This position works with the CEO and Executive to ensure the corporate Privacy and Records Management program and its holdings of personal health information, personal information, and all corporate information are met with regard to compliance, intra-organizational, and regional collaboration, agent training, public relations, program improvement, data governance, third party contracts, and incident response. This is accomplished by the regular assessment, development, coordination and execution of implementation plans dealing with international, federal and provincial privacy legislation.
Within this role the employee is accountable for contributing to the delivery of the Kingston Health Sciences strategy, for demonstrating an awareness of and actively promoting and supporting patient and family centered engagement and care. The employee is also accountable for modeling KHSC values and guiding principles within a culture of safety, continuous quality improvement, risk awareness, and learning.
RESPONSIBILITIES & DUTIES INCLUDE:
- This position is accountable to fulfill responsibilities of the Hospital by Board delegation under the Freedom of Information Protection of Privacy Act.
- Serves in a leadership role to the corporate Privacy and Records Management team and provides advice and guidance as a privacy consultant to its business and regional partners
- Prepares, evaluates, monitors and submits annual budget for the Privacy and Records Management program to the EVP, CIO ensuring adequate human resources, supplies and capital equipment are available and controlled.
- Ensures all activities related to the development, implementation, maintenance of, and adherence to the Hospital’s policies and procedures covering the privacy, confidentiality and security of corporate information are in place for its full lifecycle, as well as information for which the Hospital is the Health Information Network Provider, or other provider as indicated in PHIPA or under appropriate agreement.
- Primary contact/liaison with the Information Privacy Commissioner of Ontario and other regulatory bodies.
- Coordinates regulatory monitoring efforts by liaising with regulatory bodies in compliance with privacy reviews or investigations.
- Engages and works with Labor Relations on privacy or performance-related incidents and recommends actions.
- Develops processes to ensure mandatory compliance is met and that reports are provided to Board and Executive.
- Develops corporate mandatory privacy and records management training materials and other communications to increase employee, learner and volunteer understanding of Hospital privacy policies, data handling practices and procedures and legal obligations.
- Ensures the establishment and administration of processes for receiving, documenting, tracking, investigating and taking effective action on all public, patient and employee complaints concerning the corporate privacy and records management policies and procedures in coordination and collaboration with other similar functions and when necessary, legal counsel or other authorities.
- Conducts on-going activities to foster information privacy and security awareness within the Hospital and its business/regional partners.
- Serves in a leadership role for privacy matters in Hospital and regional groups and committees to ensure the ongoing development, implementation and sustainment of corporate privacy programs for the Hospital and our business partners.
- Assists other business units with development of tools and methodologies to ensure on-going privacy compliance.
- Performs privacy risk assessments, and conducts related ongoing compliance monitoring activities in coordination with the Hospital’s other compliance and operational needs.
- Participates in the development, implementation, and ongoing compliance monitoring of all business partner and associate agreements to ensure that privacy and security concerns, requirements and responsibilities are addressed.
- Establishes with management and operations a mechanism to track patient and employee access to corporate information, within the purview of the Hospital and as required by law to allow qualified individuals to review or receive a report on such activity.
- Maintains current knowledge of relevant international, federal and provincial privacy laws and standards and maintains awareness of advancements in privacy enhancing technologies to ensure Hospital adaptation and compliance.
- Manages the human resources needs of the Department by recruitment and selection of adequate, competent staff and ensures staff receives appropriate Hospital/Departmental orientation training for their jobs. Maintains required daily staffing levels through appropriate scheduling and approval of vacations or leaves of absence. Administers performance management and attendance awareness as per Hospital policy.
- Ensures accurate and current job descriptions are maintained for all positions in the Department.
· Supports the professional growth of self and others through attendance at education seminars, conferences, continuing education, etc.
*NOTE: The above duties are representative but are not to be construed as all-inclusive.
- Undergraduate degree in Records and Information Management, Library Science or health information management, health informatics or in a healthcare discipline preferred; professional certification for privacy, or equivalent combination of education and pertinent experience. Professional privacy certification from a body such International Association of Privacy Professionals (CIPP/C).
- Current certification with the Canadian Health Information Management Association (CHIMA)
- 7 – 10 years’ experience in progressive management in a healthcare environment of which at least five years are privacy-related.
- Excellent knowledge of, and experience in researching and applying relevant information privacy laws, regulations, jurisprudence as established by the Information and Privacy Commissioner of Ontario and risk countermeasures.
- Excellent knowledge of privacy and security and records management lifecycle concepts, trends, and issues. This will include an understanding of their impact on business processes, as well as skill with interpretation and communication of principles and compliance requirements.
- Excellent knowledge of privacy risk assessment processes, methodologies and tools.
- Demonstrated excellence in leadership, organizational, investigative, de-escalation, facilitation, and communication and presentation skills.
- Knowledge and ability to interpret and apply Ontario’s information privacy laws (PHIPA, FIPPA) and their respective regulations and related jurisprudence.
- Familiarity with federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Knowledge of compliance requirements, tools and measures.
- Understanding of related disciplines, such as IT security, IT system design, policy development (privacy and, or security), business architecture, legal processes, risk and project management.
- Knowledge of and experience in conducting privacy impact assessments (PIA), knowledge of, and experience with privacy enhancing best practices.
- Knowledge and ability to understand data flow diagrams and business process diagrams.
- Knowledge of information technology concepts and processes that impact the protection of personal information.
- Knowledge of, and experience with the development of policies and procedures within healthcare organizations (e.g. business case development, project approvals and policy development).
- Experience in developing privacy risk assessment tools, methodologies, policies and procedures to effectively manage personal and confidential information.
- Knowledge of policies, directives, standards, business rules, procedures and guidelines relating to records management including classification, retention and disposition of information.
- Experience providing education and training related to privacy and records management.
- Satisfactory CPIC with vulnerable sector search