The Sr. Manager, Governance Risk and Compliance (GRC) is responsible for overseeing Included Health's regulatory compliance, risk management, and governance programs, ensuring compliance with healthcare regulations (HIPAA, HITECH, SOC 2), and building a robust GRC framework to protect PHI. This role plays a crucial role within the Governance, Risk & Compliance team, reporting directly to the Chief Information Security Officer.

Responsibilities:

Third-Party & Vendor Risk Management:
Manage the complete third-party risk management (TPRM) program, from initial assessment to ongoing monitoring.
Conduct security risk assessments for all vendors, especially those handling protected health information (PHI).
Collaborate with Legal to review security language in vendor contracts and Business Associate Agreements (BAAs).
Maintain the vendor risk register, track remediation of risks, and report on vendor risk exposure.
Demonstrate success developing third-party risk governance programs with Legal, Security, and Procurement to increase efficiency and reduce friction across stakeholders.
Experience implementing tiered vendor risk models and reassessment cycles to reduce manual tracking workload.
Audit & Compliance (HIPAA, SOC 2)
Manage all internal and external audits, including planning, evidence collection, and coordinating with auditors.
Serve as the main point of contact for external auditors (e.g., for SOC 2, HIPAA).
Oversee security controls (technical and procedural) to ensure continuous compliance with HIPAA, HITECH, and SOC 2 frameworks.
Translate complex regulatory requirements into actionable security controls and procedures for technical and business teams.
Track and manage the remediation of all audit findings.
Experience creating standardized audit playbooks and evidence repositories.
Experience owning an organization-wide compliance program to comply with audit framework(s).
Strong ability to translate audit outcomes into business-oriented insights that directly impact riskreduction and process improvement.
Enterprise Risk & Security Operations
Manage the enterprise risk management program, including conducting annual risk assessments and maintaining the risk register.
Develop, maintain, and test the company's incident response (IR) plan.
Run security awareness programs, such as phishing simulations and tabletop exercises.
Track remediation efforts for all identified risks.
Produce concise, executive-ready risk reports that inform strategic decisions across departments.
Client & Sales Security Support
Lead responses to client and prospect security questionnaires, RFPs, and assessments.
Develop and maintain a knowledge base of standard security responses and supporting documentation.
Act as the security subject matter expert to support the sales and partnership teams.
Coordinate and manage client-facing security audits and reviews.
Security Policy & Documentation
Extensive experience creating, reviewing, and maintaining clear security policies, standards, andprocedures.
Create, review, and maintain clear security policies, standards, and procedures.
Ensure all policies align with regulatory requirements (HIPAA, SOC 2) and industry best practices.
Communicate policies and procedures to all employees and contractors.
Experience embedding compliance checkpoints within existing or new operational processes (e.g.,change management, onboarding).

Qualifications:

Required
7+ years of experience in GRC, compliance, risk management, or information security roles, with at least 4 years in a management or leadership capacity
Demonstrated experience managing a full-cycle third-party risk management (TPRM) programs, including conducting vendor risk assessments and reviewing security terms in contracts.
Hands-on expertise leading external audits for major compliance frameworks, specifically SOC 2 Type 2 and HIPAA.
Proven ability to build and manage an enterprise risk program, including conducting formal risk assessments (e.g., NIST-based) and developing/testing incident response plans.
Direct experience serving as a security subject matter expert in a client-facing role, including leading responses to security questionnaires, RFPs, and customer audits.
Exceptional technical writing skills with a history of creating, implementing, and maintaining a comprehensive set of security policies, standards, and procedures.
Preferred
Bachelor's degree in Computer Science, Information Security, Business Administration, or related field (or equivalent experience).
Deep expertise in healthcare compliance regulations including:
HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
HITECH Act and meaningful use requirements
SOC 2 Type 2 (preferably with hands-on audit management experience)
Professional certifications such as: CISSP, CISM, CRISC, CISA, GRCP, CHPS, CIPP/US
Experience with additional compliance frameworks such as:ISO 27001/27002, ISO 27701, HITRUST, CSFFedRAMP, State RAMPPCI-DSS, State privacy laws (CCPA, CPRA, VCDPA, etc.)
Experience with GRC platforms such as Vanta, Drata, OneTrust, LogicGate, Archer, ServiceNow GRC, or similar
Knowledge of cloud security and compliance (AWS, GCP)
Experience managing security awareness platforms (KnowBe4, Proofpoint, NINJIO, etc.)

Physical/Cognitive Requirements:

Prompt and regular attendance at assigned work location.
Capability to remain seated in a stationary position for prolonged periods.
Eye-hand coordination and manual dexterity to operate keyboard, computer and other office-related equipment.
No heavy lifting is expected, though occasional exertion of about 20 lbs of force (e.g., lifting a computer \/ laptop) may be required.
Capability to work with leadership, employees, and members in an appropriate manner

The United States new hire base salary target ranges for this full-time position are:

Zone A: $138,380 - $195,470 + equity + benefits

Zone B: $152,218 - $215,017 + equity + benefits

Zone C: $166,056 - $234,564 + equity + benefits

Zone D: $179,894 - $254,111 + equity + benefits

This range reflects the minimum and maximum target for new hire salaries for candidates based on their respective Zone. Below is additional information on Included Health's commitment to maintaining transparent and equitable compensation practices across our distinct geographic zones.

Starting base salary for the successful candidate will depend on several job-related factors, unique to each candidate, which may include, but not limited to, education; training; skill set; years and depth of experience; certifications and licensure; business needs; internal peer equity; organizational considerations; and alignment with geographic and market data. Compensation structures and ranges are tailored to each zone's unique market conditions to ensure that all employees receive fair and competitive compensation based on their roles and locations. Your Recruiter can share details of your geographic alignment upon inquiry.

In addition to earning a base salary, this role is eligible for a performance-based bonus. Details of the Annual Bonus Plan, including performance metrics, target incentives, and potential earnings, will be discussed during the interview process.

Benefits & Perks:

In addition to receiving a competitive pay, the compensation package may include, depending on the role, the following:

Remote-first culture

401(k) savings plan through FidelityComprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)

Full suite of Included Health telemedicine (e.g. behavioral health, urgent care, etc.) and health care navigation products and services offered at no cost for employees and dependents

Generous Paid Time Off ("PTO") and Discretionary Time Off ("DTO")

12 weeks of 100% Paid Parental leave

Up to $25,000 Fertility and Family Building Benefit Compassionate Leave (paid leave for employees who experience a failed pregnancy, surrogacy, adoption or fertility treatment)

11 Holidays Paid with one Floating Paid Holiday

Work-From-Home reimbursement to support team collaboration and effective home office work

24 hours of Paid Volunteer Time Off ("VTO") Per Year to Volunteer with Charitable Organizations

Your recruiter will share more about the benefits package for your role during the hiring process.

#LI-CG1

About Included Health

Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. We’re on a mission to raise the standard of healthcare for everyone. We break down barriers to provide high-quality care for every person in every community — no matter where they are in their health journey or what type of care they need, from acute to chronic, behavioral to physical. We offer our members care guidance, advocacy, and access to personalized virtual and in-person care for everyday and urgent care, primary care, behavioral health, and specialty care. It’s all included. Learn more at includedhealth.com.

-----

Included Health is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Included Health considers all qualified applicants with arrest or conviction records in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, and California law.

Apply now

See more open positions at Included Health

Privacy policy Cookie policy