Job Description: GRC Analyst – HITRUST, SOC 2, and Other Compliance Frameworks
Position: Governance, Risk, and Compliance (GRC) Analyst
Location: Remote/Onsite (Flexible)
Employment Type: Full-Time
Reports To: Chief Information Security Officer (CISO) or Compliance Lead
Role Overview
Blooming Health is seeking a skilled and motivated GRC Analyst to lead the implementation and maintenance of security compliance programs, including HITRUST, SOC 2, NIST, OHIP, and other regulatory frameworks as needed. This individual will serve as the primary liaison between internal IT, Security, and Operations teams, as well as external compliance consultants. They will ensure all required policies and procedures are developed, implemented, and continuously monitored, while managing internal audits and preparing necessary reports for certification and regulatory bodies.
This is a pivotal role in ensuring Blooming Health’s compliance posture supports secure and scalable growth.
Key Responsibilities
Compliance Program Management
• Develop, implement, and manage compliance programs for frameworks such as HITRUST, SOC 2, NIST 800-53, OHIP, and others relevant to Blooming Health.
• Collaborate with external security compliance consultants to guide and accelerate compliance initiatives.
• Design and maintain policies, procedures, and controls that align with regulatory requirements and industry best practices.
Audits and Assessments
• Conduct internal reviews and audits to assess the effectiveness of security controls, operational processes, and compliance policies.
• Prepare and organize documentation and evidence for external audits, readiness assessments, and certification processes.
• Act as the primary point of contact for external assessors and certification authorities.
Policy and Procedure Development
• Lead the creation, implementation, and enforcement of policies related to security, privacy, and operational compliance.
• Ensure all procedures are documented, communicated, and integrated into daily workflows.
Documentation and Reporting
• Maintain a centralized repository of compliance artifacts for ongoing assessments.
• Generate comprehensive reports for internal leadership, certifying authorities, and regulatory bodies to demonstrate compliance status and progress.
Collaboration and Communication
• Work closely with IT, Security, and Operations teams to implement and verify technical and procedural controls.
• Coordinate with external compliance consultants to ensure alignment with certification goals and timelines.
• Partner with business stakeholders to align compliance activities with operational priorities.
Training and Awareness
• Develop and deliver training programs to educate employees on compliance requirements and best practices.
• Foster a culture of security awareness and accountability across the organization.
Risk Management
• Perform risk assessments to identify vulnerabilities, non-compliance risks, and remediation opportunities.
• Maintain a risk register and track the resolution of identified issues.
• Monitor changes in regulatory requirements and update policies and controls accordingly.
Incident and Breach Management
• Develop and maintain an Incident Response Plan aligned with compliance frameworks like HITRUST and SOC 2.
• Act as a key stakeholder in responding to security incidents, breaches, and non-compliance events.
• Coordinate post-incident activities, including root cause analysis, documentation, and reporting to regulatory authorities if required.
• Ensure incidents are logged and tracked to resolution, with lessons learned feeding into process improvements.
• Conduct regular tabletop exercises to test incident response readiness.
Qualifications
Required Skills and Experience
• 3+ years of proven experience in Governance, Risk, and Compliance roles, preferably in healthcare or technology.
• Strong understanding of frameworks such as HITRUST, SOC 2, NIST 800-53, and HIPAA.
• Proven experience conducting internal audits, managing compliance documentation, and preparing for external certifications.
• Familiarity with compliance tools like Vanta, Drata, or Tugboat Logic.
• Knowledge of security controls, including encryption, logging, access management, and vulnerability management.
Technical Skills
• Proficiency with tools such as SIEMs, endpoint protection platforms, and configuration management systems.
• Experience managing policies for cloud-based environments (e.g., AWS, Azure).
• Hands-on experience with security frameworks and automation tools.
Soft Skills
• Excellent communication skills for engaging with technical teams, non-technical stakeholders, and external assessors.
• Strong project management abilities to ensure timely completion of compliance initiatives.
• Detail-oriented with the ability to multitask and prioritize in a dynamic environment.
Preferred Qualifications
• Certifications such as HITRUST Practitioner, CISSP, CISA, CISM, or equivalent.
• Experience implementing compliance programs for multi-framework environments (e.g., SOC 2 + HIPAA + HITRUST).
Why Join Blooming Health?
• Be a key contributor to building a robust compliance program for a mission-driven healthcare startup.
• Work in a collaborative and innovative environment with opportunities for professional growth.
• Competitive salary and benefits package, with flexibility to work remotely or onsite.