Security

iRhythm Technologies, Inc. uses industry best practices that ensure the confidentiality, integrity and availability of data. Hosted at Amazon Web Services, our infrastructure is highly durable, scalable and secure. We develop, manage and maintain all proprietary software, systems and associated security.

We are dedicated to exceeding our customers' expectations for the privacy and security of protected health information by adhering to all relevant security requirements.

As participants in patient health care, we are committed to maintaining the privacy of Protected Health Information (PHI) as directed by applicable federal and state law. Our full Notice of Privacy Practices, found at irhythmtech.com/content/privacy, describes our privacy practices and our legal duties and rights concerning PHI.

Certifications, Standards and Regulations


SOC 2 Type II

Zio by iRhythm is SOC 2 Type II certified, adhering to the AICPA's Trust Services Principles and Criteria for Security, Availability, Confidentiality and Privacy. The SOC 2 Type II audit is performed by an independent third party and demonstrates iRhythm's commitment to security and privacy.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the statute that sets strict privacy and security requirements for the healthcare industry. Zio by iRhythm is committed to maintaining HIPAA compliance and is regularly audited by independent third-party assessors to help ensure we remain compliant.


FIPS 140-2 Validation

Zio by iRhythm has received the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) 140-2 validation for data encryption. This provides the added level of security required by specific government healthcare agencies and further demonstrates iRhythm's continued commitment to patient privacy and data security. Certificate #3118.


GDPR

The General Data Protection Regulation (GDPR) is the European Union's regulation on data protection and privacy. Zio by iRhythm receives regular independent third-party assessments to help ensure we follow best practices in our efforts to comply with GDPR.


CCPA

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Zio by iRhythm performs periodic independent third-party Information Security / Data Privacy assessments to support our compliance with its requirements.


Privacy Shield

Zio by iRhythm has chosen to continue our participation in the EU/US Privacy Shield Framework operated by the US Department of Commerce.

Information Security


Security

  • Single Sign-On (SSO) via SAML available
  • Enforced Multi-Factor Authentication (MFA)
  • Data encrypted in motion and at rest (HTTPS, AES-256)
  • Role-based access controls
  • 24/7 monitoring
  • Regular penetration and vulnerability testing

Cloud-Based

  • AWS EC2 platform
  • HL7-based EHR integration
  • No on-premise hardware
  • Highly scalable

Availability

  • Highly durable, geographically distributed architecture
  • Scalable, virtualized server environment
  • Redundant systems, no single point of failure
  • Encrypted backups with offsite replication

Auditing

  • Comprehensive audit logging and alerting framework
  • Activity tracking
  • Regular risk assessments

Policies and Procedures

  • Extensive internal policy, procedure and operational controls
  • Business Continuity Plan, including virtualization, cloud computing and dual site configuration
  • Incident Response policy and procedures
  • Business Associate Agreements with vendors involved in the delivery of the Zio Service
