Corporate - Director of Privacy

Overview Director of Privacy (HIPAA Privacy Officer)

Location:

Hybrid 3 days in office 2 days remote Our Mission As one of the nation's leaders in treating individuals with co-occurring mood, addiction, eating disorders, and trauma, Acadia Healthcare places a strong emphasis on our admissions & intake functions to allow us to help every possible person in need. About the Role The Director of Privacy serves as Acadia Healthcare's HIPAA Privacy Officer , leading the design, implementation, and oversight of the enterprise-wide privacy program. This role ensures compliance with

HIPAA, 42 CFR

Part 2, and state privacy laws while enabling high-quality behavioral health care, responsible data use, and organizational growth. This leader acts as a strategic partner to Compliance, Legal, Clinical, IT/Security, Operations, and Business Development , embedding privacy-by-design principles across care delivery, data governance, joint ventures, and digital health initiatives. Compensation & Benefits We value your expertise and dedication—and we invest in your success. Competitive Base Salary commensurate with experience Comprehensive Medical, Dental, and Vision Insurance 401(k) Plan with Company Match Paid Time Off (PTO) and recognized holidays Company-paid Basic Life and AD&D Insurance Employee Assistance Program (EAP) and mental wellness resources Equity Eligible Opportunities for professional growth and advancement within Acadia's nationwide network Responsibilities What You'll Do Privacy Program Leadership & Governance Lead the development, implementation, and continuous improvement of the organization's enterprise-wide privacy program across all facilities and affiliated entities Establish scalable governance structures, including defined roles, responsibilities, and accountability across corporate and facility-level operations Develop and maintain privacy policies, procedures, and standardized workflows aligned with regulatory requirements and operational needs Build frameworks to support privacy oversight in a multi-site, multi-state environment Regulatory Compliance & Risk Management Ensure compliance with applicable laws and regulations, including: Health Insurance Portability and Accountability Act (HIPAA) 42 CFR Part 2 State-specific privacy and behavioral health confidentiality laws Interpret and operationalize complex regulatory requirements in environments involving shared services and cross-entity data flows Conduct enterprise-wide HIPAA risk assessments and implement mitigation strategies Monitor regulatory developments and update organizational practices accordingly Incident Response & Investigations Manage software systems used to intake, investigate, and resolve privacy incidents and potential breaches Conduct breach risk assessments and determine notification obligations Coordinate with legal, compliance, IT/security, and affiliated entities on privacy incident response and remediation Identify root causes and implement corrective actions to prevent recurrence Data Use Strategy Oversight Advise on privacy implications of strategic initiatives, including: New service lines and facility expansions Joint ventures and partnership arrangements Digital health, telehealth, data analytics, and artificial intelligence initiatives Review and structure data use agreements, authorizations, and minimum necessary determinations Provide practical, risk-based guidance to enable compliant data use while supporting business objectives Monitoring and Auditing Design and execute privacy monitoring and auditing activities, including system access reviews and compliance with data sharing restrictions Track, analyze, and report privacy risks, trends, and key performance indicators to senior leadership Identify systemic issues and drive enterprise-wide corrective actions Training and Education Develop and deliver privacy training programs tailored to clinical, operational, and affiliated entity staff Administer and maintain privacy policies in Acadia's policy management system, ensuring all privacy-related codes, policies, and procedures are current, accurately documented, and accessible to employees Promote a culture of privacy awareness and accountability, particularly in behavioral health settings Provide ongoing guidance and real-time support to leadership and frontline teams Cross-Functional Collaboration Partner with compliance, legal, IT/security, clinical leadership, operations, and business development to align privacy practices with organizational goals Support enterprise initiatives requiring privacy input, including system implementations, integrations, and partnerships Joint Ventures and Business Development Oversight Design and implement privacy frameworks for joint ventures, partnerships, and affiliated entities Determine appropriate entity classifications (e.g., covered entity vs. business associate) and structure compliant data sharing arrangements Establish governance models for privacy oversight across partially owned or managed entities Identify and mitigate risks related to: Cross-entity data sharing Shared systems (e.g., EMRs) Blurred operational boundaries (e.g., shared staff or services) Partner with legal and business development on transaction structuring, diligence, and post-close integration

STANDARD EXPECTATIONS

Must be able to maintain productive working relationships and treat fellow employees with respect.

Has contact with:

All levels of Acadia Healthcare employees, outside vendors/consultants, and occasionally, regulatory bodies Review and synthesize complex regulations and data into clear, actionable reporting Support Acadia Healthcare's mission to provide high-quality behavioral healthcare services while maintaining the highest standards of compliance and ethics Qualifications

EDUCATION/EXPERIENCE/SKILL REQUIREMENTS

Bachelor's degree in healthcare administration, law, public health, or a related field required 8-12+ years of experience in healthcare privacy, compliance, or regulatory roles Deep knowledge of HIPAA and 42 CFR Part 2 Familiarity with electronic medical record (EMR) systems and privacy controls Demonstrated experience supporting privacy programs in multi-site/multi-state healthcare organizations, including joint ventures or affiliated networks Strong understanding of data governance, data sharing frameworks, and regulatory risk in complex organizational structures Experience conducting privacy investigations, risk assessments, and audits Ability to interpret complex regulations and translate them into practical, operational guidance Strong analytical, problem-solving, and decision-making skills Excellent written and verbal communication skills, with the ability to influence across all levels of the organization Proven ability to work independently and exercise sound judgment in a fast-paced healthcare environment Experience in Behavioral Health or Substance Use Disorder compliance preferred

LICENSES/DESIGNATIONS/CERTIFICATIONS

PREFERRED:

CIPP/US, CHC, CHPC SUPERVISORY REQUIREMENTS

​​This position is an Individual Contributor​ While this job description is intended to be an accurate reflection of the requirements of the job, management reserves the right to add or remove duties from particular jobs when circumstances (e.g. emergencies, changes in workload, rush jobs or technological developments) dictate. We are committed to providing equal employment opportunities to all applicants for employment regardless of an individual's characteristics protected by applicable state, federal and local laws. AHCORP #LI-TB1