Clinical Compliance Manager (US Healthcare)
Own US healthcare compliance and AI governance across our marketplace. You'll define the HIPAA boundary, operationalize CPOM sensitivities, drive SOC 2 alignment, manage vendors/BAAs, and run a pragmatic policy & audit program that keeps product velocity high and risk low.
On This Page
Role overview
Compliance ownership
Define and maintain US compliance posture: HIPAA boundary, CPOM sensitivity, SOC 2 alignment, state privacy coverage, records & retention.
AI & data
Establish AI guardrails (no PHI to non-approved endpoints, evals, human-in-the-loop), and data minimization/consent patterns.
Vendor risk
Due diligence, DPAs/BAAs, security questionnaires, scopes & subprocessor tracking, ongoing reviews.
Enablement
Turn policy into checklists, templates, and build-time gates; partner with Product, Eng, Security, and Provider Ops.
| Area | Summary |
|---|---|
| Compliance ownership | Define and maintain US compliance posture: HIPAA boundary, CPOM sensitivity, SOC 2 alignment, state privacy coverage, records & retention. |
| AI & data | Establish AI guardrails (no PHI to non-approved endpoints, evals, human-in-the-loop), and data minimization/consent patterns. |
| Vendor risk | Due diligence, DPAs/BAAs, security questionnaires, scopes & subprocessor tracking, ongoing reviews. |
| Enablement | Turn policy into checklists, templates, and build-time gates; partner with Product, Eng, Security, and Provider Ops. |
Program pillars
Policy lifecycle
Draft → review → train → attest → audit → update
Acceptable Use, Privacy, Data Handling, Incident Response, AI Use Policy
Data handling
Classification, minimization, retention & deletion
Record of Processing, "no-train/no-share" flags, PHI boundary docs
Controls & audits
Map controls to frameworks; test & evidence
Change mgmt, access reviews, backups, vendor reviews, training logs
Incident readiness
Runbooks, tabletop drills, notifications
Breach decision tree, forensics partners, comms templates
| Pillar | Focus | Examples |
|---|---|---|
| Policy lifecycle | Draft → review → train → attest → audit → update | Acceptable Use, Privacy, Data Handling, Incident Response, AI Use Policy |
| Data handling | Classification, minimization, retention & deletion | Record of Processing, "no-train/no-share" flags, PHI boundary docs |
| Controls & audits | Map controls to frameworks; test & evidence | Change mgmt, access reviews, backups, vendor reviews, training logs |
| Incident readiness | Runbooks, tabletop drills, notifications | Breach decision tree, forensics partners, comms templates |
AI governance
Clinical boundary
No medical advice. AI features inform navigation and education only; clinical judgment remains with licensed providers.
Regulatory scope
HIPAA awareness
Define when we're a covered entity/business associate vs. consumer app
Boundary docs; BAAs; marketing vs. operations distinctions
CPOM sensitivity
Corporate practice of medicine awareness by state
Clear clinic–marketplace separations; disclaimers; routing rules
State health privacy
Consumer health privacy requirements (e.g., consent, disclosures)
Granular opt-outs, sensitive data flags, tracking governance
SOC 2 alignment
Trust Services Criteria mapping
Control owners, evidence, auditor liaison
Records & retention
Schedules, legal holds, deletion
System-of-record matrices; periodic purge jobs
| Area | Scope | Notes |
|---|---|---|
| HIPAA awareness | Define when we're a covered entity/business associate vs. consumer app | Boundary docs; BAAs; marketing vs. operations distinctions |
| CPOM sensitivity | Corporate practice of medicine awareness by state | Clear clinic–marketplace separations; disclaimers; routing rules |
| State health privacy | Consumer health privacy requirements (e.g., consent, disclosures) | Granular opt-outs, sensitive data flags, tracking governance |
| SOC 2 alignment | Trust Services Criteria mapping | Control owners, evidence, auditor liaison |
| Records & retention | Schedules, legal holds, deletion | System-of-record matrices; periodic purge jobs |
Processes & artifacts
Vendor & BAA management
- Security & privacy questionnaires; DPIA-style assessments for AI vendors.
- DPAs/BAAs, scopes, subprocessor tracking, renewal calendars.
- Data egress allow-lists; key & region controls verified.
Policy → practice
- Checklists in PRD/RFC templates; compliance gates in CI (evidence links).
- Training & attestations; quarterly access reviews.
