Senior GRC Analyst, HIPAA

About the Team

At DoorDash, Security is critical to earning and maintaining trust across our global marketplace. The Governance, Risk, and Compliance team partners across Security, Engineering, Product, Legal, Privacy, IT, and business teams to translate regulatory, customer, and contractual obligations into scalable controls and practical security outcomes.

We are looking for a Senior GRC Analyst, HIPAA to help mature and operate HIPAA-related security and compliance programs across DoorDash. This role will support multiple ongoing HIPAA workstreams, partner closely with engineering teams, and help ensure regulated data environments are designed, operated, and monitored in a secure, compliant, and scalable way.

About the Role

As a Senior GRC Analyst, HIPAA, you will be a subject matter expert for HIPAA security compliance within DoorDash’s GRC function. You will be responsible for turning legal requirements into operational controls, map them to DoorDash controls, assess gaps, drive remediation, and support audit-ready evidence across technical and operational environments.

This is a senior individual contributor role for someone who has implemented and managed HIPAA programs in a technology company or similarly complex regulated environment. You will work directly with Engineering, Product, Security Engineering, Legal, IT, and business stakeholders to make HIPAA compliance practical, measurable, and sustainable.

You’re excited about this opportunity because you will…

• Lead and support HIPAA security compliance workstreams across multiple products, platforms, systems, and engineering teams.
• Turn legal requirements  into actionable technical and operational control requirements.
• Perform HIPAA readiness assessments, gap analyses, risk assessments, and control design/effectiveness reviews across cloud, SaaS, data, and internal tooling environments.
• Build and maintain control mappings across HIPAA, HITRUST, SOC 2, ISO 27001, NIST 800-53, and DoorDash security standards.
• Partner with Engineering and Security Engineering to implement scalable controls across IAM, encryption, logging and monitoring, vulnerability management, secure SDLC, incident response, data retention, and access review processes.
• Maintain HIPAA security program documentation, including policies, standards, procedures, control narratives, evidence requirements, risk registers, exception records, and remediation plans.
• Support internal and external audits, partner/customer assessments, security questionnaires, and compliance evidence collection.
• Partner with Legal, and Security Operations on incidents involving PHI/ePHI, including compliance impact analysis, documentation, and remediation tracking.
• Mature GRC tooling, workflows, dashboards, and continuous control monitoring to reduce manual compliance overhead.
• Provide practical guidance to technical and non-technical stakeholders so HIPAA requirements are understood, adopted, and embedded into day-to-day engineering practices.
• Monitor regulatory, framework, and industry changes related to HIPAA, HITRUST, healthcare security, and regulated data environments.

We’re excited about you because…

• You have 6+ years of experience in security compliance, GRC, risk management, audit, privacy/security operations, or related information security roles.
• You have 3+ years of hands-on experience implementing, operating, or materially maturing HIPAA programs in a technology, SaaS, health-tech, or highly regulated environment.
• You have strong working knowledge of HIPAA Security Rule requirements and practical experience applying HIPAA safeguards to cloud, SaaS, data, and engineering environments.
• You understand how PHI/ePHI flows through modern systems and can partner with engineering teams on data classification, access controls, encryption, logging, retention, and secure data handling.
• You have experience with adjacent frameworks and standards such as HITRUST, SOC 2, ISO 27001, NIST 800-53, PCI DSS, GDPR or CCPA.
• You have led or supported audits, compliance assessments, control testing, evidence collection, risk assessments, and remediation programs.
• You can translate complex compliance requirements into clear, actionable tasks for Engineering, Product, Security, IT, Legal, and Privacy stakeholders.
• You have enough technical fluency to understand cloud architecture, APIs, IAM, CI/CD, infrastructure-as-code, logging, vulnerability management, and security monitoring concepts.
• You communicate clearly, write high-quality documentation, manage multiple workstreams independently, and drive cross-functional progress without direct authority.
• You are pragmatic: you know how to reduce real risk while enabling teams to move quickly and responsibly.

Preferred Qualifications

• Experience working directly with Engineering or Security Engineering teams in a high-growth technology company.
• Experience building or scaling a HIPAA program rather than only maintaining an existing checklist.
• Experience with HITRUST certification, SOC 2 audits, ISO 27001 audits, or multi-framework control mapping.
• Experience with third-party risk management, vendor security reviews, business associate/vendor security expectations, and customer security assessments.
• Experience supporting privacy, security incident response, or breach assessment workflows involving regulated data.
• Familiarity and interest towards AI, data platform, healthcare interoperability, payments, or marketplace environments. Preferably you have also built something yourself using AI. 

We expect this position to be filled by 8/26/26.

About DoorDash

At DoorDash, our mission to empower local economies shapes how our team members move quickly, learn, and reiterate in order to make impactful decisions that display empathy for our range of users—from Dashers to merchant partners to consumers. We are a technology and logistics company that started by enabling door-to-door delivery, and we are looking for team members who can help us go from a company that is known as the place you order food to a company that people turn to for any and all goods.

DoorDash is growing rapidly and changing constantly, which gives our team members the opportunity to share their unique perspectives, solve new challenges, and own their careers. We're committed to supporting employees’ happiness, healthiness, and overall well-being by providing comprehensive benefits and perks including premium healthcare, wellness expense reimbursement, paid parental leave and more.

Our Commitment to Diversity and Inclusion

We’re committed to growing and empowering a more inclusive community within our company, industry, and cities. That’s why we hire and cultivate diverse teams of people from all backgrounds, experiences, and perspectives. We believe that true innovation happens when everyone has room at the table and the tools, resources, and opportunity to excel.

Statement of Non-Discrimination: In keeping with our beliefs and goals, no employee or applicant will face discrimination or harassment based on: race, color, ancestry, national origin, religion, age, gender, marital/domestic partner status, sexual orientation, gender identity or expression, disability status, or veteran status. Above and beyond discrimination and harassment based on “protected categories,” we also strive to prevent other subtler forms of inappropriate behavior (i.e., stereotyping) from ever gaining a foothold in our office. Whether blatant or hidden, barriers to success have no place at DoorDash. We value a diverse workforce – people who identify as women, non-binary or gender non-conforming, LGBTQIA+, American Indian or Native Alaskan, Black or African American, Hispanic or Latinx, Native Hawaiian or Other Pacific Islander, differently-abled, caretakers and parents, and veterans are strongly encouraged to apply. Thank you to the Level Playing Field Institute for this statement of non-discrimination.

Pursuant to the San Francisco Fair Chance Ordinance, Los Angeles Fair Chance Initiative for Hiring Ordinance, and any other state or local hiring regulations, we will consider for employment any qualified applicant, including those with arrest and conviction records, in a manner consistent with the applicable regulation.

If you need any accommodations, please inform your recruiting contact upon initial connection.

Notice to Applicants for Jobs Located in NYC or Remote Jobs Associated With Office in NYC Only

We used Covey as part of our hiring and/or promotional process for jobs in NYC and certain features may qualify it as an AEDT in NYC. As part of the hiring and/or promotion process, we provided Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound from August 21, 2023, through December 21, 2023.  We resumed using Covey Scout for Inbound again on June 29, 2024, and ceased using Covey Scout for Inbound on April 30, 2026.

The Covey tool has been reviewed by an independent auditor. Results of the audit may be viewed here: https://getcovey.com/nyc-local-law-144.