Senior GRC Analyst, HIPAA

DoorDash

$132K - $195K
US-Anywhere (Remote in United States)
Healthcare
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 6+ years of experience in security compliance, GRC, risk management, or related fields.
  • 3+ years of hands-on experience with HIPAA programs in a technology or regulated environment.
  • Strong knowledge of HIPAA Security Rule requirements and practical application.
  • Understanding of PHI/ePHI flow and data handling in modern systems.
  • Experience with related frameworks like HITRUST, SOC 2, ISO 27001, and NIST 800-53.
  • Proven experience in audits, compliance assessments, and remediation programs.
  • Technical fluency in cloud architecture, IAM, and security monitoring.

Responsibilities

  • Lead HIPAA security compliance workstreams across multiple platforms and systems.
  • Translate legal requirements into practical control requirements.
  • Conduct HIPAA readiness assessments and gap analyses across environments.
  • Maintain control mappings across HIPAA and other relevant security standards.
  • Collaborate with engineering teams for scalable control implementation.
  • Support audits and compliance evidence collection efforts.
  • Monitor changes in regulations and frameworks related to HIPAA.

Benefits

  • 401(k) plan with employer matching.
  • 16 weeks of paid parental leave.
  • Wellness benefits and commuter benefits match.
  • Comprehensive medical, dental, and vision benefits.
  • Paid time off, including flexible vacation and paid sick leave.
  • 11 paid holidays and mental health program support.
  • Disability and basic life insurance.

Full Job Description

We are looking for a Senior GRC Analyst, HIPAA to help mature and operate HIPAA-related security and compliance programs across DoorDash. This role will support multiple ongoing HIPAA workstreams, partner closely with engineering teams, and help ensure regulated data environments are designed, operated, and monitored in a secure, compliant, and scalable way.
About the Role

As a Senior GRC Analyst, HIPAA, you will be a subject matter expert for HIPAA security compliance within DoorDash's GRC function. You will be responsible for turning legal requirements into operational controls, mapping them to DoorDash controls, assessing gaps, driving remediation, and supporting audit-ready evidence across technical and operational environments.

This is a senior individual contributor role for someone who has implemented and managed HIPAA programs in a technology company or similarly complex regulated environment. You will work directly with Engineering, Product, Security Engineering, Legal, IT, and business stakeholders to make HIPAA compliance practical, measurable, and sustainable.
You're excited about this opportunity because you will...
  • Lead and support HIPAA security compliance workstreams across multiple products, platforms, systems, and engineering teams.
  • Turn legal requirements into actionable technical and operational control requirements.
  • Perform HIPAA readiness assessments, gap analyses, risk assessments, and control design/effectiveness reviews across cloud, SaaS, data, and internal tooling environments.
  • Build and maintain control mappings across HIPAA, HITRUST, SOC 2, ISO 27001, NIST 800-53, and DoorDash security standards.
  • Partner with Engineering and Security Engineering to implement scalable controls across IAM, encryption, logging and monitoring, vulnerability management, secure SDLC, incident response, data retention, and access review processes.
  • Maintain HIPAA security program documentation, including policies, standards, procedures, control narratives, evidence requirements, risk registers, exception records, and remediation plans.
  • Support internal and external audits, partner/customer assessments, security questionnaires, and compliance evidence collection.
  • Partner with Legal and Security Operations on incidents involving PHI/ePHI, including compliance impact analysis, documentation, and remediation tracking.
  • Mature GRC tooling, workflows, dashboards, and continuous control monitoring to reduce manual compliance overhead.
  • Provide practical guidance to technical and non-technical stakeholders so HIPAA requirements are understood, adopted, and embedded into day-to-day engineering practices.
  • Monitor regulatory, framework, and industry changes related to HIPAA, HITRUST, healthcare security, and regulated data environments.
We're excited about you because...
  • You have 6+ years of experience in security compliance, GRC, risk management, audit, privacy/security operations, or related information security roles.
  • You have 3+ years of hands-on experience implementing, operating, or materially maturing HIPAA programs in a technology, SaaS, health-tech, or highly regulated environment.
  • You have strong working knowledge of HIPAA Security Rule requirements and practical experience applying HIPAA safeguards to cloud, SaaS, data, and engineering environments.
  • You understand how PHI/ePHI flows through modern systems and can partner with engineering teams on data classification, access controls, encryption, logging, retention, and secure data handling.
  • You have experience with adjacent frameworks and standards such as HITRUST, SOC 2, ISO 27001, NIST 800-53, PCI DSS, GDPR, or CCPA.
  • You have led or supported audits, compliance assessments, control testing, evidence collection, risk assessments, and remediation programs.
  • You can translate complex compliance requirements into clear, actionable tasks for Engineering, Product, Security, IT, Legal, and Privacy stakeholders.
  • You have enough technical fluency to understand cloud architecture, APIs, IAM, CI/CD, infrastructure-as-code, logging, vulnerability management, and security monitoring concepts.
  • You communicate clearly, write high-quality documentation, manage multiple workstreams independently, and drive cross-functional progress without direct authority.
  • You are pragmatic: you know how to reduce real risk while enabling teams to move quickly and responsibly.
Preferred Qualifications
  • Experience working directly with Engineering or Security Engineering teams in a high-growth technology company.
  • Experience building or scaling a HIPAA program rather than only maintaining an existing checklist.
  • Experience with HITRUST certification, SOC 2 audits, ISO 27001 audits, or multi-framework control mapping.
  • Experience with third-party risk management, vendor security reviews, business associate/vendor security expectations, and customer security assessments.
  • Experience supporting privacy, security incident response, or breach assessment workflows involving regulated data.
  • Familiarity with and interest in AI, data platform, healthcare interoperability, payments, or marketplace environments. Preferably you have also built something yourself using AI.

We expect this position to be filled by 8/26/26.

Compensation

The successful candidate's starting pay will fall within the pay range listed below and is determined based on job-related factors including, but not limited to, skills, experience, qualifications, work location, and market conditions. Base salary is localized according to an employee's work location. Ranges are market-dependent and may be modified in the future.

In addition to base salary, the compensation for this role includes opportunities for equity grants. Talk to your recruiter for more information.

DoorDash cares about you and your overall well-being. That's why we offer a comprehensive benefits package to all regular employees, which includes a 401(k) plan with employer matching, 16 weeks of paid parental leave, wellness benefits, commuter benefits match, paid time off and paid sick leave in compliance with applicable laws (e.g. Colorado Healthy Families and Workplaces Act). DoorDash also offers medical, dental, and vision benefits, 11 paid holidays, disability and basic life insurance, family-forming assistance, and a mental health program, among others.

To learn more about our benefits, visit our careers page.

See below for paid time off details:
  • For salaried roles: flexible paid time off/vacation, plus 80 hours of paid sick time per year.
  • For hourly roles: vacation accrued at about 1 hour for every 25.97 hours worked (e.g. about 6.7 hours/month if working 40 hours/week; about 3.4 hours/month if working 20 hours/week), and paid sick time accrued at 1 hour for every 30 hours worked (e.g. about 5.8 hours/month if working 40 hours/week; about 2.9 hours/month if working 20 hours/week).


The national base pay range for this position within the United States, including Illinois and Colorado, is:

$132,600-$195,000 USD