- Incident playbooks; post-mortems with corrective actions.
Success metrics
Control health
% key controls tested "pass" on schedule with evidence
Focus on risk-weighted controls, not vanity counts
Vendor posture
% vendors with current reviews/BAAs; issue closure time
Critical vendors reviewed at least annually
Training & attestation
% employees current on privacy/AI/compliance training
New hire within 30 days; annual refresh 100%
Incident readiness
Tabletop & runbook coverage; MTTR for drills/incidents
Notification decisions within SLA; lessons captured
AI guardrail efficacy
Eval pass rate; PHI egress block rate; regression escapes
No medical advice; cost/latency within SLO
| Metric | Definition | Guardrails |
|---|---|---|
| Control health | % key controls tested "pass" on schedule with evidence | Focus on risk-weighted controls, not vanity counts |
| Vendor posture | % vendors with current reviews/BAAs; issue closure time | Critical vendors reviewed at least annually |
| Training & attestation | % employees current on privacy/AI/compliance training | New hire within 30 days; annual refresh 100% |
| Incident readiness | Tabletop & runbook coverage; MTTR for drills/incidents | Notification decisions within SLA; lessons captured |
| AI guardrail efficacy | Eval pass rate; PHI egress block rate; regression escapes | No medical advice; cost/latency within SLO |
Requirements
Must-have
- 5+ years in healthcare compliance, privacy, or risk (US).
- Operational HIPAA awareness, vendor/BAA management, and policy lifecycle ownership.
- Experience partnering with Product/Eng/Security at product velocity.
- Clear writing: policies, training, audit evidence, decision memos.
- US work authorization; ability to support periodic on-site/offsite travel.
Nice-to-have
- SOC 2 / ISO 27001 control mapping and audit liaison experience.
- Exposure to consumer health privacy regimes and CPOM nuances.
- AI governance experience (guardrails, evals, data boundary decisions).
- Clinical background or experience in telehealth/marketplaces.
| Must-have | Nice-to-have |
|---|---|
|
|
Hiring process
Apply
Resume/CV + brief note on a policy/control you operationalized and one AI boundary decision you led.
2–5 business days
Screen
30 min on compliance judgment, vendor/BAA approach, and AI governance perspective.
~1 week
Deep dive
Walkthrough of HIPAA boundary & state privacy trade-offs; sample artifacts (redacted welcome).
~1 week
Practical
Time-boxed exercise or prior work review (policy snippet + vendor risk scenario + AI guardrail outline).
3–7 days
Panel
Cross-functional discussions with Product/Eng/Security/Provider Ops; incident tabletop scenario.
~1 week
Offer
Comp band, benefits, start date. Background check post-offer where lawful.
48–72 hours
| Step | What to expect | Typical time |
|---|---|---|
| Apply | Resume/CV + brief note on a policy/control you operationalized and one AI boundary decision you led. | 2–5 business days |
| Screen | 30 min on compliance judgment, vendor/BAA approach, and AI governance perspective. | ~1 week |
| Deep dive | Walkthrough of HIPAA boundary & state privacy trade-offs; sample artifacts (redacted welcome). | ~1 week |
| Practical | Time-boxed exercise or prior work review (policy snippet + vendor risk scenario + AI guardrail outline). | 3–7 days |
| Panel | Cross-functional discussions with Product/Eng/Security/Provider Ops; incident tabletop scenario. | ~1 week |
| Offer | Comp band, benefits, start date. Background check post-offer where lawful. | 48–72 hours |
Accommodation requests: email care@clinicbooking.com (subject: "Interview Accommodation").
Apply
Email your applicationwith your resume/CV and 1–2 examples of policies or audits you've led (sanitized). If available, include an AI governance note you authored.
Prefer an ATS? Use the application form if available.
Notices
- Equal Opportunity: We welcome applicants of all backgrounds and do not discriminate on any protected basis.
- Right to work: US work authorization required; export-control compliance may apply to some tools/vendors.
- Privacy: Your data is handled per our Applicant/Candidate Privacy Notice and Records Retention Summary.
Owner/Operator: Spyface Tech Company, LLC (d/b/a "ClinicBooking"). Address: 30 N Gould St Ste N, Sheridan, WY 82801, USA · Contact: hello@spyface.com (corporate), care@clinicbooking.com (talent).
Ready to Apply?
Send your resume and a brief note about your healthcare compliance experience to get started.
Apply Now