Own and lead Medicom’s information security and compliance programs, ensuring adherence to HIPAA, HITRUST, SOC 2, GDPR, and evolving regulatory standards.
Define, document, and continuously improve the company’s security control framework and risk management processes.
Serve as leadership sponsor for SOC 2 audits and other certification efforts, coordinating with third-party auditors and internal stakeholders.
Prepare the organization for advanced frameworks and certifications, including FedRAMP readiness.
Serve as chair of the Confidentiality & Security Team (CST), including meeting leadership and agenda setting.
Review and assess customer MSAs, BAAs, and ISAs to ensure alignment with Medicom’s security controls and compliance posture.
Partner with Sales and Legal during enterprise negotiations to balance commercial objectives with risk mitigation.
Ensure ongoing compliance with contractual obligations, federal and state regulations, and customer procurement policies.
Coordinate with external counsel as appropriate regarding legal contracts and compliance matters.
Partner closely with Engineering to embed security and compliance requirements into product design and architecture.
Act as a trusted advisor across the organization on security, compliance, and risk-related matters.
Requirements
8–12+ years of experience in information security, governance, compliance, and legal within healthcare, health tech, or SaaS environments.