Senior Manager, Tech GRC, HIPAA Compliance
The Peloton Enterprise Technology Team is expanding and transforming its risk management, compliance and security capabilities and resources. We are investing in these areas to address an ever increasing cybersecurity threat landscape as well as expanding regulatory compliance requirements as the company continues to grow.
The Technology Governance, Risk & Compliance (GRC) HIPAA Compliance Senior Manager role will be a critical position within the team and for the organization globally. Working closely with the Enterprise Technology, Software Engineering and Legal teams, as well as stakeholders across the organization, this position’s main responsibility will be to lead the design, build out and operation of a HIPAA compliant platform in an effort to raise the overall security and compliance posture of Peloton. This individual will be directly responsible for partnering with teams to implement the HIPAA Privacy, Security and Breach Notification Rules at an appropriate level of depth for the environment. The role will have strategy and design components, but will also be tactical and hands-on as well. The person will need to drive HIPAA specific risk management practices at the highest level and implement the approach to appropriately treat the risks. The person will need to understand HIPAA data privacy and security requirements in detail in order to appropriately translate and apply them to a highly agile and modern technology environment. The role will be customer-facing as well in order to communicate Peloton’s data privacy and security posture as part of business development.
In addition to the main focus on HIPAA, this person should also have experience working across multiple frameworks and regulatory standards including, but not limited to, NIST CSF, PCI DSS, GDPR/CCPA and SOX. This individual will need to work closely with teams across the organization to understand the control environment in place currently, how to leverage it and when new customized solutions and processes need to be implemented.
JOB DUTIES:
- The role will be responsible for cross functional collaboration with Software Engineering, Legal, Internal Audit, and Security teams in designing and operating both the technical and programmatic dependencies of a HIPAA compliant environment.
- Provide technical perspective and support on the architecture, infrastructure, and technology operations in place to manage health data risk.
- Under direction of GRC management, the role is responsible for leading the HIPAA compliance program and managing the associated projects efficiently.
- Responsibility for informing leadership of issues resulting from risk analysis and determining potential solutions that are appropriate for Peloton’s business and system architecture.
- Interacts with business and engineering stakeholders to understand risks to data by defining potential business impact with the responsibility to apply effective mitigation strategies.
- Maintains updated healthcare industry and regulatory knowledge in the fields of privacy, security, risk management and compliance related to HIPAA.
- Understanding of core risk management principles, how to calculate risk levels, determine risk tolerances and develop appropriate risk treatment plans.
- Effectively communicates our data privacy and security environment to new and existing commercial and health plan customers and capable of forging strong relationships with the risk teams of key customers.
- Understanding of security functions including: Incident Management, Secure Change Management, Identity and Access Management, and Vendor Security Risk Management.
- Stay current with healthcare industry, regulatory, and legal requirements relevant to security, compliance, and privacy.
- Bring an innovative approach to continuously improving a risk management framework that can enable business velocity while adhering to a defense-in-depth design as regulations and risk footprints evolve.
Requirements:
- 10+ years of experience working in or with the healthcare industry or healthcare related products that require compliance with HIPAA
- Strong technical knowledge of all aspects of the HIPAA regulation
- Experience designing programs that effectively rightsize risk management controls across the relevant contexts of a distributed architecture
- Experience leading an organization to become compliant with HIPAA and maintain ongoing operational compliance
- Experience leading an organization through HITRUST readiness and obtaining the certification
- Experience leading an organization through a SOC 2 + HIPAA audit
- Experience as a HITRUST external assessor is a plus
- Strong degree of comfort working alongside an agile software engineering team to provide governance over the design and architecture of systems to ensure ePHI is appropriately safeguarded
- Experience tailoring communication and collaboration in an organization that utilizes both co-located and distributed teams
- Experience with Business Development / Sales teams to communicate the company’s data privacy and security posture
- Experience working with external legal partners and auditors
- Familiar with GRC tools to track, operate and monitor a HIPAA program
- Knowledge of JIRA and Confluence preferred
- Experience working in a technology organization preferred
- Experience in one or more of the following: SOX, GDPR/CCPA, NIST CSF, PCI DSS is preferred
- One or more of the following certifications is preferred: CISA, CISSP, HITRUST CCSFP, CIPP, CIPM, CIPT
ABOUT PELOTON:
Founded in 2012, Peloton is an innovative tech company that brings members the best workouts possible, all from the convenience of their own home via the Bike,Tread and iOS App platforms. Peloton uses technology and design to connect the world through fitness, empowering people to be the best version of themselves anywhere, anytime.
Peloton believes in taking risks and challenging the status quo by continuously innovating and improving. We put our users, members, and customers first and we obsess over every touch point of the member experience – be it the studio, product or showroom. We like to hire the best and encourage all our associates to be Peloton’s brand ambassadors. Most importantly, we know that together we go far.