Trust Center - Security

iRhythm Technologies, Inc. uses industry best practices that ensure the confidentiality, integrity, and availability of data. Hosted at Amazon Web Services, our infrastructure is highly durable, scalable, and secure. We develop, manage, and maintain all proprietary software, systems, and associated security.

We are dedicated to exceeding our customers' expectations with respect to protected health information privacy and security by adhering to all relevant security requirements.

As participants in patient health care, we are committed to maintaining the privacy of Protected Health Information (PHI) as directed by applicable federal and state law. Our full Notice of Privacy Practices, found at irhythmtech.com/content/privacy, describes our privacy practices, our legal duties, and rights concerning PHI.


Certifications, Standards and Regulations

Zio by iRhythm is SOC 2 Type II certified, adhering to the AICPA's Trust Services Principles and Criteria for Security, Availability, Confidentiality and Privacy. The SOC 2 Type II audit is performed by an independent third party and demonstrates iRhythm's commitment to Security and Privacy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a highly regulated and security-conscious statute in the healthcare industry. Zio by iRhythm is committed to maintaining HIPAA compliance and is regularly audited by independent third-party assessors to help ensure we remain compliant.

Zio by iRhythm has received the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) 140-2 validation for data encryption. This achieves an added level of security required by specific government healthcare agencies and further demonstrates iRhythm's continued commitment to patient privacy and data security. Certificate number 3118.

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Zio by iRhythm performs periodic independent third-party Information Security / Data Privacy assessments to help with our compliance with its requirements.

The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy in the European Union. Zio by iRhythm receives regular independent third-party assessments to help ensure we follow best practices in our efforts to comply with GDPR.

Zio by iRhythm has chosen to continue our participation in the EU/US Privacy Shield Framework operated by the US Department of Commerce.

Information Security

Single Sign-On (SSO) via SAML available
Enforced Multi-Factor Authentication (MFA)
Data encrypted in motion and at rest (HTTPS, AES-256)
Role-based access controls
24-hour monitoring
Regular penetration and vulnerability testing

AWS EC2 platform
HL7-based EHR integration
No on-premise hardware
Highly scalable
Highly durable, geographically distributed architecture
Scalable, virtualized server environment
Redundant systems, no single point of failure
Encrypted backups with offsite replication

Extensive internal policy, procedure, and operational controls
Business Continuity Plan, including virtualization, cloud computing, and dual-site configuration
Incident Response policy and procedures
Business Associate Agreement with vendors that are involved with the delivery of the Zio Service.

1. We adhere to Medicare Independent Diagnostic Testing Facility (IDTF) Performance Standards, 42 C.F.R. section 410.33.

WEB0122.01