Manager - IT Security Compliance | Full Time

Information Technology
Corporate Services
Requisition #: 263124


GENERAL SUMMARY:

The IT Security Compliance Manager is responsible for establishing, maintaining, and overseeing the enterprise-wide cybersecurity compliance program across the health system. This position ensures alignment with healthcare regulatory requirements, national cybersecurity frameworks, and federal interoperability initiatives, including HIPAA, HITECH, CMS Promoting Interoperability, and TEFCA. The role leads enterprise-wide readiness for security compliance audits, manages regulatory attestations, and partners closely with the Cybersecurity GRC team, Privacy, Legal, and IT Operations to maintain a trusted and compliant security posture. The IT Security Compliance Manager provides governance and oversight only; the position does not directly manage or operate technical security controls, which remain with the control owners in IT and Cybersecurity. The position is responsible for identifying, directing, coordinating, evaluating, and reporting on security compliance key performance indicators, and for project prioritization, strategic planning, execution, policies, procedures, and guiding practices for the compliance program.


REPORTING/RELATIONSHIPS:

The IT Security Compliance Manager reports to the Director, Cybersecurity GRC within the Information Privacy & Security Office. In addition, this position will work in a collaborative effort with IT and business unit leadership to ensure alignment with policies, processes, applicable laws, and regulations.


MANAGEMENT:

Provides leadership, vision, managerial oversight, development, implementation, and execution of Henry Ford Health's security compliance management plan. Maintains the policies and processes that enable Henry Ford Health to exercise consistent, efficient, and appropriate oversight of compliance services. Sets performance expectations for direct reports and provides constructive performance feedback on a regular basis.

Fosters a culture of customer service, disciplined business conduct, and healthy communication. Ensures each team member understands their role, assigned responsibilities, and is accountable for their performance. Allocates resources so timelines, commitments, and service levels from the team are met. 


PRINCIPAL DUTIES AND RESPONSIBILITIES:

  • Oversee compliance with applicable healthcare cybersecurity regulations and frameworks including HIPAA Security Rule, HITECH, CMS Promoting Interoperability, and TEFCA.
  • Maintain awareness of evolving regulatory and accreditation requirements; interpret their impact on the organization’s cybersecurity posture.
  • Partner with the GRC Controls Manager to ensure security controls align with regulatory intent and audit readiness needs.
  • Serve as the central point of contact for compliance-related audits, assessments, and documentation requests.
  • Lead preparation and coordination for external and internal audits (HIPAA, HITRUST, PCI, TEFCA, CMS, OCR, GDPR, and others).
  • Oversee the organization’s annual HIPAA Security Rule and CMS Promoting Interoperability attestations.
  • Provide compliance metrics, dashboards, and reporting to leadership.
  • Track compliance findings through remediation and validate closure with responsible stakeholders.
  • Serve as compliance liaison for TEFCA participation, ensuring alignment with Common Agreement and QHIN framework security and privacy obligations.
  • Maintain documentation and evidence demonstrating adherence to TEFCA’s security, privacy, and breach response requirements.
  • Collaborate with Legal, Privacy, and Interoperability teams to maintain readiness for CMS-aligned network security certifications and attestations.
  • Review and maintain cybersecurity-related policies and standards to ensure consistency with regulatory requirements.
  • Provide compliance guidance for new technology initiatives, system integrations, and data exchange projects.
  • Serve as a subject matter expert to business and IT leadership on cybersecurity compliance, audit readiness, and TEFCA/CMS interoperability obligations.
  • Promote organizational awareness of regulatory responsibilities and audit readiness expectations.
  • Conduct performance reviews for team members and provide coaching and staff performance feedback.
  • Support sound fiscal management, including budgetary input for proper staffing and expenditures.
  • Other duties as assigned.


EDUCATION/EXPERIENCE REQUIRED:

  • Bachelor's degree in Information Technology, Cybersecurity, or related field (or equivalent experience) required.
  • Five plus (5+) years of experience in IT security compliance, risk management, or audit coordination within healthcare or other regulated industries required.
  • Strong working knowledge of HIPAA, HITECH, CMS Promoting Interoperability, TEFCA, and related federal and state requirements required.
  • Familiarity with frameworks including NIST CSF, NIST 800-53, HITRUST CSF, and ISO 27001 required.
  • Experience with both the payer and provider side of healthcare regulation including an understanding of necessary segregation between them required.
  • Professional certifications such as CISSP, CISA, CISM, HCISPP, or HITRUST CCSFP required.
  • Experience supporting TEFCA or CMS-aligned network compliance initiatives required.
  • Experience with IT GRC platforms such as ServiceNow GRC, Archer, or OneTrust preferred.
  • Excellent organizational, communication, and stakeholder management skills preferred.
  • Exceptional and demonstrated leadership skills and ability to influence peers, superiors, and corporate culture preferred.
  • Ability to analyze, interpret, and summarize regulations, policies and procedures, reports, and legal documents preferred.
  • Demonstrated ability to recruit, train and lead people, set goals and achieve implementation results for security programs and solutions preferred.
  • Advanced knowledge of IT systems and functions, process development, change management, and service and implementation lifecycle preferred.
  • Demonstrated strong and effective verbal, written, and interpersonal communication skills preferred.

Additional Details

This posting represents the major duties, responsibilities, and authorities of this job, and is not intended to be a complete list of all tasks and functions. It should be understood, therefore, that incumbents may be asked to perform job-related duties beyond those explicitly described above.

Overview

Henry Ford Health partners with millions of people on their health journey, across Michigan and around the world. We offer a full continuum of services – from primary and preventative care to complex and specialty care, health insurance, a full suite of home health offerings, virtual care, pharmacy, eye care and other health care retail. With former Ascension southeast Michigan and Flint region locations now part of our team, Henry Ford’s care is available in 13 hospitals and hundreds of ambulatory care locations. Based in Detroit, Henry Ford is one of the nation’s most respected academic medical centers and is leading the Future of Health: Detroit, a $3 billion investment anchored by a reimagined Henry Ford academic healthcare campus. Learn more at henryford.com/careers.

Benefits


The health and overall well-being of our team members is our priority. That's why we offer support in the various components of our team's well-being: physical, emotional, social, financial and spiritual. Our Total Rewards program includes competitive health plan options, with three consumer-driven health plans (CDHPs), a PPO plan and an HMO plan. Our team members enjoy a number of additional benefits, ranging from dental and eye care coverage to tuition assistance, family forming benefits, discounts to dozens of businesses and more. Employees classified as contingent status are not eligible for benefits.

Equal Employment Opportunity/Affirmative Action Employer

Henry Ford Health is committed to the hiring, advancement and fair treatment of all individuals without regard to race, color, creed, religion, age, sex, national origin, disability, veteran status, size, height, weight, marital status, family status, gender identity, sexual orientation, and genetic information, or any other protected status in accordance with applicable federal and state laws.
