Headway
healthtech
Senior Governance, Risk, Compliance (GRC) Analyst
“Senior Governance, Risk, Compliance (GRC) Analyst at Headway. Skills: HITRUST, SOC 2, PCI-DSS, HIPAA, GRC platform usage, Risk management, Compliance program development. Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness. Collect evidence for audits”
Industry & Context.
Identifying, assessing, and tracking technical security risks through mitigation
What They're Looking For.
Must Have
- 5+ years of experience in a GRC, compliance, or security risk role
- Working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA
- Used a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls
- Communicate compliance requirements clearly to both technical and non-technical audiences
- Default to building repeatable processes over one-off heroics
- Excited about using AI and modern tooling to scale compliance operations
Nice to Have
Worked in healthcare or healthtech and understand what HIPAA means in practice, not just in theory
What You'll Do.
- Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness
- Collect evidence for audits
- Coordinate with assessors
- Track control gaps and remediation timelines
- Build and manage the vendor security assessment lifecycle
- Manage questionnaires and policy enforcement
- Stand up and run Headway's security awareness training program
- Manage onboarding modules, annual compliance training, and completion tracking
- Operate the centralized risk register and track technical security risks through mitigation
- Surface risk-informed priorities to engineering and security leadership
- Partner cross-functionally with Privacy and Engineering to embed compliance
How You'll Work.
Team & Collaboration
Partner with Privacy, Legal, IT, and Engineering teams; Surface risk-informed priorities to engineering and security leadership
Communication Scope
Communicate compliance requirements clearly to both technical and non-technical audiences
Process & Methodology
Tracking control gaps and remediation timelines, Managing vendor security assessment lifecycle, Managing training programs, Tracking technical security risks
Full Job Description
1 in 4 people in the US have a treatable mental health condition, but most providers don't accept insurance, making therapy too expensive for most people. Headway's mission is to fix this by building a new mental healthcare system everyone can access. We started by solving the biggest barrier to care: insurance. The admin work - credentialing, claims, payment reconciliation - is a nightmare. We've automated that. But we're going further. Over 75,000 providers across all 50 states run their practice on our software, serving over 1 million patients. We are building the best tools for therapists to run their entire practice, reimagining the experience of finding a therapist, and investing in the platform foundations to enable this at scale. We aren't just a billing layer; we are becoming the platform where care actually happens. We're a Series D company with $325M+ in funding (a16z, Accel, Spark Capital, etc.), looking for exceptional people to help us achieve this mission. We want your time here to be the most meaningful experience of your career. Join us, and help change mental healthcare for the better.

About the Role

Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program! You'll join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You won't be maintaining a stale compliance program — you'll be building a modern, AI-enabled one at a company that's transforming how mental healthcare is delivered in the United States. This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams.

What You'll Own

Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating wit
How to Apply on Greenhouse
- Create a Greenhouse profile before applying — it saves time across multiple applications.
- Upload your resume as a PDF; the parser handles it better than Word.
- Answer all knockout questions carefully — wrong answers auto-reject before a human sees you.
- Enable email notifications to track application status in real time.