Senior Privacy and Regulatory Counsel

Surescripts serves the nation through simpler, trusted health intelligence sharing, in order to increase patient safety, lower costs and ensure quality care. We deliver insights at critical points of care for better decisions - from streamlining prior authorizations to delivering comprehensive medication histories to facilitating messages between providers.

Job Summary:

The Senior Privacy and Regulatory Counsel provides critical corporate, regulatory, and commercial legal services to the organization and its in-house clients to manage privacy, regulatory and data use risks. Such legal services primarily concern the interpretation of laws, rules, regulations, and guidance documents that regulate the collection, use, sharing, and retention/deletion of health-related personally identifiable information (PII) (e.g., HIPAA, the FTC Act, state consumer privacy laws, and data breach reporting and notification laws), data rights, product/service/system counseling based on Privacy by Design, risk assessment and analysis, risk remediation, and drafting and negotiating privacy and data protection provisions of agreements with partners, customers, and vendors, as well as other healthcare regulatory laws.

This role is accountable for privacy and regulatory legal expertise and counseling, and contributes to the strategic design of the privacy program, partnering with and counseling the Chief Legal Officer, Privacy Officer and Chief Information Security Officer, and other key stakeholders including the Product Innovation, Data & Analytics, and Growth departments , enabling the Executive Team to make informed, risk-based decisions regarding legal risk and strategy.

#LI-REMOTE

Responsibilities:

• Provide legal support and advise across a myriad of regulations including HIPAA, Information Blocking Rules, Anti-Lead complex legal services arising from business priorities and data rights associated with the handling of deidentified data, PII/Protected Health Information (PHI).
• Provide legal and strategic advice to the Chief Legal Officer, Privacy Officer and VP, Legal Affairs to ensure compliance and manage risk to PII/PHI.
• Partner with other members of the Legal Affairs team, product managers and developers, Growth team, and other stakeholders to ensure privacy is incorporated in the development of products, services, and systems.
• Create and foster partnerships across the enterprise, managing those relationships as well as providing high quality advice in innovative ways, including through PowerPoint and visual representation.
• Participate in the operation of data privacy, risk, and governance boards or committees, such as developing priorities and initiatives.
• Act in accordance with the Department's service delivery model.
• Serve as senior leader on the Privacy and Regulatory team to develop, implement, and execute strategic vision, including team meetings, brainstorming sessions, trainings, and team building activities.
• Draft, maintain, and update Business Associate Agreement (BAA) and related privacy and data protection templates.
• Draft and negotiate/advise on BAAs and related privacy and data protection agreements and terms in customer/vendor contracts or other legal documentation with customers, suppliers, and other parties.
• Advise other members of the Legal Affairs team in the negotiation of BAAs and related privacy and data protection terms in customer/vendor contracts or other legal documentation with customers, suppliers, and other parties.
• Partner cross-functionally to ensure compliance with privacy and data protection-relevant provisions of contracts, state and federal law and regulations and applicable standards.
• Mentor other privacy or legal professionals.
• Counsel on privacy and security incident preparedness and management.
• Track, analyze, and counsel stakeholders involving privacy and data protection related law, regulation, published standards, etc.
• Prepare comments or responses to requests for information (RFIs) on behalf of the Company regarding proposed rules or regulations related to privacy and data protection.
• Evaluate and advise on compliance with applicable privacy, data protection, and data use laws, rules, regulations, and guidance documents related to Company products/services in conceptual or development phases, as well as on appropriate courses of action for privacy and data protection to meet the Company's and business units' needs, including data rights use and concepts such as HIPAA data aggregation and proper management and administration as a Business Associate.
• Manage complex projects as assigned, including guidance on where HIPAA, Intellectual Property, Anti-Kickback Statute and other regulations factor into the solution.
• Assist with internal and external privacy and data protection-related federal, state, and industry compliance activities.
• Manage legal matters assigned to outside counsel and preside at meetings regarding legal issues.
• Work within the Privacy and Regulatory team to create key performance indicators and drive goals and continuous improvement opportunities established by the Associate General Counsel, supporting the management, growth and effectiveness of the vertical

• Juris Doctor degree from an ABA-accredited law school and good standing member of at least one state bar
• 8+ years of experience as a practicing privacy attorney at a law firm or in-house - additional years of relevant experience in a non-attorney role in the healthcare or technology industry may be considered in satisfying this requirement
• 5+ years of experience working with product strategists, owners, developers, and architects, advising on privacy and data protection issues throughout the development lifecycle
• 5+ years healthcare regulatory background
• 5+ years of subject matter experience in privacy and data protection
• 2+ years of experience assessing, analyzing, and recommending risk management strategies for privacy compliance
• Works with a high degree of autonomy, demonstrating significant subject matter experience and excellent communication skills

• 2+ years of experience with the operation of a governance committee or similar body supporting privacy strategy
• 2+ years of experience with HIPAA regulated entities, interpreting the Privacy and Security Rules
• Familiarity with other areas of emerging technology
• Professional certification in privacy, data governance, data classification, and/or risk assessment
• Familiarity with published privacy and data protection standards, such as NIST, ISO, and/or HITRUST