Director Compliance

Sagility
Time, IL
Remote

About The Position

Sagility combines industry-leading technology and transformation-driven BPM services with decades of healthcare domain expertise to help clients draw closer to their members. The company optimizes the entire member/patient experience through service offerings for clinical, case management, member engagement, provider solutions, payment integrity, claims cost containment, and analytics. Sagility has more than 25,000 employees across 5 countries.

The Director of Governance, Risk & Compliance (GRC) and Global Security Officer is responsible for establishing, managing, and continuously enhancing the organization’s global governance, risk, and compliance program. This role ensures enterprise-wide alignment with CMS, HIPAA, NIST CSF, HITRUST, OIG, ISO 27001, FSGO, and global data protection laws. The role leverages AuditBoard for risk, compliance, and audit management and integrates with the EY Compliance Management Tool (ECM) for client and regulatory oversight. This leader will also serve as the Global Security Officer, overseeing security governance, including third-party risk assessments, and coordinating and aligning accreditation and certification efforts, cyber security, and physical security with business continuity and disaster recovery (BCP/DR) requirements, working with cross-functional teams.

Requirements

  • Bachelor’s degree in Information Security, Compliance, Risk Management, or a related field. Equivalent experience may substitute.
  • 7+ years in governance, compliance, risk management, or security in healthcare or regulated industries.
  • Direct experience leading client and regulatory audits (CMS, HIPAA, NIST, OIG, HITRUST).
  • Understanding of HIPAA, CMS regulations, NIST CSF, HITRUST, ISO 27001, and OIG compliance frameworks.
  • Strong background in global security governance, including physical security, cyber security, and incident response programs.
  • Exceptional leadership, stakeholder management, and cross-functional collaboration skills.
  • Proven ability to operate in a global, multi-jurisdictional environment.
  • Strong written and verbal communication, including preparation of executive-level board reports.

Nice To Haves

  • Preferred knowledge of AuditBoard, EY Compliance Management Tool, or equivalent GRC platforms.

Responsibilities

  • Support, design, and implement a global governance framework aligned with CMS regulations (42 C.F.R. § 438, 42 C.F.R. § 434.6), HIPAA Privacy & Security Rules, NIST CSF, ISO 27001, OIG guidance, HITRUST, and relevant state, federal, and global privacy laws.
  • Manage AuditBoard workflows for risk registers, control monitoring, policy attestations, third-party risk assessments, quarterly client attestations, and compliance dashboards.
  • Integrate EY Compliance Management Tool with AuditBoard for evidence management, regulatory submissions, and quarterly board reporting.
  • Maintain an enterprise-wide risk register mapped to HIPAA, NIST, CMS, OIG, and contractual requirements.
  • Ensure policies align with framework requirements.
  • Act as primary liaison for the Client Information Program (CIP) and for internal and external risk assessments and audits, ensuring a centralized evidence library, coordination across Legal, IT, Operations, and Compliance, and timely remediation of findings.
  • Support readiness for client, regulatory, and accreditation body audits (e.g., CMS, NCQA, URAC).
  • Provide governance oversight for global training programs (HIPAA, CMS, NIST, OIG, security, and global DPAs).
  • Serve as Global Security Officer with responsibility for physical and cyber security alignment with compliance and contractual obligations.
  • Assist in investigations of potential security and compliance incidents, breaches, or compliance violations in collaboration with Compliance, Legal, IT, InfoSec, and Operations.
  • Coordinate with the Special Investigation Unit (SIU) and ensure compliance with regulatory and client breach reporting timelines (e.g., CMS 60-day rule, client BAAs, HIPAA breach notification).
  • Provide governance oversight for BCP/DR testing and reporting, ensuring resilience and contractual compliance by engaging Operations, IT, InfoSec, and Compliance as needed.
  • Ensure compliance with HIPAA Security Rule safeguards, including administrative, physical, and technical safeguards.
  • Oversee implementation of HIPAA-required risk analyses, vulnerability assessments, and risk management plans.
  • Coordinate HIPAA-required security awareness and training programs for workforce members, working with Compliance and InfoSec.
  • Ensure breach notification requirements under HIPAA are fully integrated into the incident response process.
  • Ensure compliance with CMS security and privacy requirements, including 42 C.F.R. § 438 and 42 C.F.R. § 434.6.
  • Oversee CMS-required breach notification, ensuring reporting within mandated timelines (e.g., the CMS 60-day rule and client BAAs).
  • Coordinate with Compliance, Legal, and Operations to ensure CMS program integrity safeguards are met, including OIG and SIU reporting.
  • Support CMS-mandated risk assessments, data protection, fraud, waste, and abuse (FWA) prevention initiatives.
  • Ensure organizational alignment with the NIST Cybersecurity Framework (CSF), implementing Identify, Protect, Detect, Respond, and Recover functions across enterprise systems.
  • Oversee periodic NIST-based risk assessments and vulnerability management programs, ensuring corrective actions are tracked in AuditBoard.
  • Support improvement initiatives aligned with NIST CSF and ISO 27001 standards, ensuring gaps are documented and remediated in coordination with Internal Audit.
  • Support compliance with U.S. Office of Inspector General (OIG) guidelines for program integrity, exclusion screenings, and fraud, waste, and abuse (FWA) monitoring, working with the Sagility OIG Office.
  • Ensure adherence to HITRUST CSF requirements by implementing and maintaining cross-framework mappings to HIPAA, NIST, ISO, and CMS controls.
  • Support HITRUST readiness assessments, coordinate evidence collection, and ensure remediation of identified gaps to maintain or achieve certification.
  • Monitor integration of HITRUST control requirements into AuditBoard and ECM workflows for ongoing compliance tracking and reporting.
  • Provide enterprise-wide risk management and governance oversight using AuditBoard and ECM.
  • Establish reporting cadence for global board risk dashboards, issue remediation status, and trend analysis.
  • Partner with IT, InfoSec, Operations, and Compliance teams to ensure continuous monitoring of risks and control effectiveness.