HIPAA Privacy Officer

University of Arizona

Mariette Marsh, MPA, CIP
P: 520-626-7575

The University of Arizona has an immediate opening for a HIPAA Privacy Officer.  The HIPAA Privacy Officer oversees all compliance activities related to the development, implementation and enhancement of policies and procedures for the protection of individually-identifiable health information used for clinical, business, and research purposes.  The HIPAA Privacy Officer will have extensive knowledge of federal and state laws and other standards that regulate or otherwise involve privacy, data security, and breach notification requirements.  The HIPAA Privacy Officer will have substantial experience in the development of privacy and security policies, procedures, training programs, audits, risk analyses, and compliance monitoring programs.

This position reports to the Director, Human Subjects Protection & Privacy Program in the office of Research, Discovery & Innovation. The Officer will work closely with the University’s Information Security Office, the Office of the General Counsel, senior University administrators, Deans, Department Heads, faculty members and researchers. The position will require close coordination with multiple colleges and departments within the University, including but not limited to Campus Health Services and Colleges within Arizona Health Sciences Center.  The position will also require regular and frequent communication and coordination with affiliated health care entities, including Banner Health and Dignity Health.

About the University of Arizona HIPAA Privacy Program

The University of Arizona HIPAA Privacy Program is led by the HIPAA Privacy Officer, who oversees all ongoing activities related to UA’s implementation of HIPAA policies and procedures and is the office primarily responsible for ensuring UA’s HIPAA compliance. The UA HIPAA Privacy Officer is the Privacy Officer for designated UA departments and clinics and is responsible for developing and implementing relevant procedures, training and educational materials, and investigating and responding to privacy breaches.

UA is a Hybrid Entity and has designated Health Care Components.  These Health Care Components must comply with the HIPAA Privacy, Security, and Breach Notification Rules and the HIPAA Privacy Officer is responsible for the oversight and management of Health Care Components’ compliance.

Duties and Responsibilities:

  • Serves as the University’s designated HIPAA Privacy Official with the responsibility of notifying and cooperating with applicable governmental agencies in response to external compliance reviews and investigations.
  • Responsible for organizing and developing a HIPAA Privacy and Security compliance-related committee.
  • Engage with our affiliated and community-based health care partners in their compliance-related activities and committees as necessary.
  • Coordinate with other University business units on HIPAA privacy issues, including the Information Security Office, the Health Sciences Colleges, Contracting & Research Support, the Office of General Counsel and Human Subjects Protection Program.
  • Review and appropriately identify Health Care Components, and manage HIPAA privacy compliance for each Component.
  • Oversee the development and implementation of policies, procedures and forms related to HIPAA privacy and breach notification, as applicable to the University, its researchers, and Covered Health Care Components, which include those units and/or programs engaged in HIPAA covered functions, as well as those units and/or programs that provide services (internally and externally) as Business Associates.
  • Perform periodic internal privacy impact assessments and compliance audits.
  • Support the Information Security Office (ISO) in the performance of institutional security risk analyses and the development of policies, procedures and processes around HIPAA Security.
  • Investigate and respond to complaints regarding alleged breaches of institutional privacy policies, including recommending and implementing corrective action plans.
  • Provide subject matter expertise on HIPAA privacy and breach notification requirements to University constituents, including students, faculty, researchers and staff.
  • Coordinate with the privacy officers and other compliance staff for the University’s affiliated healthcare entities, including Banner Health and Dignity Health.
  • Direct, deliver and provide updates to annual privacy training and orientation to covered workforce members, including employees, students, volunteers, medical and professional staff.
  • Review and track all institutional Business Associate Agreements (BAAs).
  • Develop effective and measurable quality improvement initiatives.
  • Oversee and update the privacy office records retention program.

Minimum Qualifications:

  • Bachelor’s degree in healthcare administration, health information management, or a related field with at least 3 years of directly related experience in interpreting, operationalizing, and applying laws, regulations and policies related to information privacy and security, and the confidentiality of health information.
  • Sound working knowledge of current federal and state healthcare and privacy laws, agency regulations, and accreditation requirements (e.g., OCR, OIG, HIPAA, FISMA, NIST).
  • Experience working well and collaboratively with researchers, medical and non-medical personnel, and administrative staff at all levels.
  • Experience developing training modules, compliance assessment, and monitoring tools and techniques.
  • Ability to clarify and communicate complex legal and regulatory requirements, so that they are understood by a variety of audiences.
  • Excellent organizational abilities and outstanding written and oral communications skills.
  • Motivated to excel, takes initiative, respects others, and inspires collaboration.
  • High degree of personal integrity.

Preferred Qualifications:

  • Advanced degree in law, research area or related field.
  • Experience working within a university research or academic medical center compliance office, or a healthcare organization with significant university research contracts, is highly preferred.
  • Nationally recognized compliance certification (e.g., CHPC, CIPP/US, CHPS, RHIA, or RHIT credentials) preferred (or able to obtain within six months of hire).