IT Security Risk & Contract Analyst

Remote, United States


Datavant

Join Datavant’s network of networks, including 500+ real-world data partners, more than 70,000 hospitals and clinics, and 70% of the top 100 largest health systems.


Datavant is a rapidly growing healthcare technology company with a mission to connect the world’s health data. By eliminating data silos in the healthcare industry, we aim to unlock opportunities to accelerate medical research, and help organizations design better ways to facilitate access, affordability, and quality of care leading to better patient outcomes. 

By joining Datavant today, you're stepping onto a highly collaborative, fully remote team that is passionate about creating transformative change in healthcare. We look for people who are smart, nice, and get things done. We invest in our people and believe in hiring high-potential, humble individuals who can rapidly grow their responsibilities as the company scales. Datavant is a distributed, remote-first team (no office locations), and we empower Datavanters to shape their working environment in a way that suits their needs.

As the IT Security Risk and Contract Analyst, you will be responsible for reviewing all vendor and client contracts as requested by the business, procurement, and legal teams to evaluate and negotiate IT security and compliance requirements within master service agreements (MSA), information security agreements (ISA), data processing/security agreements (DPA/DSA), etc. This is an opportunity to contribute directly to the organization's best-in-class security, compliance, and customer service. The role is additionally responsible for other governance-oriented duties such as internal and third-party risk assessments, as well as reviewing and updating policies and procedures.

You Will: 

  • Evaluate, edit and negotiate the contract documentation with clients and vendors. 
  • Engage with Business and Legal teams to assess compliance and technical/business risks with contractual terms. 
  • Periodically negotiate the technical and regulatory components of client and/or vendor contracts.
  • Regularly review and update Company contractual requirements for vendors. 
  • Collaborate with internal business partners, along with client and vendor contacts to ensure that audits and/or questionnaires are completed accordingly. 
  • Track all remediation issues for Clients, and coordinate with Compliance for reporting of any open issues in the enterprise risk register. 
  • Serve as the first-pass reviewer of client contracts for all areas related to Security and Compliance.
  • Provide Management with feedback on any areas of non-compliance with client obligations, regulatory requirements, or areas of increasing security or compliance focus by clients through assessments or contracts. 
  • Work with Vendor Oversight team to continually maintain and update vendor populations and vendor oversight plan. 
  • Assist as needed in conducting regular assessments of vendors to ensure compliance with all regulatory requirements and to reduce or mitigate risk.
  • Assist as needed to complete client requested security and compliance assessments. 
  • Provide monthly metrics to management as requested. 

What You Will Bring to the Table:  

  • 3+ years of IT Security experience which must include reviewing and editing security addendums in contracts. 
  • Solid understanding of and experience with control frameworks and industry standards such as HITRUST, NIST, Sarbanes-Oxley, PCI DSS, FedRAMP, etc.
  • Understanding of HIPAA, HITECH, the CMS First-Tier, Downstream, and Related entity (FDR) requirements, and other regulations such as GDPR, CCPA, and state-specific privacy laws.
  • Outstanding presentation (oral and written) and negotiation skills, including clearly presenting technical information to non-technical audiences.
  • Exceptional ability to adapt and prioritize duties within a high-velocity, customer-centric company culture that values high-quality decisions.
  • High degree of initiative and ability to work independently with little supervision. 
  • Additional preferred experience:  IT audit, IT Security, Internal Audit, HITRUST, Sarbanes Oxley, CISA, CIA. 
  • Strong document analysis skills related to policies, standards, procedures, control frameworks and regulations. 
  • Ability to travel up to 30%. 

Bonus Points if: 

  • Paralegal certificate with IT Security experience or other related certifications such as CISA, CIA, CISSP, CISM.   

  • Experience in healthcare related to compliance, third-party risk management, and/or internal audit.

We are committed to building a diverse team of Datavanters who are smart, nice, and get things done, where every Datavanter is empowered to bring their authentic self to their work. We are all responsible for stewarding a high-performance culture in which all Datavanters belong and thrive. We are proud to be an equal opportunity employer and welcome applications from people of all backgrounds and experiences.

Our compensation philosophy is to be externally competitive, internally fair, and not win or lose on compensation. Salary ranges are developed with the support of benchmarks (competitive San Francisco rates for US-based roles) and industry best practices.  

We’re building a high-growth, high-autonomy culture. We rely less on job titles and more on cultivating an environment where anyone can contribute, the best ideas win, and personal growth is driven by expanding impact and less by title. This means we default to simple job titles (e.g., Software Engineer) rather than complex ones (e.g., Senior Software Engineer). The range posted is for a given job title, which can include multiple levels. Individual rates for the same job title may differ based on their level, responsibilities, skills, and experience for a specific job. The estimated salary range for this role is $77,000 – $88,000. 

 Even though this is a remote role, you may need to travel onsite. To ensure the safety of patients and staff, many of our clients require post-offer health screenings and proof and/or completion of various vaccinations such as the flu shot, Tdap, COVID-19, etc. Any requests to be exempted from these requirements will be reviewed by Datavant Human Resources and determined on a case-by-case basis. Depending on the state in which you will be working, exemptions may be available on the basis of disability, medical contraindications to the vaccine or any of its components, pregnancy or pregnancy-related medical conditions, and/or religion. 

 At the end of this application, you will find a set of voluntary demographic questions. If you choose to respond, your responses will be used to help us identify areas of improvement in our recruitment process. We can only see aggregate responses and are unable to view individual responses. In fact, we aren’t even able to see if you’ve responded or not! Responding is your choice and it will not be used in any way in our hiring process. 
