iRhythm Technologies, Inc. follows industry best practices to protect the confidentiality, integrity and availability of data. Hosted at Amazon Web Services, our infrastructure is highly durable, scalable and secure. We develop, manage and maintain all proprietary software, systems and associated security controls.
We are dedicated to exceeding our customers' expectations with respect to protected health information privacy and security by adhering to all relevant security requirements.
As participants in patient health care, we are committed to maintaining the privacy of Protected Health Information (PHI) as directed by applicable federal and state law. Our full Notice of Privacy Practices, found at irhythmtech.com/content/privacy, describes our privacy practices, our legal duties and rights concerning PHI.
Certifications, Standards and Regulations
SOC 2 Type II
Zio by iRhythm has completed a SOC 2 Type II examination against the AICPA's Trust Services Criteria for Security, Availability, Confidentiality and Privacy. A SOC 2 Type II examination is performed by an independent third-party auditor and, unlike a Type I, covers the operating effectiveness of controls over a period of time rather than their design at a single point; the resulting report demonstrates iRhythm's commitment to Security and Privacy.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with its Privacy and Security Rules, sets the federal requirements for safeguarding protected health information in the healthcare industry. Zio by iRhythm is committed to maintaining HIPAA compliance and is regularly audited by independent third-party assessors to help ensure we remain compliant.
FIPS 140-2 Validation
The cryptographic module that Zio by iRhythm uses for data encryption has been validated by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program against Federal Information Processing Standard (FIPS) 140-2 (certificate #3118). FIPS 140-2 validation applies to the cryptographic module and its approved mode of operation rather than to the application as a whole; it meets an added level of assurance required by specific government healthcare agencies and further demonstrates iRhythm's continued commitment to patient privacy and data security.
GDPR
The General Data Protection Regulation (GDPR) is the European Union's regulation on data protection and privacy. Zio by iRhythm receives regular independent third-party assessments to help ensure we follow best practices in our efforts to comply with GDPR.
CCPA
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Zio by iRhythm performs periodic independent third-party Information Security / Data Privacy assessments to help with our compliance with its requirements.
EU-US Privacy Shield
Zio by iRhythm has chosen to continue our participation in the EU-US Privacy Shield Framework operated by the US Department of Commerce. Note that the Court of Justice of the European Union invalidated Privacy Shield as a lawful basis for EU-US data transfers in July 2020 (Schrems II), so Privacy Shield participation on its own no longer satisfies GDPR transfer requirements.
Security Controls and Infrastructure
- Single Sign-On (SSO) via SAML available
- Enforced Multi-Factor Authentication (MFA)
- Data encrypted in transit and at rest (TLS/HTTPS in transit, AES-256 at rest)
- Role-based access controls
- 24/7 monitoring
- Regular penetration and vulnerability testing
- AWS EC2 platform
- HL7-based EHR integration
- No on-premises hardware
- Highly scalable
- Highly durable, geographically distributed architecture
- Scalable, virtualized server environment
- Redundant systems, no single point of failure
- Encrypted backups with offsite replication
- Comprehensive audit logging and alerting framework
- Activity tracking
- Regular risk assessments
Policies and Procedures
- Extensive internal policy, procedure and operational controls
- Business Continuity Plan, including virtualization, cloud computing and dual site configuration
- Incident Response policy and procedures
- Business Associate Agreements with vendors involved in the delivery of the Zio Service