Corporate - Director of Privacy

Acadia Healthcare, Franklin, TN
Hybrid

About The Position

As one of the nation's leaders in treating individuals with co-occurring mood, addiction, eating disorders, and trauma, Acadia Healthcare places a strong emphasis on our admissions & intake functions to allow us to help every possible person in need. The Director of Privacy serves as Acadia Healthcare’s HIPAA Privacy Officer, leading the design, implementation, and oversight of the enterprise-wide privacy program. This role ensures compliance with HIPAA, 42 CFR Part 2, and state privacy laws while enabling high-quality behavioral health care, responsible data use, and organizational growth. This leader acts as a strategic partner to Compliance, Legal, Clinical, IT/Security, Operations, and Business Development, embedding privacy-by-design principles across care delivery, data governance, joint ventures, and digital health initiatives.

Requirements

  • Bachelor’s degree in healthcare administration, law, public health, or a related field required
  • 8–12+ years of experience in healthcare privacy, compliance, or regulatory roles
  • Deep knowledge of HIPAA and 42 CFR Part 2
  • Familiarity with electronic medical record (EMR) systems and privacy controls
  • Demonstrated experience supporting privacy programs in multi-site/multi-state healthcare organizations, including joint ventures or affiliated networks
  • Strong understanding of data governance, data sharing frameworks, and regulatory risk in complex organizational structures
  • Experience conducting privacy investigations, risk assessments, and audits
  • Ability to interpret complex regulations and translate them into practical, operational guidance
  • Strong analytical, problem-solving, and decision-making skills
  • Excellent written and verbal communication skills, with the ability to influence across all levels of the organization
  • Proven ability to work independently and exercise sound judgment in a fast-paced healthcare environment

Nice To Haves

  • Experience in Behavioral Health or Substance Use Disorder compliance preferred
  • CIPP/US, CHC, CHPC certifications preferred

Responsibilities

  • Lead the development, implementation, and continuous improvement of the organization’s enterprise-wide privacy program across all facilities and affiliated entities
  • Establish scalable governance structures, including defined roles, responsibilities, and accountability across corporate and facility-level operations
  • Develop and maintain privacy policies, procedures, and standardized workflows aligned with regulatory requirements and operational needs
  • Build frameworks to support privacy oversight in a multi-site, multi-state environment
  • Ensure compliance with applicable laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), 42 CFR Part 2, and state-specific privacy and behavioral health confidentiality laws
  • Interpret and operationalize complex regulatory requirements in environments involving shared services and cross-entity data flows
  • Conduct enterprise-wide HIPAA risk assessments and implement mitigation strategies
  • Monitor regulatory developments and update organizational practices accordingly
  • Manage software systems used to intake, investigate, and resolve privacy incidents and potential breaches
  • Conduct breach risk assessments and determine notification obligations
  • Coordinate with legal, compliance, IT/security, and affiliated entities on privacy incident response and remediation
  • Identify root causes and implement corrective actions to prevent recurrence
  • Advise on privacy implications of strategic initiatives, including new service lines and facility expansions; joint ventures and partnership arrangements; and digital health, telehealth, data analytics, and artificial intelligence initiatives
  • Review and structure data use agreements, authorizations, and minimum necessary determinations
  • Provide practical, risk-based guidance to enable compliant data use while supporting business objectives
  • Design and execute privacy monitoring and auditing activities, including system access reviews and compliance with data sharing restrictions
  • Track, analyze, and report privacy risks, trends, and key performance indicators to senior leadership
  • Identify systemic issues and drive enterprise-wide corrective actions
  • Develop and deliver privacy training programs tailored to clinical, operational, and affiliated entity staff
  • Administer and maintain privacy policies in Acadia’s policy management system, ensuring all privacy-related codes, policies, and procedures are current, accurately documented, and accessible to employees
  • Promote a culture of privacy awareness and accountability, particularly in behavioral health settings
  • Provide ongoing guidance and real-time support to leadership and frontline teams
  • Partner with compliance, legal, IT/security, clinical leadership, operations, and business development to align privacy practices with organizational goals
  • Support enterprise initiatives requiring privacy input, including system implementations, integrations, and partnerships
  • Design and implement privacy frameworks for joint ventures, partnerships, and affiliated entities
  • Determine appropriate entity classifications (e.g., covered entity vs. business associate) and structure compliant data sharing arrangements
  • Establish governance models for privacy oversight across partially owned or managed entities
  • Identify and mitigate risks related to cross-entity data sharing, shared systems (e.g., EMRs), and blurred operational boundaries (e.g., shared staff or services)
  • Partner with legal and business development on transaction structuring, diligence, and post-close integration
  • Maintain productive working relationships and treat fellow employees with respect
  • Review and synthesize complex regulations and data into clear, actionable reporting
  • Support Acadia Healthcare's mission to provide high-quality behavioral healthcare services while maintaining the highest standards of compliance and ethics

Benefits

  • Competitive Base Salary commensurate with experience
  • Comprehensive Medical, Dental, and Vision Insurance
  • 401(k) Plan with Company Match
  • Paid Time Off (PTO) and recognized holidays
  • Company-paid Basic Life and AD&D Insurance
  • Employee Assistance Program (EAP) and mental wellness resources
  • Equity Eligible
  • Opportunities for professional growth and advancement within Acadia’s nationwide network

What This Job Offers

Job Type

Full-time

Career Level

Director

Number of Employees

5,001-10,000 employees
