OUR MISSION
Big Health’s mission is to help millions back to good mental health. Our digital therapeutics for insomnia and anxiety deliver evidence-based, safe and effective non-drug alternatives. Our programs are reimbursed across over 10 million members and by some of the most prominent global healthcare organizations, including CVS Health, Evernorth and NHS Scotland. Through robust clinical evaluation and an approach that is scalable and equitable, we are redesigning the future of mental health care affecting nearly half of adult Americans. Join us.
ABOUT THE ROLE
We’re looking for a highly skilled and experienced Director of Privacy to join Big Health. Reporting to the Chief Financial Officer, the Director of Privacy will serve as the enterprise subject matter expert on privacy laws and regulations. They will oversee and manage the planning, implementation, oversight, auditing, monitoring, and ongoing operation of Big Health's privacy compliance and work very closely with the security engineering team. This includes ensuring compliance with federal, state, and international regulations and accreditation standards, such as HIPAA, GDPR, state data protection and privacy laws, ISO 27000 requirements, and HITRUST requirements. The Director of Privacy will provide expert guidance and advice to internal stakeholders on privacy, security, and compliance-related matters. The ideal candidate is an attorney with prior data privacy experience in HCIT, possessing strong business judgment and the ability to collaborate effectively across the organization.
Job Responsibilities:
- Advise and partner with internal product owners, sales, marketing, human resources, and other business teams to mitigate privacy risks and ensure compliance with relevant privacy matters, including HIPAA
- Draft, review, and negotiate Business Associate Agreements and/or Data Use Agreements
- Provide support to commercial attorneys in contract negotiations, specifically on data privacy and information security issues, including data protection agreements and information security addenda
- Establish and maintain compliance with applicable data privacy and consumer protection laws, ensuring data use and handling align with legal requirements
- Develop and manage Big Health’s internal policies, procedures, and practices to address current and future data privacy and consumer protection laws
- Collaborate closely with the engineering team to identify and address privacy and security risks
- Monitor and analyze new and pending privacy, data protection, and consumer legislation that may impact the business
- Establish an ongoing process to track, investigate, and report inappropriate access and disclosure of protected health information, including oversight of corrective action plans that mitigate non-compliance
- Conduct periodic risk assessments and ongoing monitoring of key elements of the privacy program, including privacy notice, consent, authorization, business partner agreements/practices, minimum necessary information, disclosure, etc., and develop corresponding work plans, including corrective action plans
- Respond to alleged violations of information privacy, security, or compliance rules, regulations, policies, procedures, and Standards of Conduct by evaluating and investigating reported alleged violations
- Manage required breach determination and notification processes under applicable federal and state laws
- Manage the HITRUST and SOC 2 certification process (along with our external assessors). Partner with the CFO to review the current cyber insurance policy. If necessary, meet and establish relationships with the provider's approved law firms to help implement a breach response plan
Qualifications:
- Undergraduate degree and JD from an accredited law school
- Admitted to at least one state bar in the United States
- 7 years of legal experience with a focus on privacy law, including 3+ years of specific privacy law practice
- Strong knowledge of US, North American, and global privacy laws and regulations, such as HIPAA, HITRUST, and UK/EU GDPR. Familiarity with CCPA/CPRA, TCPA, PMDA, CAN-SPAM, the FTC Act, 21 CFR Part 11, and other data privacy and consumer protection laws
- Experience in healthcare privacy compliance or a similar enabling function in the healthcare industry, including developing and maintaining comprehensive privacy programs for scaling organizations
- Expertise in managing Privacy programs under European data protection laws and GDPR
- Prior experience in drafting and negotiating contractual provisions
- Knowledge of information technology and information security concepts
- Proficient in cultivating internal relationships and collaborating effectively with colleagues at all levels
- Proficient in both written and oral communication, with a strategic approach
- CIPP or similar Privacy and Data Protection certification, Compliance Certifications, Industry Presentations, Roundtable Participation all a plus
Life at Big Health:
- Join a diverse team of all backgrounds; we’re proud to be an equal opportunity employer
- Autonomy over your work and freedom to input
- Enjoy a clearly structured personal review and development program
- Quarterly happiness survey that we use to ensure we’re creating a healthy and happy workplace for ourselves
- Fund for spending on personal happiness
- Regular team and company events
- Generous vacation and maternity/paternity policy
- Competitive salary and equity package
More Background on Big Health:
- Backed by leading venture capital firms, Index Ventures, Octopus Ventures, and Kaiser Permanente Ventures
- With offices in London and San Francisco, Big Health’s products are used by large multinational employers and major health plans to help improve sleep and mental health. To date, more than 12 million people across 60+ countries have access to Sleepio or Daylight
Additionally, we will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the San Francisco Fair Chance Ordinance. Big Health participates in E-Verify and will provide the federal government with Form I-9 information from all new employees to confirm that they are authorized to work in the U.S. Big Health does not use E-Verify to pre-screen applicants.
Tags
security
healthcare
information security
attorney
SOC 2