Included Health · 5 hours ago
Sr. Manager, Governance Risk and Compliance
Included Health is a healthcare company focused on delivering integrated virtual care and navigation. The Sr. Manager, Governance Risk and Compliance (GRC) will oversee regulatory compliance, risk management, and governance programs, ensuring adherence to healthcare regulations and building a robust GRC framework to protect PHI.
Health Care · Hospital · Medical · mHealth
Responsibilities
Manage the complete third-party risk management (TPRM) program, from initial assessment to ongoing monitoring
Conduct security risk assessments for all vendors, especially those handling protected health information (PHI)
Collaborate with Legal to review security language in vendor contracts and Business Associate Agreements (BAAs)
Maintain the vendor risk register, track remediation of risks, and report on vendor risk exposure
Demonstrate success developing third-party risk governance programs with Legal, Security, and Procurement to increase efficiency and reduce friction across stakeholders
Experience implementing tiered vendor risk models and reassessment cycles to reduce manual tracking workload
Manage all internal and external audits, including planning, evidence collection, and coordinating with auditors
Serve as the main point of contact for external auditors (e.g., for SOC 2, HIPAA)
Oversee security controls (technical and procedural) to ensure continuous compliance with HIPAA, HITECH, and SOC 2 frameworks
Translate complex regulatory requirements into actionable security controls and procedures for technical and business teams
Track and manage the remediation of all audit findings
Experience creating standardized audit playbooks and evidence repositories
Experience owning an organization-wide compliance program to comply with audit framework(s)
Strong ability to translate audit outcomes into business-oriented insights that directly impact risk reduction and process improvement
Manage the enterprise risk management program, including conducting annual risk assessments and maintaining the risk register
Develop, maintain, and test the company's incident response (IR) plan
Run security awareness programs, such as phishing simulations and tabletop exercises
Track remediation efforts for all identified risks
Produce concise, executive-ready risk reports that inform strategic decisions across departments
Lead responses to client and prospect security questionnaires, RFPs, and assessments
Develop and maintain a knowledge base of standard security responses and supporting documentation
Act as the security subject matter expert to support the sales and partnership teams
Coordinate and manage client-facing security audits and reviews
Extensive experience creating, reviewing, and maintaining clear security policies, standards, and procedures
Create, review, and maintain clear security policies, standards, and procedures
Ensure all policies align with regulatory requirements (HIPAA, SOC 2) and industry best practices
Communicate policies and procedures to all employees and contractors
Experience embedding compliance checkpoints within existing or new operational processes (e.g., change management, onboarding)
Qualifications
Required
7+ years of experience in GRC, compliance, risk management, or information security roles, with at least 4 years in a management or leadership capacity
Demonstrated experience managing a full-cycle third-party risk management (TPRM) program, including conducting vendor risk assessments and reviewing security terms in contracts
Hands-on expertise leading external audits for major compliance frameworks, specifically SOC 2 Type 2 and HIPAA
Proven ability to build and manage an enterprise risk program, including conducting formal risk assessments (e.g., NIST-based) and developing/testing incident response plans
Direct experience serving as a security subject matter expert in a client-facing role, including leading responses to security questionnaires, RFPs, and customer audits
Exceptional technical writing skills with a history of creating, implementing, and maintaining a comprehensive set of security policies, standards, and procedures
Preferred
Bachelor's degree in Computer Science, Information Security, Business Administration, or related field (or equivalent experience)
Deep expertise in healthcare compliance regulations including: HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
HITECH Act and meaningful use requirements
SOC 2 Type 2 (preferably with hands-on audit management experience)
Professional certifications such as: CISSP, CISM, CRISC, CISA, GRCP, CHPS, CIPP/US
Experience with additional compliance frameworks such as: ISO 27001/27002, ISO 27701, HITRUST, CSF, FedRAMP, StateRAMP, PCI-DSS, State privacy laws (CCPA, CPRA, VCDPA, etc.)
Experience with GRC platforms such as Vanta, Drata, OneTrust, LogicGate, Archer, ServiceNow GRC, or similar
Knowledge of cloud security and compliance (AWS, GCP)
Experience managing security awareness platforms (KnowBe4, Proofpoint, NINJIO, etc.)
Benefits
Remote-first culture
401(k) savings plan through Fidelity
Comprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)
Full suite of Included Health telemedicine (e.g. behavioral health, urgent care, etc.) and health care navigation products and services offered at no cost for employees and dependents
Generous Paid Time Off ("PTO") and Discretionary Time Off ("DTO")
12 weeks of 100% Paid Parental leave
Up to $25,000 Fertility and Family Building Benefit
Compassionate Leave (paid leave for employees who experience a failed pregnancy, surrogacy, adoption or fertility treatment)
11 Paid Holidays, including one Floating Paid Holiday
Work-From-Home reimbursement to support team collaboration and effective home office work
24 hours of Paid Volunteer Time Off ("VTO") Per Year to Volunteer with Charitable Organizations
Company
Included Health
Included Health provides a combination of virtual care, navigation, and communities-based healthcare services.
Funding
Current Stage: Late Stage
Total Funding: $344M
Key Investors: The Carlyle Group, Greylock, Venrock
2020-09-09 · Series E · $175M
2018-05-02 · Series D · $66M
2017-01-01 · Series Unknown
Company data provided by crunchbase