Job Description
Who We Are
HaloMD specializes in Independent Dispute Resolution (IDR) through The No Surprises Act and state regulations for out-of-network healthcare providers, leveraging advanced technology and deep industry expertise to secure optimized reimbursements.
Position Summary
We are looking for a Senior Governance Risk & Compliance Analyst to join our Governance, Risk & Compliance (GRC) team and play a critical role in maintaining and strengthening our compliance posture within a HIPAA-regulated environment. In this role you will be a hands-on contributor responsible for responding to customer security questionnaires, gathering and organizing audit evidence for SOC 2 and HITRUST programs, maintaining and updating security policies, and managing our third-party risk management program. You will work closely with cross-functional teams, external auditors, and customers on a daily basis.
Key Responsibilities
Customer Security Questionnaires & Trust Enablement
- Serve as the primary responder for inbound customer and prospect security questionnaires, RFPs, and due diligence requests.
- Build and maintain a centralized knowledge base of approved responses to accelerate questionnaire turnaround times.
- Partner with Sales, Customer Success, and Legal teams to ensure timely and accurate completion of security assessments.
- Continuously improve response quality and consistency by incorporating audit results and policy updates.
Audit Evidence Gathering & Compliance Operations
- Collect, organize, and validate evidence artifacts for SOC 2 Type I/II and HITRUST CSF audit cycles.
- Coordinate with control owners across Engineering, IT, HR, and other departments to ensure evidence is complete, accurate, and delivered on schedule.
- Manage evidence within the GRC platform (Vanta preferred) and ensure continuous monitoring dashboards remain current.
- Support external auditor requests during fieldwork, including walkthroughs, sampling, and clarification of control activities.
- Track remediation items and corrective actions to closure, escalating risks as needed.
Policy & Standards Management
- Draft, review, and update information security policies, standards, and procedures to align with HIPAA, SOC 2, and HITRUST requirements.
- Manage the policy lifecycle including version control, stakeholder review cycles, approval workflows, and employee attestation tracking.
- Monitor regulatory and framework changes and recommend policy updates to maintain continuous compliance.
- Support security awareness and training initiatives related to policy adoption and compliance obligations.
Third-Party Risk Management (TPRM)
- Own the day-to-day execution of the third-party risk management program, including vendor intake, risk tiering, and assessment scheduling.
- Conduct security assessments of new and existing vendors through questionnaire review, SOC 2 report analysis, and penetration test evaluation.
- Maintain the vendor risk register, track risk acceptance decisions, and ensure appropriate contractual safeguards (BAAs, DPAs, security addenda) are in place.
- Collaborate with Procurement, Legal, and business stakeholders to integrate TPRM requirements into the vendor onboarding process.
- Report on third-party risk metrics and trends to GRC leadership.
Required Qualifications
- 5+ years of experience in information security, GRC, IT audit, or compliance roles.
- Hands-on experience supporting SOC 2 and/or HITRUST audit programs, including evidence collection and auditor interaction.
- Working knowledge of HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
- Demonstrated experience responding to customer security questionnaires (e.g., SIG, CAIQ, custom assessments).
- Experience conducting or managing third-party vendor risk assessments.
- Strong understanding of common security frameworks and standards (e.g., NIST CSF, ISO 27001, NIST 800-53, CSA CCM).
- Excellent written communication skills with the ability to produce clear, professional policy documents and customer-facing responses.
- Strong organizational skills and attention to detail with the ability to manage multiple concurrent workstreams.
- Bachelor's degree in Information Security, Information Technology, Business, or a related field (or equivalent experience).
Preferred Qualifications
- Experience with Vanta or similar GRC automation platforms (e.g., Drata, AuditBoard, OneTrust).
- Professional certifications such as CISA, CRISC, CCSFP (HITRUST), Security+, or HCISPP.
- Experience in a healthcare technology, health-tech SaaS, or digital health environment.
- Familiarity with cloud environments (AWS, Azure, or GCP) and related compliance controls.
- Experience building or improving TPRM programs from early maturity stages.
- Prior experience using questionnaire automation tools (e.g., Conveyor, SafeBase, Whistic).
Perks & Benefits
- Remote - within the United States with reliable high-speed internet; preference is for candidates based in, or within a commutable distance of, our Dallas, TX office for occasional in-person meetings.
- Multiple medical plan options
- Health Savings Account with company contributions
- Dental & vision coverage for you and your dependents
- 401k with Company match
- Vacation, sick time & Company paid holidays
- Company wellbeing program with health insurance incentives
What's Next?
If you're ready to bring your skills, passion, and leadership to our growing team, we want to hear from you! Apply today and help us create a future where success is the standard.
It is the policy of HaloMD not to discriminate against any applicant for employment, or any employee because of age, color, sex, disability, national origin, race, religion, or veteran status.