Home  /  Careers  /  Founding Semi-Feral Compliance Dork

Founding Semi-Feral Compliance Dork

Artificer Health | Remote | Full-Time

About the title

Yes, it's real. Yes, it's intentional.

"Semi-feral" means you've done time inside the machine - the big health system, the enterprise payer, the compliance consulting firm with 400 people and a 90-slide deck about what compliance is. You know how that world works. You also know how much of it is theater. So at some point you stopped performing and started asking uncomfortable questions, which did not make you popular, which is how you ended up here, reading a job posting from a pre-revenue startup that can't afford to waste your time on process that doesn't protect anyone.

"Dork" means you actually love this stuff. Not because it makes you look good at audits. Because you read the OCR guidance documents when they drop. Because you have opinions about HITRUST scoring methodology that you will share unprompted. Because when someone says "we just need to check the HIPAA box," something in you dies a little.

If that sentence landed: keep reading.

If you're wondering whether we'll change the title before your first client call: we won't.

Why this role exists

Prior authorization is one of the most friction-heavy, delay-prone processes in American healthcare. Artificer Health is building software to automate it - to get patients to care faster and get providers out from under a process that was designed in 1992 and has not fundamentally improved since.

We are not yet revenue-generating. We are building, recruiting pilot customers, and moving fast. Our first EHR integration target is athenahealth. The team is deliberately small.

Healthcare AI touches PHI. Healthcare software gets audited. Healthcare sales cycles include security reviews, vendor assessments, and the question every IT director at a medical practice eventually asks: "How do I know you won't get us breached?"

The honest answer to that question is not a SOC 2 logo on a website. It's a compliance program that actually works, built by someone who actually understands what "actually works" means in this context.

That's why this role exists. Not to generate paperwork. To build trust that accelerates sales and protects patients. Those two things are not in conflict. They are, when done right, the same thing.

What you'll actually do

Build the compliance program from the ground up. We have 22 security policies drafted and a controls crosswalk in progress. You'll inherit that work, gut what doesn't hold up, finish what does, and build the rest. Nothing here is sacred. If a policy doesn't map to a real risk or a real control, it goes.

Own HIPAA/HITECH from end to end. Not just the policies - the actual program. BAA management, PHI data flow documentation, minimum necessary standard application, breach notification procedures, workforce training that people actually retain. You understand that HIPAA compliance and HIPAA security are not the same sentence and you can explain the difference without condescending.

Drive SOC 2 Type 2 readiness. We're building toward it. You'll define the scope, select the trust service criteria that matter for what we actually do, map controls to evidence, and build the operational cadence so that when the audit window opens, it is not a fire drill. It should not be a fire drill. If it is, something failed upstream.

Chart the HITRUST path. You know what HITRUST actually costs, what it actually proves, and at what point in a company's maturity it makes sense to pursue it. You'll develop the strategy, not just the checklist.

Handle multi-state privacy law compliance. This is not getting easier. You'll track the relevant state health privacy laws, advise on how they interact with HIPAA, and make sure we're not building something that's compliant in one state and a liability in another.

Review vendor agreements and cloud infrastructure. When we bring on a new vendor, you evaluate their security posture. When we sign a data processing agreement, you read it. When engineering wants to use a new cloud service that might touch PHI, you weigh in before the code is written, not after.

Work with engineering as a partner, not a checkpoint. Compliance bolted on after the fact is expensive, slow, and usually insufficient. You'll be in product and engineering conversations early. Your job is to say "here's how we can do this and stay compliant" at least as often as you say "we can't do that." Ideally more.

Build systems so you're not the single point of failure. If the entire compliance program lives in your head, that's a risk. You'll document, automate where possible, and train the team so compliance is everyone's baseline, not your personal burden.

Handle incident response planning. Not just the policy - the runbook. The thing people actually follow at 11pm when something goes wrong.

Represent compliance in customer conversations when it matters. Pilot customers will have questions. Some of them will want to talk to the person who owns this. That person is you.

What you bring

Deep, current knowledge of healthcare-specific compliance. HIPAA Privacy Rule, Security Rule, Breach Notification Rule - not as bullet points, as working knowledge. You understand the minimum necessary standard well enough to apply it in ambiguous situations. You've drafted or reviewed BAAs and you know where the boilerplate breaks down.

SOC 2 experience that goes past the theory. You've been through at least one SOC 2 audit in a role where you were responsible for the outcome, not just adjacent to it.

HITRUST familiarity. You understand the HITRUST CSF at a level that lets you have a real conversation about scope and scoring, not just acronym-level familiarity.

Multi-state health privacy law awareness. You know that HIPAA is a floor, not a ceiling, and you track what's happening at the state level.

The ability to say "no, and here's why" without becoming the reason nothing gets done. This is a specific skill. A lot of compliance people have the "no" part. The "here's how we CAN do it" part is rarer and more valuable.

Strong enough communication skills to work with engineers, executives, and medical practice administrators in the same week. Different audiences. Different vocabularies. Same underlying requirements.

Comfort with startup ambiguity. There is no compliance team. There is no inherited playbook. There is no predecessor to blame when something needs rebuilding. There is work to be done and a problem worth solving.

You are the kind of person who considers a new patio11 essay about the hidden complexity of some seemingly mundane regulatory system to be a perfectly good Saturday afternoon. If that reference means nothing to you, that's fine. If it made you smile, we should talk.

One more thing: you're not going to spend much time explaining HIPAA 101 to leadership. The founder has deep security expertise. He has read the same guidance documents you have. You will be able to skip the basics and get straight to the interesting problems. This is a feature of the role, not an accident.

What we bring

A problem worth solving. Prior authorization causes measurable harm - delayed surgeries, missed diagnoses, administrative burnout at small practices that can't absorb the overhead. If we build this right, patients get to care faster. That's not a mission statement. That's what the software does.

A team that operates without spectators. Everyone here works. Nobody has a role that lets them wait for someone else to pick up the ball. If you see something broken, you fix it or you say something. That's the only mode available.

A founder who will not waste your time with compliance theater. The goal is a program that actually protects patients and actually passes audits because it actually works. Not one that looks good in a binder.

A founding seat. You will not inherit a playbook. You will write it. Five years from now, the compliance architecture at Artificer Health will reflect decisions you made at the beginning. That is either exciting or exhausting depending on who you are. We need it to be exciting.

Genuine flexibility on how and where you work. Remote-friendly, with meaningful overlap during US business hours. We care about outcomes, not presence.

Compensation that reflects what this role actually is. Founding-level equity. Salary that is competitive for the stage. We'll talk specifics in the first conversation.

How to apply

Send an email to [email protected] with the subject line: Semi-Feral and Ready.

In the body: tell us about a compliance program you built or rebuilt that actually worked - not the audit it passed, but what it changed in how the organization operated. Three paragraphs maximum. We will read all of it.

If you have a resume, attach it. If you'd rather send a LinkedIn profile, that's fine too. We are not filtering on format.

We don't have a long hiring process. You'll talk to the founder. You'll get a realistic picture of where we are and what this role actually involves. No surprises.

Ready to apply?

Send your application to the email below. Read the full description for your specific application prompt.

[email protected]
← All Open Roles