If you are a healthcare privacy and security attorney who feels passionate about the prospect of helping to support and grow a mission-driven, healthcare technology company, this role is for you! As a direct report to the Deputy General Counsel/Chief Compliance Officer, you will serve as the Company’s privacy officer and contribute to or oversee cross-functional initiatives that address the company’s most complex security, privacy, and compliance challenges.

This role works cross-functionally with other members of the Legal and Compliance teams and with business teams including Security, Engineering, Product, Customer Experience, and Analytics. Because we are both a technology company and a healthcare company, comfort and reasonable proficiency with technology partnerships, data models, and technical concepts is required.

In this role you will:

• Act as privacy officer for Collective Health
• Provide clear, practical, actionable legal guidance and support for privacy and security matters for Collective Health leaders and business teams including Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), U.S. state privacy laws, EU GDPR, PDPA, and all other relevant laws, regulations
• Ensure compliance with HIPAA, HITRUST, and comprehensive state privacy and data security laws.
• Help create and guide effective internal policies, processes, disclosures, procedures, and compliance monitoring, balancing the need for rigorous compliance with pragmatic, creative advice to move the business forward.
• Support assessments, audits, privacy and security reviews against a wide variety of security and privacy regulatory and compliance frameworks and best practices, including but not limited to HIPAA, HITRUST, NIST, and state and federal privacy laws
• Collaborate with business teams to identify and mitigate privacy and security risks
• Investigate incidents in which a breach of PHI may have occurred, report breaches as necessary.
• Remain current on evolving privacy and security laws, rules, and regulations and apply them proactively to provide practical compliance and privacy support to the business, and its leadership.
• Support the business in RFP’s and customer security and privacy requests
• Review and provide guidance for BAAs, DPAs, DUAs, SOWs, and other legal agreements as they pertain to privacy and security
• Review, draft, and provide input on privacy, risk, and compliance related matters in business agreements generally
• Work with colleagues to develop education programs that build trust, awareness, and compliance with relevant privacy, risk, and compliance guidelines and internal controls, including ongoing training and awareness activities.
• Support security compliance with administrative, technical, and physical safeguards requirements
• Support and participate in meetings, as requested or required, and forge effective working relationships with your counterparts at customer and partner companies
• Support third party risk management, including due diligence, contracting, and ongoing monitoring
• Liaise with regulators, law enforcement, outside counsel, and other stakeholders on matters concerning information privacy, risk, and compliance

Qualifications:

• J.D. with U.S. state bar admissions in good standing in any jurisdiction
• 9+ years in healthcare privacy
• Intimate knowledge of healthcare privacy, security, legal and regulatory frameworks including of HIPAA, HITECH, NIST, and industry best practices, certifications, and reviews, and experience with implementing them in a fast-paced, entrepreneurial environment
• Ability to interpret new and existing privacy and security legal requirements and to develop and operationalize process to support regulatory compliance
• Proven ability to build relationships and to collaborate effectively with a broad range of stakeholders and departments to drive compliance-friendly and business-friendly outcomes
• Non-alarmist, pragmatic approach to risk assessment and mitigation, married with creative problem solving and execution at the highest level.
• Experience identifying and mitigating new risks in heavily regulated or emerging technology areas
• Understanding and experience with relevant health care privacy and security issues (e.g., audits, investigations, breach mitigation, incident response, etc.)
• Prior direct experience in healthcare industry (plan, provider, vendor, TPA, HIT, etc.) required
• Outstanding judgment, business acumen, and integrity
• Excellent communication and presentation skills
• Understanding and experience with IT systems and clinical IT development
• General healthcare regulatory knowledge and experience preferred
• The highest standards of integrity, ethics, service, discipline, responsiveness, and accountability
• Passion for Collective Health and our mission

Bonus Qualifications:

• Relevant experience at a rapidly growing technology or healthcare company
• Privacy, security, and/or healthcare compliance certifications preferred (CIPP/US, CIPT, CHC, CHPC, CISSP, CISSP, HCISPP, Security+, CCSP)
• Track record of taking initiative, having the ability to work independently, and being Relevant experience in in-house setting preferred

Pay Transparency Statement

This job can be performed in a location where we have an office: San Mateo, CA, Chicago, IL, or Lehi, UT, or hired for remote work in the following states: CA, CO, CT, FL, GA, IL, MA, MI, MN, NJ, NY, NC, OH, OR, TX, UT, or WA. The actual pay rate offered within the range will depend on factors including geographic location, qualifications, experience, and internal equity.

In addition to the salary, you will be eligible for stock options and benefits like health insurance, 401k, and paid time off. Learn more about our benefits at https://jobs.collectivehealth.com/#benefits.