Counsel, Health Data and Privacy

About Care Access:

Care Access is working to make the future of health better for all. With hundreds of research locations, mobile clinics, and clinicians across the globe, we bring world-class research and health services directly to communities that often face barriers to care. We are dedicated to ensuring that every person has the opportunity to understand their health, access the care they need, and contribute to the medical breakthroughs of tomorrow.

With programs like Future of Medicine, which makes advanced health screenings and research opportunities accessible to communities worldwide, and Difference Makers, which supports local leaders to expand their community health and wellbeing efforts, we put people at the heart of medical progress. Through partnerships, technology, and perseverance, we are reimagining how clinical research and health services reach the world. Together, we are building a future of health that is better and more accessible for all.

To learn more about Care Access, visit www.CareAccess.com. How This Role Makes a Difference We are seeking a pragmatic, business-oriented Counsel, Health Data & Privacy to join our Legal & Compliance team. This role will focus primarily on HIPAA and health data privacy advisory, negotiation of data protection and healthcare-related agreements, and support of global data protection compliance across our clinical research and operational activities.

The ideal candidate brings strong experience with HIPAA and U.S. federal and state privacy laws, meaningful experience with GDPR and other international data protection frameworks and demonstrated capability negotiating data protection and healthcare-related agreements. This role requires both strategic and tactical involvement in health data governance, privacy compliance, and complex data contracting, as well as close collaboration with clinical, operational, procurement, and technology stakeholders. The successful candidate will be a skilled writer and pragmatic advisor who communicates effectively across the organization, evaluates risk with sound judgment, develops risk-calibrated solutions that enable business objectives, and supports implementation in a fast-paced, evolving healthcare and research environment.

How You'll Make An Impact Health Data, AI & Global Privacy Governance Privacy Law Expertise: Provide strategic and practical legal advice on global privacy and data protection laws, including GDPR, HIPAA, CCPA/CPRA, and other U.S. state and federal privacy laws. Experience with GDPR and HIPAA mandatory.

AI & Emerging Technologies: Advise on privacy and data protection implications of AI-enabled tools, machine learning systems, and other emerging technologies involving health and personal data. Conduct and draft legal risk assessments addressing automated processing, training data use, model outputs, human-in-the-loop safeguards, cross-border considerations, and evolving regulatory frameworks.

Clinical Support: Partner with clinical and operations teams to advise on privacy and data protection matters related to clinical research activities, including cross-border data transfers, site operations, and subject data rights. Contracting & Transactions: Draft, review, and negotiate data processing agreements, data transfer agreements, data sections of clinical trial agreements, licensing deals, and other contracts involving company, personal or sensitive data.

Cross-Functional Partnership: Act as a trusted legal advisor to teams across the company to develop practical, risk-adjusted solutions that support compliance and responsible business growth. Commercial & Strategic Transactions Support Commercial Contracting: Draft, review, and negotiate a broad range of commercial agreements, including vendor agreements, services agreements, research collaborations, and data-driven partnerships.

Strategic Transactions & Partnerships: Support structuring of healthcare and data-driven initiatives to align legal risk with business objectives. Partner with operational and procurement stakeholders to facilitate efficient and compliant transactions. Business Enablement: Proactively support and advise emerging business lines and new initiatives to drive business growth while mitigating risk

• Perform other legal tasks and projects assigned by legal leadership.

The Expertise Required Strong working knowledge of HIPAA and U.S. health privacy laws, including experience advising on use and disclosure of PHI, research authorizations, and breach analysis.

• Demonstrated experience drafting and negotiating Business Associate Agreements (BAAs), Data Processing Agreements (DPAs), and data protection provisions in commercial agreements.

Experience drafting or supporting AI and automated decision-making risk assessments, privacy impact assessments, or related governance documentation for internal review or regulatory purposes.:

Working knowledge of GDPR and international data transfer mechanisms, including controller/processor analysis and cross-border data considerations. Ability to assess and clearly communicate legal risk in operational and commercial contexts. Strong drafting, analytical, and negotiation skills, with attention to detail.

Business-oriented mindset with the ability to balance compliance obligations and commercial objectives. Ability to work collaboratively across clinical, operational, procurement, and technology teams. Sound judgment in escalating enterprise-level or reputational risk. For this position, you must be currently authorized to work in the United States without the need for sponsorship for a non-immigrant visa.

Certifications/Licenses, Education, and Experience Juris Doctor (JD) or equivalent law degree from an accredited institution. 3-6+ years of legal experience, including substantive GDPR experience and direct involvement in HIPAA and U.S. privacy law.

Licenses:

Licensed to practice law in at least one state in the United States and eligible for in-house corporate practice in state of residence. CIPP or other similar certifications preferred. How We Work Together Location: Remote within the United States. This role requires 100% of work to be performed in a remote office environment.

Travel: This is a remote position with less than 10% travel requirements. Occasional planned travel may be required as part of the role. Physical demands associated with this position Include: The ability to use keyboards and other computer equipment. The expected salary range for this role is $140,000 - $170,000 USD per year for full time team members.

Benefits & Perks (US Full Time Employees):

Paid Time Off (PTO) and Company Paid Holidays 100% Employer paid medical, dental, and vision insurance plan options Health Savings Account and Flexible Spending Accounts Bi-weekly HSA employer contribution Company paid Short-Term Disability and Long-Term Disability 401(k) Retirement Plan, with Company Match

Diversity & Inclusion We work with and serve people from diverse cultures and communities around the world. We are stronger and better when we build a team representing the communities we support. We maintain an inclusive culture where people from a broad range of backgrounds feel valued and respected as they contribute to our mission.

We are an equal opportunity employer, and all qualified applicants will receive consideration for employment without regard to, and will not be discriminated against on the basis of, race, color, religion, sex, sexual orientation, gender identity or expression, pregnancy, age, national origin, disability status, genetic information, protected veteran status, or any other characteristic protected by law.

Care Access is unable to sponsor work visas at this time. If you need an accommodation to apply for a role with Care Access, please reach out to: TalentAcquisition@careaccess.com

Mandatory Employer Disclosures:

Notice to Illinois applicants: Applicants are not obligated to disclose expunged juvenile records or adjudication, arrest, or conviction. Notice to Connecticut applicants: Care Access may require applicants to submit to a urinalysis drug test in connection with an application for employment. Notice to Arizona, Georgia, Indiana, and North Dakota applicants: Care Access complies with applicable laws prohibiting smoking in and around places of employment.

Notice to Massachusetts applicants: It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability. Notice to Rhode Island applicants: Care Access complies with Rhode Island law prohibiting smoking in enclosed areas within places of employment. Care Access is also subject to is subject to Chapters 29–38 of Title 28 of the Rhode Island General Laws.

Notice to Maryland applicants: UNDER MARYLAND LAW, AN EMPLOYER MAY NOT REQUIRE OR DEMAND, AS A CONDITION OF EMPLOYMENT, PROSPECTIVE EMPLOYMENT, OR CONTINUED EMPLOYMENT, THAT AN INDIVIDUAL SUBMIT TO OR TAKE A LIE DETECTOR OR SIMILAR TEST. AN EMPLOYER WHO VIOLATES THIS LAW IS GUILTY OF A MISDEMEANOR AND SUBJECT TO A FINE NOT EXCEEDING $100.