TECHNOLOGY GOVERNANCE, RISK & COMPLIANCE (GRC) - HIPAA COMPLIANCE, SENIOR ANALYST
The Peloton Enterprise Technology Team is expanding & transforming its risk management, compliance & security capabilities & resources. We are investing in these areas to address an ever-increasing cybersecurity threat landscape, as well as expanding regulatory compliance requirements as the company continues to grow.
The Technology Governance, Risk & Compliance (GRC) HIPAA Compliance Senior Analyst role will be a critical position within the team & for the organization globally. Working closely with the Enterprise Technology, Software Engineering & Legal teams, as well as stakeholders across the organization, this position's main responsibility will be to tactically support the design, build-out & operation of a HIPAA-compliant platform in an effort to raise the overall security & compliance posture of Peloton. This individual will need to partner with teams to implement the HIPAA Privacy, Security & Breach Notification Rules at an appropriate level of depth for the environment. The role will be hands-on, with mainly tactical design & implementation responsibilities. The person will need to support HIPAA-specific risk management practices at the highest level & implement the approach to appropriately treat the risks. The person will need to understand HIPAA data privacy & security requirements in detail in order to appropriately translate & apply them to a highly agile & modern technology environment.
In addition to the main focus on HIPAA, it is advantageous if this person has experience working across multiple frameworks & regulatory standards including, but not limited to, NIST CSF, PCI DSS, GDPR/CCPA & SOX. This individual will need to work closely with teams across the organization to understand the control environment in place currently, how to leverage it & when new customized solutions & processes need to be implemented.
- The role will be responsible for cross functional collaboration with Software Engineering, Legal, Internal Audit & Security teams in designing & operating both the technical & programmatic dependencies of a HIPAA compliant environment.
- Provide technical perspective & support on the architecture, infrastructure, & technology operations in place to manage health data risk.
- Under the direction of GRC management, the role is responsible for building & supporting the HIPAA compliance program & managing the associated projects efficiently.
- Responsibility for informing leadership of issues resulting from risk analysis & determining potential solutions that are appropriate for Peloton's business & system architecture.
- Interacts with business & engineering stakeholders to understand risks to data by defining potential business impact with the responsibility to apply effective mitigation strategies.
- Maintains updated healthcare industry & regulatory knowledge in the fields of privacy, security, risk management & compliance related to HIPAA.
- Understanding of core risk management principles, how to calculate risk levels, determine risk tolerances & develop appropriate risk treatment plans.
- Understanding of security functions including: Incident Management, Secure Change Management, Identity & Access Management, & Vendor Security Risk Management.
- Stay current with healthcare industry, regulatory, & legal requirements relevant to security, compliance, & privacy.
- 5+ years of experience working in or with the healthcare industry or healthcare related products that require compliance with HIPAA
- Strong technical knowledge of all aspects of the HIPAA regulation
- Experience operating or advising programs that effectively rightsize risk management controls across the relevant contexts of a distributed architecture
- Experience supporting an organization to become compliant with HIPAA & maintain ongoing operational compliance
- Experience supporting an organization through HITRUST readiness & obtaining the certification
- Experience supporting an organization through a SOC 2 + HIPAA audit
- Experience as a HITRUST external assessor is a plus
- Strong degree of comfort working alongside an agile software engineering team to provide governance over the design & architecture of systems to ensure ePHI is appropriately safeguarded
- Experience tailoring communication & collaboration in an organization that utilizes both co-located & distributed teams
- Experience working with external legal partners & auditors
- Familiar with GRC tools to track, operate & monitor a HIPAA program
- Knowledge of JIRA & Confluence preferred
- Experience working in a technology organization preferred
- Experience in one or more of the following: SOX, GDPR/CCPA, NIST CSF, PCI DSS is preferred
- One or more of the following certifications is preferred: CISA, CISSP, HITRUST CCSFP, CIPP, CIPM, CIPT
Peloton uses technology + design to connect the world through fitness, empowering people to be the best version of themselves anywhere, anytime. We have reinvented the fitness industry by developing a first-of-its-kind subscription platform. Seamlessly combining hardware, software, & streaming technology, we create digital fitness & wellness content & products that Members love. In 2020 Peloton committed to becoming an antiracist organization with the launch of the Peloton Pledge.
Together We Go Far means that we are greater than the sum of our parts, stronger collectively when each one of us is at our best. In order to be the best version of Peloton, we are deeply committed to building a diverse workforce & inclusive culture where all of our team members can be the best version of themselves. This work has no endpoint; it is the constant work of running an organization that strives to reach its full potential. As a first step in our commitment, we announced the Peloton Pledge to invest $100 million over the next four years to fight racial injustice & inequity in our world, & to promote health & wellbeing for all, from the inside out.