Overview of the Role: Reporting to the Chief Information Security Officer (CISO), the Third-Party Enterprise Risk Manager is responsible for managing and growing a comprehensive third-party risk management program across the organization. This role is responsible for ensuring that Privia Health's information assets are safeguarded against cyber threats originating from third and fourth parties. The position involves leading the Third Party Access Committee (TPAC), driving compliance with federal and state regulations (such as HIPAA, SOX, HITRUST and state privacy laws), and implementing industry best practices for vendor risk management. The manager will collaborate cross-functionally to identify, evaluate and mitigate risks associated with all third-party engagements, contributing to the organization's strategic objectives and security posture.
Essential Job Duties:
Maintain and grow the Third-Party Risk Management (TPRM) Framework: Design, implement and continuously improve the organization's TPRM framework, policies and procedures, including the management and governance of:
Third Party Access Committee (TPAC): oversee the review and approval process for all third parties.
Third-party review process: ensure that qualifying vendors submit required documentation in a timely manner and that our evaluation process complies with industry standards and Privia's administrative, technical and cybersecurity controls.
Approval / Revocation List: maintain the list for internal and external stakeholders and issue appropriate communications when vendors change status.
Be the TPRM team liaison to the AI Governance Committee and work with the Privacy Officer, the Chief Technology Officer and other key members of the organization to ensure that AI is incorporated into our Third-Party Risk Management processes and is aligned to organizational objectives.
Work with organizational stakeholders to ensure that the TPRM program is comprehensive and inclusive of all types of third parties, that stakeholders understand how to engage with TPAC, and that appropriate mechanisms exist for ongoing training and awareness and for meeting changing business needs and demands. Establish alignment between TPAC, vendors and national operating teams.
Evaluate third-party access requests in collaboration with the committee to ensure compliance with Privia policies, federal and state laws, and industry best practices. Ensure that third parties have the appropriate cybersecurity controls and liability insurance so that they do not present undue risk.
Track and maintain records of all TPAC submissions, approvals and denials, and publish a list of approved solutions on PriviaConnect.
Coordinate periodic reviews of approved third parties at least every two years, or for the term of the contract if shorter, and manage corrective action plans when necessary.
Collaborate with the Privacy & Data Analyst to review reports of API activity in the EMR and present findings to TPAC.
Work with the Cybersecurity Analyst and other IT Security teams to ensure that a comprehensive third-party inventory and robust security controls are in place and aligned with industry standards.
Oversee the implementation and maintenance of Third-Party Risk Management (TPRM) software solutions to streamline assessment, monitoring and reporting processes. Maintain existing systems and processes.
Work with senior and executive leadership on new business models, including potential vendor partner models that may involve developing a preferred vendor program or savings guides.
Develop and maintain an inventory of all third parties, including all data exchanges, and validate its completeness and accuracy annually by comparing it against the systems actively connected to the EMR.
Manage cybersecurity risks associated with third-party vendors and service providers, including implementing security requirements in vendor contracts.
Perform other duties as assigned.
Qualifications:
Education: Bachelor's degree in Information Technology, Cybersecurity, Risk Management or a related field, or equivalent work experience, preferred.
Years of experience: 5 years of progressive experience in third-party risk management, information security or a related field, with at least 2 years in a lead role.
Experience with / technology being used:
Demonstrated experience managing Third-Party Risk Management (TPRM) software.
Strong knowledge of security frameworks (e.g., NIST, HITRUST) and regulatory compliance requirements (e.g., SOX, HIPAA).
Experience in conducting risk assessments and developing mitigation strategies.
Experience managing vendors and third-party relationships.
Familiarity with EHR/EMR systems (e.g., athenaOne) is a plus.
Experience with data inventory and auditing processes.
Proficiency in analytical tools (e.g., Excel, Google Sheets) for data analysis and reporting.
Experience with or Form Assembly is a plus.
Excellent written and oral communication skills with the ability to articulate complex concepts to various stakeholders.
Strong project management skills and a collaborative mindset.
Ability to work independently and with a team in a fast-paced environment managing multiple competing priorities.
Must comply with HIPAA rules and regulations and other state and federal rules, regulations and statutes.
The salary range for this role is $125,000.00-$155,000.00 in base pay, exclusive of any bonuses or benefits (medical, dental, vision, life and pet insurance, 401(k), paid time off and other wellness programs). This role is also eligible for an annual bonus targeted at 15% and restricted stock units. The base pay offered will be determined based on relevant factors such as experience, education and geographic location.
Additional Information:
All your information will be kept confidential according to EEO guidelines.
Technical Requirements (for remote workers only; not applicable for onsite/in-office work):
In order to successfully work remotely supporting our patients and providers, we require a minimum of 5 Mbps download speed and 3 Mbps upload speed. This should be acquired prior to the start of your employment. The best measure of your internet speed is an online speed test; this tells you how fast data transfers over your internet connection and whether it meets the minimum speed requirements. Work with your internet provider if you have questions about your connection. Employees who regularly work from home offices are eligible for expense reimbursement to offset this cost.
Privia Health is committed to creating and fostering a work environment that allows and encourages you to bring your whole self to work. We understand that healthcare is local, and we are better when our people are a reflection of the communities that we serve. Our goal is to encourage people to pursue all opportunities regardless of their age, color, national origin, physical or mental (dis)ability, race, religion, gender, sex, gender identity and/or expression, marital status, veteran status, or any other characteristic protected by federal, state or local law.
Remote Work:
Yes
Employment Type:
Full-time
Privia Health is a national physician platform transforming the healthcare delivery experience. We provide tailored solutions for physicians and providers, creating value and securing their future. Through high-performance physician groups, accountable care organizations, and popul ...