Technology Governance, Risk, & Compliance - HIPAA Compliance, Manager
The Peloton Enterprise Technology Team is expanding & transforming its risk management, compliance & security capabilities & resources. We are investing in these areas to address an ever-increasing cybersecurity threat landscape as well as regulatory compliance requirements as the company continues to grow.
The Technology Governance, Risk & Compliance (GRC) HIPAA Compliance role will be a critical position within the team & for the organization globally. Working closely with the Enterprise Technology, Software Engineering & Legal teams, as well as stakeholders across the organization, this position's main responsibility will be to lead the design, build-out & operation of a HIPAA-compliant platform in an effort to raise the overall security & compliance posture of Peloton. This individual will be directly responsible for partnering with teams to implement the HIPAA Privacy, Security & Breach Notification Rules at an appropriate level of depth for the environment. The role will have strategy & design components, but will also be highly tactical & hands-on. The person will need to drive HIPAA-specific risk management practices at the highest level & implement the approach to appropriately treat the risks. The person will need to understand HIPAA requirements in detail & be able to translate them to a highly agile & modern technology environment.
In addition to the main focus on HIPAA, this person should also have experience working across multiple frameworks & regulatory standards including, but not limited to, NIST CSF, PCI DSS, GDPR/CCPA & SOX. This individual will need to work closely with teams across the organization to understand the control environment in place currently, how to leverage it & when new customized solutions & processes need to be implemented.
- The role will be responsible for collaborating with our Software Engineering team from a technical perspective in order to provide direction on the architecture, deployment & operations of a HIPAA-compliant environment.
- Under direction of GRC management, the role is responsible for leading the HIPAA compliance program & managing the associated projects at a tactical level.
- Responsible for informing leadership of issues resulting from risk analysis & determining potential solutions that are appropriate for Peloton's business & system architecture.
- Interacts with business & engineering stakeholders to understand risks to data by defining potential business impact, & is responsible for applying effective mitigation strategies.
- Maintains updated healthcare industry & regulatory knowledge in the fields of privacy, security, risk management & compliance related to HIPAA.
- Understands core risk management principles, including how to calculate risk levels, determine risk tolerances & develop appropriate risk treatment plans.
- Effectively engages Peloton stakeholders, business partners, & vendors to maintain an understanding of current risks, new systems, & changes to the environment.
- Understands security functions including: Incident Management, Secure Change Management, Identity & Access Management, & Vendor Security Risk Management.
- Must stay current with industry, regulatory, & legal requirements relevant to security, compliance, & privacy.
- 7+ years of experience working in or with the healthcare industry
- Strong knowledge of all aspects of the HIPAA regulation
- Experience internally leading an organization to become compliant with HIPAA & maintain ongoing operational compliance, or through specific HIPAA-focused consulting experience
- Experience internally or externally leading an organization through HITRUST readiness & obtaining the certification
- Experience internally or externally leading an organization through a SOC 2+ audit with HIPAA / HITRUST focus
- Experience as a HITRUST external assessor is a plus
- Strong degree of comfort working alongside a software engineering team to provide governance over the design & architecture of systems to ensure ePHI is appropriately safeguarded
- Experience working with external legal partners & auditors
- Familiar with GRC tools to track, operate & monitor a HIPAA program
- Knowledge of JIRA & Confluence preferred
- Experience working in a technology organization preferred
- Experience in one or more of the following: SOX, GDPR/CCPA, NIST CSF, PCI DSS is preferred
- One or more of the following certifications is preferred: CISA, CISSP, HITRUST CCSFP, CIPP, CIPM, CIPT
Peloton is the largest interactive fitness platform in the world with a loyal community of more than 3 million Members. The company pioneered connected, technology-enabled fitness, & the streaming of immersive, instructor-led boutique classes for its Members anytime, anywhere. Peloton makes fitness entertaining, approachable, effective, & convenient, while fostering social connections that encourage its Members to be the best versions of themselves. An innovator at the nexus of fitness, technology, & media, Peloton has reinvented the fitness industry by developing a first-of-its-kind subscription platform that seamlessly combines the best equipment, proprietary networked software, & world-class streaming digital fitness & wellness content, creating a product that its Members love. The brand's immersive content is accessible through the Peloton Bike, Peloton Tread, Peloton Bike+, Peloton Tread+, & Peloton App, which allows access to a full slate of fitness classes across disciplines, on any iOS or Android device, Apple TV, Fire TV, Roku TVs, & Chromecast & Android TV. Founded in 2012 & headquartered in New York City, Peloton has a growing number of retail showrooms across the US, UK, Canada & Germany. For more information, visit www.onepeloton.com.
Together We Go Far means that we are greater than the sum of our parts, stronger collectively when each one of us is at our best. In order to be the best version of Peloton, we are deeply committed to building a diverse workforce & inclusive culture where all of our team members can be the best version of themselves. This work has no endpoint; it is the constant work of running an organization that strives to reach its full potential. As a first step in our commitment, we announced the Peloton Pledge to invest $100 million over the next four years to fight racial injustice & inequity in our world, & to promote health & wellbeing for all, from the inside out.