Senior GRC Analyst, HIPAA

About the role

At DoorDash, Security is critical to earning and maintaining trust across our global marketplace. The Governance, Risk, and Compliance team partners across Security, Engineering, Product, Legal, Privacy, IT, and business teams to translate regulatory, customer, and contractual obligations into scalable controls and practical security outcomes. We are looking for a Senior GRC Analyst, HIPAA to help mature and operate HIPAA-related security and compliance programs across DoorDash. This role will support multiple ongoing HIPAA workstreams, partner closely with engineering teams, and help ensure regulated data environments are designed, operated, and monitored in a secure, compliant, and scalable way. As a Senior GRC Analyst, HIPAA, you will be a subject matter expert for HIPAA security compliance within DoorDash's GRC function. You will be responsible for turning legal requirements into operational controls, map them to DoorDash controls, assess gaps, drive remediation, and support audit-ready evidence across technical and operational environments. This is a senior individual contributor role for someone who has implemented and managed HIPAA programs in a technology company or similarly complex regulated environment. You will work directly with Engineering, Product, Security Engineering, Legal, IT, and business stakeholders to make HIPAA compliance practical, measurable, and sustainable. You're excited about this opportunity because you will... Lead and support HIPAA security compliance workstreams across multiple products, platforms, systems, and engineering teams. Turn legal requirements into actionable technical and operational control requirements. Perform HIPAA readiness assessments, gap analyses, risk assessments, and control design/effectiveness reviews across cloud, SaaS, data, and internal tooling environments. Build and maintain control mappings across HIPAA, HITRUST, SOC 2, ISO 27001, NIST 800-53, and DoorDash security standards. Partner with Engineering and Security Engineering to implement scalable controls across IAM, encryption, logging and monitoring, vulnerability management, secure SDLC, incident response, data retention, and access review processes. Maintain HIPAA security program documentation, including policies, standards, procedures, control narratives, evidence requirements, risk registers, exception records, and remediation plans. Support internal and external audits, partner/customer assessments, security questionnaires, and compliance evidence collection. Partner with Legal, and Security Operations on incidents involving PHI/ePHI, including compliance impact analysis, documentation, and remediation tracking. Mature GRC tooling, workflows, dashboards, and continuous control monitoring to reduce manual compliance overhead. Provide practical guidance to technical and non-technical stakeholders so HIPAA requirements are understood, adopted, and embedded into day-to-day engineering practices. Monitor regulatory, framework, and industry changes related to HIPAA, HITRUST, healthcare security, and regulated data environments. We're excited about you because... You have 6+ years of experience in security compliance, GRC, risk management, audit, privacy/security operations, or related information security roles. You have 3+ years of hands-on experience implementing, operating, or materially maturing HIPAA programs in a technology, SaaS, health-tech, or highly regulated environment. You have strong working knowledge of HIPAA Security Rule requirements and practical experience applying HIPAA safeguards to cloud, SaaS, data, and engineering environments. You understand how PHI/ePHI flows through modern systems and can partner with engineering teams on data classification, access controls, encryption, logging, retention, and secure data handling. You have experience with adjacent frameworks and standards such as HITRUST, SOC 2, ISO 27001, NIST 800-53, PCI DSS, GDPR or CCPA. You have led or supported audits, compliance assessments, control testing, evidence collection, risk assessments, and remediation programs. You can translate complex compliance requirements into clear, actionable tasks for Engineering, Product, Security, IT, Legal, and Privacy stakeholders. You have enough technical fluency to understand cloud architecture, APIs, IAM, CI/CD, infrastructure-as-code, logging, vulnerability management, and security monitoring concepts. You communicate clearly, write high-quality documentation, manage multiple workstreams independently, and drive cross-functional progress without direct authority. You are pragmatic: you know how to reduce real risk while enabling teams to move quickly and responsibly.

Requirements

• Experience working directly with Engineering or Security Engineering teams in a high-growth technology company.
• Experience building or scaling a HIPAA program rather than only maintaining an existing checklist.
• Expe

Benefits

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at DoorDash? Share your experience