Compliance Manager (Contract Position)

Truveta is the world’s first health provider led data platform with a vision of Saving Lives with Data. Our mission is to enable researchers to find cures faster, empower every clinician to be an expert, and help families make the most informed decisions about their care. Achieving Truveta’s ambitious vision requires an incredible team of talented and inspired people with a special combination of health, software and big data experience who share our company values.

Truveta was born in the Pacific Northwest, but we have employees who live across the country. Our team enjoys the flexibility of a hybrid model and working from anywhere. 

For overall team productivity, we optimize meeting hours in the pacific time zone. We avoid scheduling recurring meetings that start after 3pm PT, however, ad hoc meetings occur between 8am-6pm Pacific time.

Who We Need 

Truveta is rapidly building a talented and diverse team to tackle complex health and technical challenges. Beyond core capabilities, we are seeking problem solvers, passionate and collaborative teammates, and those willing to roll up their sleeves while making a difference. If you are interested in the opportunity to pursue purposeful work, join a mission-driven team, and build a rewarding career while having fun, Truveta may be the perfect fit for you. 

This Opportunity

This Compliance Manager position is an individual contributor contract role who will report to our Compliance Manager Lead. You will be part of the highly respected Compliance team responsible for standing up and maintaining governance over Truveta’s internal controls environment. We are a small but mighty team, establishing baseline risk programs and a roadmap to achieving and maintaining security and privacy-related certifications and attestations, e.g., ISO 27001, 27018, 27701, Type 1 and Type 2 SOC 2, 21 CFR Part 11 and HITRUST for HIPAA and Security. We are committed to the trust of our health system members and with each other, so please come with your sleeves rolled up, ready to be accountable for business-critical assignments, tight timelines, high quality expectations, and attention to detail. You will be rewarded as a part of building something that contributes to the mission and knowing your hard work is making a significant impact.

Responsibilities will include:  

• Developing and overseeing a large inventory of business and technology-related control systems aligned with legal guidelines, internal policies and procedures, and new and future certifications and attestations, i.e., ISO 27001, ISO 27018, ISO 27701, Type 2 SOC 2, and HITRUST.
• Designated responsibility for performing key compliance rhythm of business activities that must be kept to committed timelines, e.g., controls testing, remediations, risk exceptions, information security and privacy intake requests, and risk tracking
• Standing up and maintaining internal technical controls to support security and privacy, e.g., identity management, user access, data integrity, change management, physical and logical security, privacy related to data controller and processor, and system development life cycle (SDLC) controls
• Analyzing and rationalizing targeted certification standard requirements and control gaps
• Effectively communicating the intent of certification standards to technical and non-technical control owners and performers
• Writing technical security and privacy-related risk statements, control statements, control execution steps, and suggested evidence to properly support certification requirements
• Staging and coaching control owners and performers for successful audit walkthroughs
• Testing controls and identifying gaps requiring remediation
• Implementing and maintaining compliance automation tools
• Analyzing internal and vendor business systems to ensure compliance with industry regulations and ethical standards
• Creating, modifying, updating, and assisting as needed with implementing Truveta policies and procedures
• Developing risk management strategies and performing risk assessments according to Truveta’s methodology
• Designing ongoing relevant security and privacy-related training programs for employees of the business
• Liaising with other departmental heads to ensure all business operations are in line with business policies and procedures
• Advising mid- and senior management on business operations related to investment, business objectives, certifications and attestations, risks, and other policy and procedure development.

Key Qualifications  

• Bachelor’s or higher degree supplemented by training
• 5 plus years of experience as an IT Auditor in internal or external auditing or compliance
• Report onsite to Bellevue, WA as required
• Direct experience with regulated e-PHI and/or PII data including HIPAA requirements for organizations classed as technology business associates, FDA 21 CFR Part 11 requirements, and relevant certifications and attestations, i.e., ISO 27001, 27018, 27701, Type 2 SOC 2, and HITRUST
• Experience with FDA regulations, Quality Management Systems (QMS), and the Centers for Medicare and Medicaid Services (CMS) Qualified Entity (QE) Program is highly desirable
• Experience performing HITRUST readiness self-assessments or validated assessments for a healthcare business associate organization
• Ability to effectively translate ISO, SOC 2, and HITRUST requirements to engineering and non-engineering stakeholders
• Strong experience and knowledge of cloud technology and engineering industry processes and regulations
• Proven bench strength in defining and performing technology and business risk assessments, defining control design, and measuring and monitoring control operating effectiveness
• Outstanding written and verbal communication and interpersonal abilities
• An analytical and critical-thinking mindset with excellent organizational and programmatic skills
• Proficiency in productivity tools such as Microsoft Word, Excel, and PowerPoint and the ability to learn and adopt other collaborative tools
• Ability to work effectively, accurately, and take accountability on critical compliance timelines
• Prefer career training and experience as IT Auditor, internal or external auditor or compliance consultant with healthcare data
• Pluses: current or past certification as CISA, CIA, CRISC, CISSP, CIPT, HITRUST CCSFP, or related disciplines; big four experience.

Why Truveta?

Be a part of building something special. Now is the perfect time to join Truveta. We have strong, established leadership with decades of success. We are well-funded. We are building a culture that prioritizes people and their passions across personal, professional, and everything in between. Join us as we build an amazing company together.

We offer:

• Interesting and meaningful work for every career stage
• The hourly pay for this position is $65-$90 per hour. The pay range reflects the minimum and maximum target. Pay is based on several factors including location and may vary depending on job-related knowledge, skills, and experience. Certain roles are eligible for additional compensation such as incentive pay and stock options.

If you are based in California, we encourage you to read this important information for California residents linked here.

Truveta is committed to creating a diverse, inclusive, and empowering workplace. We believe that having employees, interns, and contractors with diverse backgrounds enables Truveta to better meet our mission and serve patients and health communities around the world. We recognize that opportunities in technology historically excluded and continue to disproportionately exclude Black and Indigenous people, people of color, people from working class backgrounds, people with disabilities, and LGBTQIA people. We strongly encourage individuals with these identities to apply even if you don’t meet all of the requirements.