Sr. Legal Risk Manager

About The Position

Requirements

• Bachelor's Degree in Information Technology, Cybersecurity, Risk Management, or a related field, or equivalent work experience preferred.
• 5+ years of progressive experience in third-party risk management, information security, or a related field, with at least 2 years in a lead role.
• Demonstrated experience managing Third-Party Risk Management (TPRM) software.
• Strong knowledge of security frameworks (e.g., NIST, HITRUST) and regulatory compliance requirements (e.g., SOX, HIPAA).
• Experience in conducting risk assessments and developing mitigation strategies.
• Experience managing vendors and third-party relationships.
• Experience with data inventory and auditing processes.
• Proficiency in analytical tools (e.g., Excel, Google Sheets) for data analysis and reporting.
• Excellent written and oral communication skills, with the ability to articulate complex concepts to various stakeholders.
• Strong project management skills and a collaborative mindset.
• Ability to work independently and with a team in a fast-paced environment, managing multiple competing priorities.
• Must comply with HIPAA rules and regulations and other State and Federal rules, regulations, and statutes.

Nice To Haves

• Familiarity with EHR/EMR systems (e.g., athenaOne) is a plus.
• Experience with Monday.com or Form Assembly a plus

Responsibilities

• Maintain and grow the Third-Party Risk Management (TPRM) Framework: Design, implement, and continuously improve the organization's TPRM framework, policies, and procedures, including the management and governance of:
• Third Party Access Committee (TPAC) and oversee the review and approval process for all third parties.
• Third-party review process, ensuring that qualifying vendors submit required documentation in a timely manner and that our evaluation process complies with industry standards and Privia’s administrative, technical, and cybersecurity controls.
• Maintain the Approval / Revocation List for internal and external stakeholders and appropriate communications when vendors change status
• Be the TPRM team liaison to the AI Governance Committee and work with the Privacy Officer, The Chief Technology officer and other key members of the organization to ensure that AI is incorporated into our Third-Party Risk Management processes and is aligned to organizational objectives.
• Work with organizational stakeholders to ensure the TPRM is comprehensive and inclusive of all types of third parties, that stakeholders understand how to engage with TPAC, and that the appropriate mechanisms exist for ongoing training and awareness, and meet changing business needs and demands. Establish alignment between TPAC vendors and national operating teams.
• Evaluate third-party access requests in collaboration with the committee to ensure Privia Policies, federal, state laws, and industry best practices. Ensure the third parties have the appropriate cybersecurity controls and liability insurance so that they do not present undue risk.
• Track and maintain records of all TPAC submissions, approvals, and denials, and publish a list of approved solutions on PriviaConnect.
• Coordinate periodic reviews of approved third parties at least every two years, or for the term of the contract, if shorter, and manage corrective action plans when necessary.
• Collaborate with the Privacy & Data Analyst to review reports of API activity in the EMR and present findings to TPAC
• Work with the Cybersecurity Analyst and other IT Security teams to ensure comprehensive third-party inventory and robust security controls are in place and aligned with industry standards
• Oversee the implementation and maintenance of Third-Party Risk Management (TPRM) software solutions to streamline assessment, monitoring, and reporting processes. Maintain existing systems and processes.
• Work with senior and executive leadership on new business models, including potential vendor partner models that may involve developing a preferred vendor program or savings guides.
• Develop and maintain an inventory of all third parties, including all data exchanges and validating its completeness and accuracy annually by comparing it against systems actively connected to the EMR.
• Manage cybersecurity risks associated with third-party vendors and service providers, including implementing security requirements in vendor contracts.
• Perform other duties as assigned.

Benefits

• medical
• dental
• vision
• life
• pet insurance
• 401K
• paid time off
• other wellness programs
• annual bonus targeted at 15%
• restricted stock units