
Corporate - Director of Privacy

Acadia Healthcare
3 hours ago
Full-time
On-site
Franklin, Tennessee, United States
VP, Director & Partner

Overview

Director of Privacy (HIPAA Privacy Officer)

Location: Hybrid (3 days in office, 2 days remote)

Our Mission

As one of the nation's leaders in treating individuals with co-occurring mood, addiction, eating disorders, and trauma, Acadia Healthcare places a strong emphasis on our admissions & intake functions to allow us to help every possible person in need.

About the Role

The Director of Privacy serves as Acadia Healthcare’s HIPAA Privacy Officer, leading the design, implementation, and oversight of the enterprise-wide privacy program. This role ensures compliance with HIPAA, 42 CFR Part 2, and state privacy laws while enabling high-quality behavioral health care, responsible data use, and organizational growth.

This leader acts as a strategic partner to Compliance, Legal, Clinical, IT/Security, Operations, and Business Development, embedding privacy-by-design principles across care delivery, data governance, joint ventures, and digital health initiatives.

 

Compensation & Benefits

We value your expertise and dedication—and we invest in your success.

  • Competitive Base Salary commensurate with experience
  • Comprehensive Medical, Dental, and Vision Insurance
  • 401(k) Plan with Company Match
  • Paid Time Off (PTO) and recognized holidays
  • Company-paid Basic Life and AD&D Insurance
  • Employee Assistance Program (EAP) and mental wellness resources
  • Equity Eligible 
  • Opportunities for professional growth and advancement within Acadia’s nationwide network

 

 

Responsibilities

What You’ll Do

Privacy Program Leadership & Governance 

  • Lead the development, implementation, and continuous improvement of the organization’s enterprise-wide privacy program across all facilities and affiliated entities  
  • Establish scalable governance structures, including defined roles, responsibilities, and accountability across corporate and facility-level operations  
  • Develop and maintain privacy policies, procedures, and standardized workflows aligned with regulatory requirements and operational needs  
  • Build frameworks to support privacy oversight in a multi-site, multi-state environment  

Regulatory Compliance & Risk Management 

  • Ensure compliance with applicable laws and regulations, including:
      • Health Insurance Portability and Accountability Act (HIPAA)
      • 42 CFR Part 2
      • State-specific privacy and behavioral health confidentiality laws
  • Interpret and operationalize complex regulatory requirements in environments involving shared services and cross-entity data flows  
  • Conduct enterprise-wide HIPAA risk assessments and implement mitigation strategies  
  • Monitor regulatory developments and update organizational practices accordingly  

Incident Response & Investigations 

  • Manage software systems used to intake, investigate, and resolve privacy incidents and potential breaches  
  • Conduct breach risk assessments and determine notification obligations  
  • Coordinate with legal, compliance, IT/security, and affiliated entities on privacy incident response and remediation  
  • Identify root causes and implement corrective actions to prevent recurrence  

Data Use Strategy Oversight  

  • Advise on privacy implications of strategic initiatives, including:
      • New service lines and facility expansions
      • Joint ventures and partnership arrangements
      • Digital health, telehealth, data analytics, and artificial intelligence initiatives
  • Review and structure data use agreements, authorizations, and minimum necessary determinations  
  • Provide practical, risk-based guidance to enable compliant data use while supporting business objectives  

Monitoring and Auditing 

  • Design and execute privacy monitoring and auditing activities, including system access reviews and compliance with data sharing restrictions  
  • Track, analyze, and report privacy risks, trends, and key performance indicators to senior leadership  
  • Identify systemic issues and drive enterprise-wide corrective actions  

Training and Education 

  • Develop and deliver privacy training programs tailored to clinical, operational, and affiliated entity staff  
  • Administer and maintain privacy policies in Acadia’s policy management system, ensuring all privacy-related codes, policies, and procedures are current, accurately documented, and accessible to employees 
  • Promote a culture of privacy awareness and accountability, particularly in behavioral health settings  
  • Provide ongoing guidance and real-time support to leadership and frontline teams  

Cross-Functional Collaboration 

  • Partner with compliance, legal, IT/security, clinical leadership, operations, and business development to align privacy practices with organizational goals  
  • Support enterprise initiatives requiring privacy input, including system implementations, integrations, and partnerships 

Joint Ventures and Business Development Oversight  

  • Design and implement privacy frameworks for joint ventures, partnerships, and affiliated entities  
  • Determine appropriate entity classifications (e.g., covered entity vs. business associate) and structure compliant data sharing arrangements  
  • Establish governance models for privacy oversight across partially owned or managed entities  
  • Identify and mitigate risks related to:
      • Cross-entity data sharing
      • Shared systems (e.g., EMRs)
      • Blurred operational boundaries (e.g., shared staff or services)
  • Partner with legal and business development on transaction structuring, diligence, and post-close integration  

STANDARD EXPECTATIONS: 

  • Must be able to maintain productive working relationships and treat fellow employees with respect. 
  • Has contact with: All levels of Acadia Healthcare employees, outside vendors/consultants, and occasionally, regulatory bodies 
  • Review and synthesize complex regulations and data into clear, actionable reporting 
  • Support Acadia Healthcare's mission to provide high-quality behavioral healthcare services while maintaining the highest standards of compliance and ethics 

Qualifications

EDUCATION/EXPERIENCE/SKILL REQUIREMENTS: 

  • Bachelor’s degree in healthcare administration, law, public health, or a related field required  
  • 8–12+ years of experience in healthcare privacy, compliance, or regulatory roles  
  • Deep knowledge of HIPAA and 42 CFR Part 2 
  • Familiarity with electronic medical record (EMR) systems and privacy controls 
  • Demonstrated experience supporting privacy programs in multi-site/multi-state healthcare organizations, including joint ventures or affiliated networks  
  • Strong understanding of data governance, data sharing frameworks, and regulatory risk in complex organizational structures  
  • Experience conducting privacy investigations, risk assessments, and audits  
  • Ability to interpret complex regulations and translate them into practical, operational guidance  
  • Strong analytical, problem-solving, and decision-making skills  
  • Excellent written and verbal communication skills, with the ability to influence across all levels of the organization  
  • Proven ability to work independently and exercise sound judgment in a fast-paced healthcare environment 
  • Experience in Behavioral Health or Substance Use Disorder compliance preferred 

LICENSES/DESIGNATIONS/CERTIFICATIONS: 

  • PREFERRED: CIPP/US, CHC, CHPC 

SUPERVISORY REQUIREMENTS:

This position is an Individual Contributor

 

While this job description is intended to be an accurate reflection of the requirements of the job, management reserves the right to add or remove duties from particular jobs when circumstances (e.g., emergencies, changes in workload, rush jobs or technological developments) dictate.

 

We are committed to providing equal employment opportunities to all applicants for employment regardless of an individual’s characteristics protected by applicable state, federal and local laws.

 

 
