Director of Legal, Risk & Compliance

About The Position

Requirements

• 8–12+ years of experience in information security, governance, compliance, and legal within healthcare, health tech, or SaaS environments.
• CISSP strongly preferred (or equivalent advanced security certification).
• Deep working knowledge of HIPAA, SOC 2, HITRUST, GDPR, CCPA; FedRAMP experience strongly preferred.
• Experience leading audits, certifications, and regulatory assessments.
• Demonstrated experience reviewing and negotiating contractual language (MSAs, BAAs, DPAs, ISAs).
• Strong communication skills and ability to influence cross-functional stakeholders.

Responsibilities

• Own and lead Medicom’s information security and compliance programs, ensuring adherence to HIPAA, HITRUST, SOC 2, GDPR, and evolving regulatory standards.
• Define, document, and continuously improve the company’s security control framework and risk management processes.
• Leadership sponsor for SOC 2 audits and other certification efforts, coordinating with third-party auditors and internal stakeholders.
• Prepare the organization for advanced frameworks and certifications, including FedRAMP readiness.
• Serve as chair of the Confidentiality & Security Team (CST), including meeting leadership and agenda setting.
• Review and assess customer MSAs, BAAs, and ISAs to ensure alignment with Medicom’s security controls and compliance posture.
• Partner with Sales and Legal during enterprise negotiations to balance commercial objectives with risk mitigation.
• Ensure ongoing compliance with contractual obligations, federal and state regulations, and customer procurement policies.
• Coordinate with external counsel as appropriate regarding legal contracts and compliance matters.
• Partner closely with Engineering to embed security and compliance requirements into product design and architecture.
• Act as a trusted advisor across the organization on security, compliance, and risk-related matters.