At Collective Health, we’re transforming how employers and their people engage with their health benefits by seamlessly integrating cutting-edge technology, compassionate service, and world-class user experience design.
Role Overview:
With a mission to fundamentally transform U.S. healthcare, Collective Health is the ideal workplace for a self-starting, team-oriented attorney who wants to make a major impact and assume meaningful responsibilities at a fast-growing health-tech company. We seek a business-minded attorney to become our Senior Data Security & AI Counsel, proactively working on data security and AI needs. This role will provide high quality, pragmatic legal counsel on a broad range of cybersecurity, data protection and AI matters as well as operational guidance to the product and engineering teams on product development and launch. The job will also involve drafting and negotiating commercial terms to help ensure compliance and risk management in a rapidly evolving environment. This position is vital in driving business innovation within a complex technical and regulatory context.
What you'll do:
- Regulatory Advisor:
- Stay apprised of changing state and federal laws and direct the business on practical implementation of privacy, security, and AI requirements for business operations, vendor engagements, and product development.
- Proactively translate state and federal privacy, security, and AI laws into actionable strategies, product requirements and contract terms for business and product teams and assist in development of training and awareness programs.
- Advise regulatory attorneys on privacy, security, and AI implications of healthcare related laws, such as ERISA and the ACA, as they relate to third party administrator functions, claims data, and required communications.
- Commercial Contracting Support:
- Draft and negotiate privacy, security and AI terms and agreements, i.e., Business Associate Agreements and Data Security Agreements, and work with commercial attorneys to align terms with product capabilities and company processes while effectively managing privacy, AI, and security risks.
- Empower business and sales teams by providing expert guidance on privacy, security, and AI questions in Requests for Proposals and customer questionnaires.
- Provide strategic legal review, guidance and contract terms for data use, ownership, indemnification, and limitations of liability aligned with state and federal privacy, AI, and security laws and best practice to support the development and evolution of products.
- Product, Engineering and AI Support:
- Remain current on evolving AI laws to educate and provide support to the business to ensure ongoing compliance with privacy, security, and AI-specific regulations, frameworks, policies, and guidance.
- Proactively identify and mitigate security and AI risks associated with new product features and commercial initiatives, ensuring 'security by design' and 'privacy by design' principles are embedded from conception, and engage with product and engineering teams on new development initiatives, providing clear, practical legal guidance.
- Direct teams in the legal classification of AI systems, assessment of risks, and AI governance frameworks, including development of policies and procedures for ethical AI development, deployment, use, and risk mitigation, ensuring responsible innovation and addressing potential biases and fairness in product offerings.
- Guide cross-functional stakeholders on AI principles such as governance, transparency, accountability, and human oversight.
- Work cross-functionally on a privacy and data governance program (covering data classification, retention, quality, access and disposal) ensuring compliance and enabling data-driven product innovation.
- Privacy & Data Security Support:
- Act as a legal partner to the Privacy Officer and the Chief Information Security Officer to proactively advise on federal and state privacy and data security obligations, applicable external certifications and benchmarking frameworks (e.g., HITRUST, NIST, NYDFS, SOC2), including participating in tabletop exercises.
- Assist with drafting, updating, and operationalizing cybersecurity and data protection policies, procedures, standards, and guidelines, and support third party risk management, due diligence and contracting.
- Advise and support, as requested by the Privacy Officer and/or Chief Information Security Officer, escalated privacy and/or cyber incidents, lawsuits, regulatory inquiries, or government escalations including communications and outreach to customer, vendor and partner counsel.
To be successful in this role, you'll need:
- J.D. with U.S. state bar admissions in good standing in the jurisdiction in which you practice
- 8+ years in-house experience supporting privacy, cybersecurity, data protection, and/or related regulatory matters, ideally in a healthcare technology setting.
- Knowledge of healthcare privacy, security and AI legal and regulatory frameworks and industry best practices, certifications, and reviews, and the ability to apply that knowledge and experience in a fast-paced environment
- Ability to interpret new and existing privacy, security and AI requirements and provide practical, actionable guidance to operationalize processes to support regulatory compliance
- Enthusiasm for and skill at building relationships, sharing necessary information, and collaborating effectively with a broad range of stakeholders within the company, the legal and compliance teams, and the health tech industry
- Experience identifying and mitigating new risks in heavily regulated or emerging technology areas as a legal advisor to product, security, and/or engineering teams
- Understanding and experience advising throughout the entire product development lifecycle, including contracting, and regulatory compliance.
- Detail-oriented, with the ability to balance strategic thinking and practical, hands-on execution.
- Outstanding judgment, business acumen, practicality, collaboration, responsiveness, and integrity
- Excellent communication and presentation skills, with the ability to represent the company effectively in internal communications at all levels and with external stakeholders.
- Passion for Collective Health’s mission and for working in a young, growing company where systems and processes will require hands-on engagement and creativity.
Bonus Qualifications:
- Relevant experience at a rapidly growing technology or healthcare company
- Up-to-date privacy, security, and/or healthcare certifications preferred (e.g., CIPP/US, AIGP, CIPT, CISSP, HCISPP, Security+, CCSP)
Pay Transparency Statement
This is a hybrid position based out of our Lehi office, with the expectation of being in office at least two weekdays per week.
The actual pay rate offered within the range will depend on factors including geographic location, qualifications, experience, and internal equity. In addition to the salary, you will be eligible for 200,000 stock options and benefits like health insurance, 401k, and paid time off. Learn more about our benefits at https://jobs.collectivehealth.com/benefits/.
Why Join Us?
- Mission-driven culture that values innovation, collaboration, and a commitment to excellence in healthcare
- Impactful projects that shape the future of our organization
- Opportunities for professional development through internal mobility opportunities, mentorship programs, and courses tailored to your interests
- Flexible work arrangements and a supportive work-life balance
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. Collective Health is committed to providing support to candidates who require reasonable accommodation during the interview process. If you need assistance, please contact recruiting-accommodations@collectivehealth.com.
Privacy Notice
For more information about why we need your data and how we use it, please see our privacy policy: https://collectivehealth.com/privacy-policy/.