Sr. Legal Risk Manager

Privia Health™ is a technology-driven, national physician enablement company that collaborates with medical groups, health plans, and health systems to optimize physician practices, improve patient experiences, and reward doctors for delivering high-value care in both in-person and virtual settings. The Privia Platform is led by top industry talent and exceptional physician leadership, and consists of scalable operations and end-to-end, cloud-based technology that reduces unnecessary healthcare costs, achieves better outcomes, and improves the health of patients and the well-being of providers.

Overview of the Role: Reporting to the Chief Information Security Officer (CISO) the Third-Party Enterprise Risk Manager is responsible for managing and growing a comprehensive third-party risk management program across the organization. This role is responsible for ensuring that Privia Health's information assets are safeguarded against cyber threats originating from third and fourth parties. The position involves leading the Third Party Access Committee (TPAC), driving compliance with federal and state regulations (such as HIPAA, SOX, HITRUST, and state privacy laws), and implementing industry best practices for vendor risk management. The manager will collaborate cross-functionally to identify, evaluate, and mitigate risks associated with all third-party engagements, contributing to the organization's strategic objectives and security posture.

Essential Job Duties:

• Maintain and grow the Third-Party Risk Management (TPRM) Framework: Design, implement, and continuously improve the organization's TPRM framework, policies, and procedures, including the management and governance of:

  • Third Party Access Committee (TPAC) and oversee the review and approval process for all third parties.

  • Third-party review process, ensuring that qualifying vendors submit required documentation in a timely manner and that our evaluation process complies with industry standards and Privia’s administrative, technical, and cybersecurity controls.

  • Maintain the Approval / Revocation List for internal and external stakeholders and appropriate communications when vendors change status

• Be the TPRM team liaison to the AI Governance Committee and work with the Privacy Officer, The Chief Technology officer and other key members of the organization to ensure that AI is incorporated into our Third-Party Risk Management processes and is aligned to organizational objectives.

• Work with organizational stakeholders to ensure the TPRM is comprehensive and inclusive of all types of third parties, that stakeholders understand how to engage with TPAC, and that the appropriate mechanisms exist for ongoing training and awareness, and meet changing business needs and demands. Establish alignment between TPAC vendors and national operating teams.

• Evaluate third-party access requests in collaboration with the committee to ensure Privia Policies, federal, state laws, and industry best practices. Ensure the third parties have the appropriate cybersecurity controls and liability insurance so that they do not present undue risk.

• Track and maintain records of all TPAC submissions, approvals, and denials, and publish a list of approved solutions on PriviaConnect.

• Coordinate periodic reviews of approved third parties at least every two years, or for the term of the contract, if shorter, and manage corrective action plans when necessary.

• Collaborate with the Privacy & Data Analyst to review reports of API activity in the EMR and present findings to TPAC 

• Work with the Cybersecurity Analyst and other IT Security teams to ensure comprehensive third-party inventory and robust security controls are in place and aligned with industry standards 

• Oversee the implementation and maintenance of Third-Party Risk Management (TPRM) software solutions to streamline assessment, monitoring, and reporting processes. Maintain existing systems and processes.  

• Work with senior and executive leadership on new business models, including potential vendor partner models that may involve developing a preferred vendor program or savings guides.

• Develop and maintain an inventory of all third parties, including all data exchanges and validating its completeness and accuracy annually by comparing it against systems actively connected to the EMR.

• Manage cybersecurity risks associated with third-party vendors and service providers, including implementing security requirements in vendor contracts.

• Perform other duties as assigned.

• Education: Bachelor's Degree in Information Technology, Cybersecurity, Risk Management, or a related field, or equivalent work experience preferred.

• Years of experience: 5+ years of progressive experience in third-party risk management, information security, or a related field, with at least 2 years in a lead role.

• Experience with/ Technology being used:

  • Demonstrated experience managing Third-Party Risk Management (TPRM) software.

  • Strong knowledge of security frameworks (e.g., NIST, HITRUST) and regulatory compliance requirements (e.g., SOX, HIPAA).

  • Experience in conducting risk assessments and developing mitigation strategies.

  • Experience managing vendors and third-party relationships.

  • Familiarity with EHR/EMR systems (e.g., athenaOne) is a plus.

  • Experience with data inventory and auditing processes.

  • Proficiency in analytical tools (e.g., Excel, Google Sheets) for data analysis and reporting.

  • Experience with Monday.com or Form Assembly a plus

  • Excellent written and oral communication skills, with the ability to articulate complex concepts to various stakeholders.

  • Strong project management skills and a collaborative mindset.

  • Ability to work independently and with a team in a fast-paced environment, managing multiple competing priorities.

  • Must comply with HIPAA rules and regulations and other State and Federal rules, regulations, and statutes.

The salary range for this role is $125,000.00-$155,000.00 in base pay and exclusive of any bonuses or benefits (medical, dental, vision, life, and pet insurance, 401K, paid time off, and other wellness programs). This role is also eligible for an annual bonus targeted at 15% and restricted stock units. The base pay offered will be determined based on relevant factors such as experience, education, and geographic location. 

All your information will be kept confidential according to EEO guidelines.

Technical Requirements (for remote workers only, not applicable for onsite/in office work):

In order to successfully work remotely, supporting our patients and providers, we require a minimum of 5 MBPS for Download Speed and 3 MBPS for the Upload Speed. This should be acquired prior to the start of your employment. The best measure of your internet speed is to use online speed tests like https://www.speedtest.net/. This gives you an update as to how fast data transfer is with your internet connection and if it meets the minimum speed requirements. Work with your internet provider if you have questions about your connection. Employees who regularly work from home offices are eligible for expense reimbursement to offset this cost.

Privia Health is committed to creating and fostering a work environment that allows and encourages you to bring your whole self to work. We understand that healthcare is local and we are better when our people are a reflection of the communities that we serve. Our goal is to encourage people to pursue all opportunities regardless of their age, color, national origin, physical or mental (dis)ability, race, religion, gender, sex, gender identity and/or expression, marital status, veteran status, or any other characteristic protected by federal, state or local law.