Description:
How This Role Makes a Difference
We are seeking a pragmatic, business-oriented Counsel, Health Data & Privacy to join our Legal & Compliance team. This role will focus primarily on HIPAA and health data privacy advisory, negotiation of data protection and healthcare-related agreements, and support of global data protection compliance across our clinical research and operational activities.
The ideal candidate brings strong experience with HIPAA and U.S. federal and state privacy laws, meaningful experience with GDPR and other international data protection frameworks, and demonstrated capability negotiating data protection and healthcare-related agreements. This role requires both strategic and tactical involvement in health data governance, privacy compliance, and complex data contracting, as well as close collaboration with clinical, operational, procurement, and technology stakeholders. The successful candidate will be a skilled writer and pragmatic advisor who communicates effectively across the organization, evaluates risk with sound judgment, develops risk-calibrated solutions that enable business objectives, and supports implementation in a fast-paced, evolving healthcare and research environment.
How You'll Make An Impact
- Health Data, AI & Global Privacy Governance
- Privacy Law Expertise: Provide strategic and practical legal advice on global privacy and data protection laws, including GDPR, HIPAA, CCPA/CPRA, and other U.S. state and federal privacy laws. Experience with GDPR and HIPAA mandatory.
- AI & Emerging Technologies: Advise on privacy and data protection implications of AI-enabled tools, machine learning systems, and other emerging technologies involving health and personal data. Conduct and draft legal risk assessments addressing automated processing, training data use, model outputs, human-in-the-loop safeguards, cross-border considerations, and evolving regulatory frameworks.
- Clinical Support: Partner with clinical and operations teams to advise on privacy and data protection matters related to clinical research activities, including cross-border data transfers, site operations, and subject data rights.
- Contracting & Transactions: Draft, review, and negotiate data processing agreements, data transfer agreements, data sections of clinical trial agreements, licensing deals, and other contracts involving company, personal or sensitive data.
- Cross-Functional Partnership: Act as a trusted legal advisor to teams across the company to develop practical, risk-adjusted solutions that support compliance and responsible business growth.
- Commercial & Strategic Transactions Support
- Commercial Contracting: Draft, review, and negotiate a broad range of commercial agreements, including vendor agreements, services agreements, research collaborations, and data-driven partnerships.
- Strategic Transactions & Partnerships: Support structuring of healthcare and data-driven initiatives to align legal risk with business objectives. Partner with operational and procurement stakeholders to facilitate efficient and compliant transactions.
- Business Enablement: Proactively support and advise emerging business lines and new initiatives to drive business growth while mitigating risk.
- Perform other legal tasks and projects assigned by legal leadership.
The Expertise Required
- Strong working knowledge of HIPAA and U.S. health privacy laws, including experience advising on use and disclosure of PHI, research authorizations, and breach analysis.
- Demonstrated experience drafting and negotiating Business Associate Agreements (BAAs), Data Processing Agreements (DPAs), and data protection provisions in commercial agreements.
- Experience drafting or supporting AI and automated decision-making risk assessments, privacy impact assessments, or related governance documentation for internal review or regulatory purposes.
- Working knowledge of GDPR and international data transfer mechanisms, including controller/processor analysis and cross-border data considerations.
- Ability to assess and clearly communicate legal risk in operational and commercial contexts.
- Strong drafting, analytical, and negotiation skills, with attention to detail.
- Business-oriented mindset with the ability to balance compliance obligations and commercial objectives.
- Ability to work collaboratively across clinical, operational, procurement, and technology teams.
- Sound judgment in escalating enterprise-level or reputational risk.
- For this position, you must be currently authorized to work in the United States without the need for sponsorship for a non-immigrant visa.
- Juris Doctor (JD) or equivalent law degree from an accredited institution.
- 3-6+ years of legal experience, including substantive GDPR experience and direct involvement in HIPAA and U.S. privacy law.
Licenses:
- Licensed to practice law in at least one state in the United States and eligible for in-house corporate practice in state of residence.
- CIPP or other similar certifications preferred.
- Location: Remote within the United States. This role requires 100% of work to be performed in a remote office environment.
- Travel: This is a remote position with less than 10% travel requirements. Occasional planned travel may be required as part of the role.
- Physical demands associated with this position include: The ability to use keyboards and other computer equipment.
- The expected salary range for this role is $140,000 - $170,000 USD per year for full time team members.