Chief Risk and Privacy Officer

  • St. Joseph's Healthcare Hamilton
  • Apr 01, 2021
Full time Other

Job Description

Corporate Profile
As a premier academic and research healthcare organization, St. Joseph’s Healthcare Hamilton (SJHH) is committed to making a difference in people’s lives and creating a lasting future for our community through integrated health services and internationally recognized programs. Our threefold mission is to provide dynamic research, revolutionary methods in health sciences education, and the highest standard of clinical care in a spirit of compassion, innovation and commitment.

SJHH is a member of the St. Joseph’s Health System (SJHS), and is affiliated with McMaster University and Mohawk College.

SJHH has earned a national reputation for outstanding patient care and innovative medical and surgical treatments. The Hospital is particularly well known for excellence in respiratory care, kidney and urinary care, mental health and addictions, surgical services, cancer surgery and women’s and infants’ care.

Role Profile
As a senior leader, the Chief Risk & Privacy Officer (CRPO) provides expert advice, leadership and support to stakeholders across St. Joseph’s Healthcare Hamilton (SJHH) in the effective management of enterprise risks, protection of privacy, and appropriate access to information.  Building on the organization’s existing Enterprise Risk Management program, the CRPO drives ongoing program enhancements to support the robust ongoing identification, reporting, assessment, and mitigation of risks, in accordance with leading practices.
The CRPO is responsible for the Hospital’s privacy and information access program, which supports the protection of privacy and enables appropriate sharing and access to information to meet business requirements.  The CRPO is integral to the collaborative design and implementation of SJHH’s innovative cross-organizational healthcare delivery and digital information sharing initiatives, enabling appropriate rights of access to information while ensuring protection of privacy.
The CRPO is also responsible for key corporate services and functions required for effective risk management, including legal, insurance, internal audit and collaborating with St. Joseph’s Health System (SJHS) member organizations on risk and privacy activities.

Enterprise Risk Management

  • Oversee the Hospital’s Enterprise Risk Management (ERM) program to support comprehensive and rigorous management of organizational risks. 
  • Lead and direct ERM processes and resources, including ongoing enhancements to support robust ongoing identification, reporting, assessment, and mitigation of risks, in accordance with leading practices. 
  • Oversee the systematic management of all risk incidents, working in close collaboration with the Quality, Safety & Patient Relations department and the Medical Affairs Office to support management of clinical incidents involving legal and insurance resources. 
  • Lead development and delivery of ERM reports to SJHH senior leaders, Board and Committees and coordinate reports from SJHS member organizations to SJHS Board and Committees.


  • Oversee the Hospital’s privacy and information access program to support protection of privacy and enable appropriate sharing and access to information to meet business requirements. 
  • Lead and direct the ongoing implementation of policies and procedures to support compliance under PHIPA and FIPPA within SJHH and in the course of working with other healthcare organizations, government ministries and agencies, community partners, researchers and third parties. 
  • Act as the delegated head of the institution responsible for FIPPA compliance and decision making in respect of FIPPA requests, advise key stakeholders and direct activities relating to release of information.
  • Act as primary liaison with the Information and Privacy Commissioner/Ontario (IPC), direct and oversee management of potential or actual privacy breaches, including notification of affected parties, manage response to complaints or requests for review by the IPC, and argue appeals of access decisions in oral and written submissions before the IPC. 
  • Advise stakeholders and direct activities relating to Privacy Impact Assessments and contract provisions, to enable appropriate collection, use, and sharing of information within and beyond the Hospital, in compliance with PHIPA. 
  • Coordinate ongoing privacy reporting from SJHS member organizations to SJHS Board and Committees.

Insurance/Claims Management/Legal

  • Oversee the Hospital’s insurance program as an integral part of the organization’s ERM program.  Promote and facilitate awareness and optimal use of insurance products, services, and resources across the Hospital, to support management and mitigation of financial and reputational exposures.
  • Oversee the Hospital’s claims management process to ensure effective defense and settlement of medical and corporate liability, as well as property claims.  Lead and direct key activities and consultations with hospital stakeholders, legal counsel and insurers.  In close collaboration with the Medical Affairs Office and the Quality, Safety & Patient Experience Department, direct management of medical-legal and clinical incident claims. 
  • Oversee the Hospital’s legal services requirements and resources to support appropriate and efficient access to legal resources required for both general corporate and specialized service needs.  Act as primary contact and manage relationships with contracted legal firms, including leading the ongoing evaluation and effective use of legal services.


  • Minimum 7-10 years progressive management experience in Enterprise Risk, Privacy and Information Access in a Healthcare setting
  • Undergraduate degree in a related field. Degree in law/legal training is an asset
  • Risk Management certification from a recognized program (e.g. OHA certificate in Risk Management, Canadian Risk Management designation, Certified Patient Safety Specialist, ASHRM (American Society for Healthcare Risk Management), etc.) preferred
  • CIPP or CIPP/C in good standing with IAPP (International Association of Privacy Professionals)
  • Strong working knowledge of the Health Care Consent Act, Public Hospital Act, Mental Health Act, Excellent Care for All Act, Quality of Care Information Protection Act, PHIPA, FIPPA, and data sharing provisions in other applicable legislation
  • Excellent grasp of data governance
  • Ability to provide practical solutions to address complex privacy and information access issues
  • Experience reviewing project materials, data architecture and advising interdisciplinary teams on privacy and risk management in the execution of Digital Health projects and programs
  • Knowledge and experience working with insurance providers and working with key stakeholders to ensure the scope and quality of services, coverage, and support meet business requirements
  • Excellent oral and written skills with experience presenting and engaging directly with senior leaders and governors, including providing trusted, practical advice in a corporate and/or healthcare environment
  • Experience advising and assisting senior management in preparing for public appearances and hearings related to privacy, information access and disclosure
  • Experience reviewing contracts and service level agreements and participating in contract negotiations
  • Experience tracking and reviewing changes to legislation and regulations, determining impacts on the business and ensuring ongoing compliance and risk mitigation
  • Understanding of disclosure and production requirements for legal proceedings
  • Judgement and experience to determine which legal matters are to be handled internally and those which should be assigned to external counsel and experience overseeing the efficient and effective provision and high quality of legal services to the organization

Hours Monday - Friday days

Job Category



Hamilton, ON