Privacy Manager

Gravie

Full-time
USA
$90k-$150k per year
infosec
security
documentation
communication
audit

Hi, we’re Gravie. Our mission is to improve the way people purchase and access healthcare through innovative, consumer-centric health benefit solutions that people can actually use. Our industry-changing products and services are developed and delivered by a diverse group of unique people. We encourage you to be your authentic self - we like you that way.

  

A Little More About The Role:

We’re looking for a Privacy Manager to play a critical role in safeguarding sensitive information and ensuring Gravie’s compliance with a complex landscape of privacy laws and regulations. This individual will be responsible for developing, implementing, and monitoring privacy policies and procedures, managing privacy incidents, and collaborating cross-functionally to embed privacy-by-design principles across the organization. This role requires a strong understanding of the Health Insurance Portability and Accountability Act (HIPAA) and broader healthcare privacy practices, particularly within the payer/plan/carrier environment.

 

You will:

●       Assist in the development, implementation, and maintenance of comprehensive privacy policies, procedures, and training programs in alignment with applicable laws and industry best practices.

●       Conduct regular privacy risk assessments and impact analyses to identify and mitigate potential privacy vulnerabilities.

●       Monitor changes in privacy laws and regulations, assessing their impact on company operations and recommending necessary adjustments to policies and practices.

●       Lead or assist in the investigation and resolution of privacy incidents, including potential breaches of Protected Health Information (PHI) and other sensitive data.

●       Manage the incident response lifecycle from detection and containment to eradication, recovery, and post-incident analysis.

●       Maintain accurate records of all privacy incidents, investigations, and remediation efforts.

●       Ensure timely and compliant breach notification processes as required by HIPAA and state laws.

●       Collaborate closely with the Information Security team on data protection initiatives, ensuring privacy requirements are integrated into security controls and data governance frameworks.

●       Advise on privacy-by-design principles for new products, systems, and processes.

●       Participate in vendor due diligence processes, particularly regarding Business Associate Agreements (BAAs) and data handling practices.

●       Prepare for and support internal and external privacy audits, including HIPAA compliance assessments.

●       Assist in the preparation and maintenance of documentation for SOC 2 (Service Organization Control 2) audits related to privacy criteria.

●       Contribute to regulatory reporting requirements related to privacy.

●       Serve as a subject matter expert on privacy matters, providing guidance and support to internal departments (e.g., Legal, IT, HR, Product, Operations, Sales).

●       Review and approve language related to privacy in member communications, contracts, and marketing materials.

●       Manage privacy-related inquiries and requests from members, clients, and regulatory bodies.

 

You bring:

●       Bachelor's degree in a relevant field (e.g., Healthcare Administration, Information Systems, Legal Studies, Business).

●      3-5 years of progressive experience in privacy compliance within the healthcare industry, with a strong preference for experience on the payer, health plan, or carrier side.

●      Demonstrated in-depth knowledge of HIPAA (Privacy, Security, and Breach Notification Rules) is required.

●      Understanding of other privacy frameworks and regulations strongly preferred, including:

o   Gramm-Leach-Bliley Act (GLBA)

o   General Data Protection Regulation (GDPR)

o   Various state-specific privacy laws (e.g., CCPA, CPRA, VCDPA, CPA).

●      Proven experience in privacy incident response and tracking.

●      Familiarity with information security principles and practices, and experience collaborating with InfoSec teams.

●      Experience with audit readiness and/or SOC 2 preparation is a plus.

●      Strong analytical, problem-solving, and critical thinking skills.

●      Excellent written and verbal communication skills, with the ability to translate complex legal and technical concepts into clear, actionable guidance.

●      High level of integrity, discretion, and ethical conduct.

 

Extra credit:

●      Certified Information Privacy Professional (CIPP/US, CIPP/E)

●      Certified Information Privacy Manager (CIPM)

●      Certified in Healthcare Privacy and Security (CHPS)

 

Gravie: 

In order to transform health insurance and build a health plan everyone can love, we need talented people doing amazing work. In exchange, we offer a great overall employee experience with opportunities for career growth, meaningful mission-driven work, and an above-average total rewards package.

 

The salary range for this position is $90,000 - $150,000 annually. Numerous factors including, but not limited to, education, skills, work experience, certifications, etc. will be considered when determining compensation.

 

Our unique benefits program is the gravy, i.e., the special sauce that sets our compensation package apart. In addition to standard health and wellness benefits, Gravie’s package includes alternative medicine coverage, flexible PTO, up to 16 weeks paid parental leave, paid holidays, a 401k program, cell phone reimbursement, transportation perks, education reimbursement, and 1 week of paid paw-ternity leave. 

 

A Little More About Us:

●       We know healthcare. Our company was founded and is still led by industry veterans who have started and grown several market-leading companies in the space.

●       We have raised money from top-tier investors who share the same long-term vision as we do of building an industry-defining company that will endure over the long run. We are well capitalized.

●       Our customers like us. Our revenue churn is in the low single digits, in an industry where greater than 20% churn is common.

●       Our culture is unique. We tend to be non-hierarchical, merit-driven, opinionated but kind people who thrive working in a high-performance, fast-paced environment. People at Gravie care deeply about making a positive impact in the lives of the people we serve. We may not be the right place for everybody, but if you get energized by doing work every day that focuses on putting consumers at the front of the line, we could be a great place for you. It takes unique people and diverse perspectives to deliver our results. We encourage you to be your authentic self – we like you that way.

 

9 Applicants
Posted 2 weeks ago
Working Nomads curates remote digital jobs from around the web.

© 2025 Working Nomads.