Position Classification Description

Position Class Code / Title: A7072 / Privacy Officer/HIPAA Privacy
Recruitment Tier: Tier 1
FLSA: Exempt
Grade: 17
HR Review/Approval: COMP

This is a description of a Staff Position Classification. It is not an announcement of a position opening. To view descriptions of current openings, please go to UNMJobs and Search Postings to view positions that are currently accepting applications.

The following statements are intended to describe, in broad terms, the general functions and responsibility levels characteristic of positions assigned to this classification. They should not be viewed as an exhaustive list of the specific duties and prerequisites applicable to individual positions that have been so classified.


Oversees all activities associated with the development, implementation, and administration of the policies and procedures of the University's health care components designated in Exhibit A to Regents Policy 3.8 and any of the University's affiliated entities who are themselves covered entities under HIPAA (Each, a "Health Care Component", and, collectively, the "Health Care Components") which cover the privacy of, and access to, patient health information. Monitors and ensures organizational compliance with Federal and State laws, regulations, and standards including, without limitation, the HIPAA Standards as defined in Regents Policy 3.8.

Duties and Responsibilities

  1. Oversees the establishment, implementation, maintenance of, and adherence to privacy policies and procedures for the Health Care Components; continually ensures that policies and procedures are in current compliance with Federal and State laws and regulations and are consistent with overall University and Health Care Component policies.
  2. Coordinates with other Health Care Component departments and constituencies, including any Organized Health Care Arrangement in which one or more of the Health Care Components may participate, regarding the review of practices that may impact Health Care Component compliance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA).
  3. Modifies and updates all Health Care Component privacy policies and statutory communications as required, in consultation with the Office of the University Counsel and the HIPAA Oversight Committee.
  4. Performs periodic privacy risk analyses, internal audits, and assessment of Health Care Component policies and procedures, staff activities, and training programs; determines remediation priorities and resources necessary to address existing or potential privacy issues and problems.
  5. Works with legal counsel, senior management, and other key Health Care Component representatives to ensure that appropriate privacy documentation and other informational materials pertaining to Health Care Component privacy policies and legal requirements are distributed and maintained throughout all Health Care Components. Serves as principal point of contact with respect to receipt and disposition of privacy complaints and the provision of information regarding Health Care Component privacy practices.
  6. Participates in the establishment and application of appropriate sanctions for Health Care Component and associated faculty/staff and business associates for failure to comply with privacy policies and procedures.
  7. Establishes mechanisms to track access to patient health information, as required by law; works with internal and external agencies in the oversight of patient rights to inspect, amend, and restrict access to health records.
  8. Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints and issues pertaining to Health Care Component privacy policies and procedures.
  9. Documents all corrective action undertaken to mitigate the effects of inappropriate use or disclosure of patient health information.
  10. Participates in the development, implementation, and monitoring of all business associate agreements to ensure that all privacy concerns, requirements, and responsibilities are addressed.
  11. Directs and ensures delivery of orientation training on privacy policies and procedures to all appropriate faculty and staff, contractors, business associates, and other applicable constituencies; coordinates and provides leadership in the development, implementation, and promotion of privacy awareness programs and initiatives.
  12. Prepares and presents periodic and ad hoc reports on the current status and future requirements of the privacy compliance program on behalf of all Health Care Component departments and components.
  13. Maintains and ensures currency of all records pertaining to HIPAA policies and procedures, Notices of Privacy Practices (including any Notices of Privacy Practices of Organized Health Care Arrangements in which a Health Care Component may participate), and all related educational materials developed and implemented.
  14. Reviews all electronic information system security plans throughout all of the Health Care Components, and works with University IT and HSC IT representatives, as the case may be, to ensure that data security practices are consistent with privacy requirements.
  15. Cooperates and interfaces with the Office for Civil Rights, other legal entities, and internal officials to facilitate compliance reviews or investigations, as necessary.
  16. Serves as Chair of the HIPAA Oversight Committee; serves as member of or liaison to the HSC IRB.
  17. Performs miscellaneous job-related duties as assigned.

Minimum Job Requirements

  • Bachelor's degree; at least 7 years of experience directly related to the duties and responsibilities specified.
  • Completed degree(s) from an accredited institution that are above the minimum education requirement may be substituted for experience on a year for year basis.

Knowledge, Skills and Abilities Required

  • Ability to develop and maintain recordkeeping systems and procedures.
  • Strong verbal and written communication skills and the ability to present information effectively to groups.
  • Skill in examining and re-engineering operations and procedures, formulating policy, and developing and implementing new strategies and procedures.
  • Knowledge and understanding of HIPAA and related Federal and State privacy laws and regulations.
  • Knowledge of computerized information systems used in compliance applications.
  • Strong analytical and critical thinking skills and the ability to analyze, summarize, and effectively present data.
  • Strong interpersonal skills and the ability to effectively work with a wide range of individuals and constituencies in a diverse community.

Working Conditions and Physical Effort

  • No or very limited physical effort required.
  • No or very limited exposure to physical risk.
  • Work is normally performed in a typical interior/office work environment.

The University of New Mexico provides all training required by OSHA to ensure employee safety.

Revised Date: 11/10/2023