Job Description

Reporting to the Chief Privacy Officer (CPO), the Director of Privacy Design and Governance serves as the privacy lead for product development, ensuring that privacy is embedded into products and data initiatives from concept and design through development, deployment, and decommissioning. In this role, the Director advances a comprehensive privacy program aligned with HIPAA, GLBA, applicable state privacy laws, and emerging federal and industry standards, including privacy frameworks, control mapping, and privacy standards for AI/ML and vendor data handling.

Acting as a strategic partner to Product, Data Science, Legal, Security, Marketing, and Operations, the Director conducts privacy impact assessments and risk assessments, defines data-minimization and retention strategies, identifies safeguards and controls, and provides clear guidance on compliant data use and disclosures, and individual privacy rights. Through strong cross-functional leadership and measurable governance, the Director enables business innovation while ensuring regulatory compliance and fostering trust, transparency, and accountability in all product and data practices.

Duties & Responsibilities:

• Build and maintain a privacy control framework that maps requirements across HIPAA, GLBA, state privacy laws, FTC expectations, and other applicable federal regulations.
• Manage comprehensive standards addressing data sharing, de-identification, artificial intelligence and machine learning, and vendor data handling.
• Manage the organization’s privacy-by-design framework, ensuring privacy considerations are embedded early in new product development, marketing initiatives, and business processes.
• Lead a privacy advisory program that provides timely, practical, and risk-based guidance to business units on compliant data use and sharing.
• Assist the CPO with stakeholder engagement and change management efforts, ensuring privacy requirements are clearly communicated, understood, and adopted across all departments.

• Develop and manage the Privacy Impact Assessment (PIA) process to evaluate risks associated with new systems, projects, and technologies involving PHI, PII and NPPI.
• Partner with Product, Engineering, and Security teams to define privacy control requirements and technical guardrails within design and deployment lifecycles.
• Support Marketing, IT, Security, Legal and Data Sciences teams in ensuring compliant practices related to data profiling and tracking technologies.
• Advise business units on individual rights processing (access, correction, deletion, opt-out) and ensure operational readiness for consumer privacy requests.

• Assist CPO in the maintenance of privacy policies and procedures, workforce training, and deliver targeted privacy training for business units.

• Monitor evolving HIPAA, GLBA, state, and federal privacy regulations, assessing their impact on organizational operations and policies.
• Provide guidance and thought leadership on emerging privacy trends, regulatory expectations, and enforcement priorities.
• Provide guidance and monitor compliance with the records retention policy to ensure proper administration in accordance with applicable laws and best practices.

Supervisory Responsibilities:

• Recruits, interviews, hires, and trains new staff.
• Oversees the daily workflow of the department.
• Provides constructive and timely performance evaluations.

#LI-Remote

Qualifications

Education & Experience:

• Bachelor’s degree in Healthcare Administration, Risk Management, Information Systems, Legal Studies, Public Policy, or a related field (JD or MBA/MHA preferred).
• Relevant privacy certifications (CIPP/US, CIPM, CHPC, CHPS, or equivalent) preferred.
• 5–8 years of privacy, compliance, or data governance experience within a HIPAA-regulated organization.

Skills & Abilities:

• In-depth knowledge of the HIPAA Privacy, Security, and Breach Notification Rules, GLBA Safeguards and Privacy Rules, and major U.S. state privacy laws.
• Expertise in privacy-by-design, PIAs, and risk analysis.
• Demonstrated experience in privacy program development, policy design, risk management, and cross-functional advisory work.
• Exceptional communication, leadership, and stakeholder management skills, with the ability to influence at all levels.
• Strong analytical and problem-solving skills; ability to translate regulatory requirements into actionable guidance.
• Excellent writing and communication skills for policies, training, and executive reporting.
• Cross-functional collaboration and leadership experience across Legal, Security, IT, and Product.
• Vendor risk and contract review advisory experience.
• Ability to foster a culture of privacy accountability and continuous improvement.

Other Requirements:

• Infrequent travel
  • Ability to provide personal transportation from time to time.
• Occasionally lifts up to 25 pounds.
• Prolonged periods of sitting at a desk and working on a computer