Director of Legal, Risk & Compliance

About the role

Medicom is seeking a Director of Legal, Risk & Compliance (GRC) to lead the Company’s information security, regulatory compliance, and contractual risk management programs. As a healthcare data company, Medicom must meet the highest standards for data protection while supporting rapid product development and enterprise growth.

This role will own Medicom’s security and compliance frameworks (HIPAA, HITRUST, SOC 2, GDPR, FedRAMP readiness) while also serving as the primary reviewer of customer contractual obligations. The Director will partner closely with Engineering, Sales, Legal, and executive leadership to ensure security, compliance, and legal commitments are aligned and operationally achievable.

What you'll do

• Own and lead Medicom’s information security and compliance programs, ensuring adherence to HIPAA, HITRUST, SOC 2, GDPR, and evolving regulatory standards.
• Define, document, and continuously improve the company’s security control framework and risk management processes.
• Leadership sponsor for SOC 2 audits and other certification efforts, coordinating with third-party auditors and internal stakeholders.
• Prepare the organization for advanced frameworks and certifications, including FedRAMP readiness.

• Serve as chair of the Confidentiality & Security Team (CST), including meeting leadership and agenda setting.

• Review and assess customer MSAs, BAAs, and ISAs to ensure alignment with Medicom’s security controls and compliance posture.
• Partner with Sales and Legal during enterprise negotiations to balance commercial objectives with risk mitigation.
• Ensure ongoing compliance with contractual obligations, federal and state regulations, and customer procurement policies.
• Coordinate with external counsel as appropriate regarding legal contracts and compliance matters.

• Partner closely with Engineering to embed security and compliance requirements into product design and architecture.
• Act as a trusted advisor across the organization on security, compliance, and risk-related matters.

Qualifications

• 8–12+ years of experience in information security, governance, compliance, and legal within healthcare, health tech, or SaaS environments.
• CISSP strongly preferred (or equivalent advanced security certification).
• Deep working knowledge of HIPAA, SOC 2, HITRUST, GDPR, CCPA; FedRAMP experience strongly preferred.
• Experience leading audits, certifications, and regulatory assessments.
• Demonstrated experience reviewing and negotiating contractual language (MSAs, BAAs, DPAs, ISAs).
• Strong communication skills and ability to influence cross-functional stakeholders.

Equal Opportunity Employer Statement

Medicom Technologies is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status.

Reasonable Accommodation Notice

If you require a reasonable accommodation in the application process, please contact [email protected] to discuss your needs.