Privacy Audit, Education, and Risk Analyst

Company: University of Chicago Medical Center
Requisition Post Information: Posted Date 1 month ago (1/17/2025 7:06 PM)
Job ID: 2025-74771
Shift: Day
New Position Type: FT Regular
CBA Code: Non-Union
New FLSA Status: EXEMPT
Minimum: USD $92,300.00
Maximum: USD $123,000.00

Job Description

Join one of the nation’s most comprehensive academic medical centers, UChicago Medicine, as a Privacy Audit, Education, and Risk Analyst to support the Information Security and Privacy GRC Program. This position will be primarily a work-from-home opportunity with the requirement to come onsite as needed.

Information Security and Privacy GRC Program initiatives include, but are not limited to, investigations of privacy concerns, system access audits, development and training of internal protocols, policies, guidance documents, and tools, and oversight of internal and external third-party privacy risk functions to support all the UCM health system workforce and its federal, state, and international regulatory obligations. The program contributes to the enhancement of existing privacy and security compliance initiatives by developing new methods to identify areas of privacy risk and developing best practices for risk reduction, privacy and security regulatory compliance, and risk remediation efforts. Customers include patients, faculty, residents, all levels of leadership, clinical and non-clinical staff, and students at the University of Chicago Medicine Health System as well as the larger community. The Privacy Audit, Education, and Risk Analyst supports the Privacy Program mission by developing an enterprise-wide audit, education, and risk work plan, performing access audits, handling and leading all aspects of training and education, and reducing privacy risks within the enterprise.

Essential Job Functions 

  • Develop written standard procedures, plan, and perform access audits of electronic medical record systems, business applications, internal data repositories, and databases.  
  • Identify areas of privacy enterprise risk and prepare, then implement, corrective action plans and risk mitigation steps.  
  • Perform access audits across multiple record repositories, technology systems, and databases to identify irregularities or impermissible accesses.  
  • Utilize privacy electronic audit tools and manual processes to perform audits.  
  • Implement corrective action plans with follow up to mitigate potential privacy risks.  
  • Conduct, document, and follow up on enhanced audit capability outside of the electronic health record, specifically those with a technology focus. 
  • Develop new and update current privacy education and trainings, including materials such as but not limited to, slides, policies, and guidance documents.  
  • Be the primary presenter of organization-wide training throughout differing internal levels.  
  • Develop new and update current trainings and educational materials.  
  • Present education initiatives based upon developed training.  
  • Identify new education initiatives based upon risks identified through audits, metrics, and educational outcomes.   
  • Develop and prepare spreadsheets, metrics, dashboards, and reports to support program and enterprise risk strategy.  
  • Develop new and manage opportunities for metrics, data spreadsheets, and develop a risk dashboard.  
  • Identify active opportunities to strengthen privacy enterprise risk management program overall.  
  • Prepare and lead privacy impact assessments of internal and external technologies and vendors, and privacy risk corrective action plans.  
  • Be an active contributor in Privacy by Design and other privacy risk principles.  
  • Mature data mapping and data loss prevention initiative. 
  • Additional project or other duties as assigned related to program oversight and efforts.  
  • Identify current trends and changes of landscape in privacy and information security compliance.  
  • Understand and make revisions to audit and education work plan related to risks identified, program metrics, audit results, and training outcomes with little oversight.  
  • Maintain strong knowledge of applicable federal, state, and international privacy and information security laws and monitor advancements in information privacy technologies to ensure organizational adaptation and compliance. 

Required Qualifications 

  • Bachelor's degree required 
  • Significant relevant experience in HIPAA and other Privacy and Compliance regulations is required with demonstrated proficiency with the HIPAA Privacy and Security regulations 
  • Academic medical center and/or health care consulting experience; additional background in privacy-related research administration highly desirable 
  • Current or ability to obtain with two-year privacy certification from IAPP, ISACA, HCCA, or SCCE 
  • Significant privacy audit experience of differing types of databases including electronic medical records and other business and research applications with ability to quickly identify action plans 
  • Familiarity with privacy audit software and data loss prevention tools needed, including ability to use and become proficient in review and audit of software application logs for potential privacy risks 
  • Proven ability to develop education materials and provide organizational training, with ability to understand the changing privacy landscape and inform the workforce through strong presence and excellent public speaking skills across differing organizational levels 
  • Knowledge of privacy risk identification and implementation of corrective action plans to correct privacy enterprise risk 
  • Experience in data mining, analysis, and report development required with ability to produce reports and identify new privacy projects 
  • High proficiency with Excel is required, along with the ability to develop reports for follow-up 
  • Experience in handling complex organizational projects, and excellent problem identification and solution skills to address difficult, complex issues  
  • Strong computer skills including the ability to effectively use software applications such as Microsoft products is important  
  • Ability to think abstractly and concretely and strong attention to detail  
  • Excellent analytical, written, and verbal presentation and interpersonal skills  
  • Demonstrated capacity to work independently in an organized, detailed manner while maintaining a collaborative team environment 

Position Details 

  • Job Type / FTE: Full-Time  
  • Shift: Days 
  • Job Location: Flexible (Hyde Park/Darien)  
  • Unit/Department: Information Security and Privacy GRC Program
  • CBA Code: Non-Union 

Why Join Us

We’ve been at the forefront of medicine since 1899. We provide superior healthcare with compassion, always mindful that each patient is a person, an individual. To accomplish this, we need employees with passion, talent and commitment… with patients and with each other. We’re in this together: working to advance medical innovation, serve the health needs of the community, and move our collective knowledge forward. If you’d like to add enriching human life to your profile, UChicago Medicine is for you. Here at the forefront, we’re doing work that really matters. Join us. Bring your passion.

 

UChicago Medicine is growing; discover how you can be a part of this pursuit of excellence at: UChicago Medicine Career Opportunities.

 

UChicago Medicine is an equal opportunity employer.  We evaluate qualified applicants without regard to race, color, ethnicity, ancestry, sex, sexual orientation, gender identity, marital status, civil union status, parental status, religion, national origin, age, disability, veteran status and other legally protected characteristics.

 

Must comply with UChicago Medicine’s COVID-19 Vaccination requirement as a condition of employment. If you have already received the vaccination, you must provide proof as part of the pre-employment process. This is in addition to your compliance with the Flu Vaccination requirement as well. Medical and religious exemptions will be considered consistent with applicable law. Lastly, a pre-employment physical, drug screening, and background check are also required for all employees prior to hire.

 

Compensation & Benefits Overview

 

UChicago Medicine is committed to transparency in compensation and benefits.  The pay range provided reflects the anticipated wage or salary reasonably expected to be offered for the position.

 

The pay range is based on a full-time equivalent (1.0 FTE) and is reflective of current market data, reviewed on an annual basis. Compensation offered at the time of hire will vary based on candidate qualifications and experience and organizational considerations, such as internal equity. Pay ranges for employees subject to Collective Bargaining Agreements are negotiated by the medical center and their respective union.

 

Review the full complement of benefit options for eligible roles at Benefits - UChicago Medicine.
