG Compliance Program Guidance (Seven Elements)
HIPAA Privacy, Security, and Breach Notification Rules
Healthcare regulatory environment and accreditation standards
Local, State and Federal regulations/requirements
Knowledge and experience in information privacy and security laws, access, release of information, and release
control technologies
Operations of the health care industry
Leadership and Education principles
Skills:
Human relations and oral/written communications skills
Excellent communication and training skills.
Analytical and problem-solving abilities.
Attention to detail and organizational skills.
Ability to work collaboratively with cross-functional teams.
Computer skills
Collection and analysis of data
Preparing and presenting information in a meaningful manner
Developing constructive relationships
Ability to:
Develop and implement policies and procedures
Research information
Coordinate and conduct education
Understand, interpret and educate
Analyze complex privacy issues and develop effective solutions
Communicate effectively with diverse stakeholders, both orally and in writing
Work independently and as part of a team, demonstrating strong interpersonal skills
Adapt to changing regulations and organizational needs
Prioritize and manage multiple tasks in a fast-paced environment
Utilize office equipment and technology as it advances
Collect, abstract, tabulate, aggregate, analyze and display data and statistics
OCCUPATIONAL EXPOSURE for this position:
Category I Direct contact with blood or other bodily fluid to which universal
precautions apply
MANAGEMENT
Category II Activity performed without blood/bodily fluids exposure, but exposure
may occur in emergency
Category III Task/activity does not ordinarily entail predictable exposure to
blood/bodily fluids
OTHER EXPOSURE for this position:
Radiation
Noise
Other (Specify) Poor ventilation system, artificial lighting.
PHYSICAL DEMANDS:
(Essential functions strength rating for position - see Job Analysis)
Sedentary Exert up to 10# occasionally or negligible force frequently
Light Exert up to 20# occasionally, < 10# frequently or negligible force
constantly
Medium Exert up to 50# occasionally, up to 25# or up to 10# constantly
Heavy Exert up to 100# occasionally, up to 50# frequently or up to 20#
constantly
Very Heavy Exert > 100# occasionally, > 50# frequently or
> 20# constantly