ZappRx is committed to the security and privacy of its customers and their data. The ZappRx Platform was designed according to the highest security compliance standards in the healthcare industry. All ZappRx Platform components reside on HIPAA-compliant AWS cloud infrastructure. ZappRx maintains formal policies and procedures that have been implemented to govern all aspects of the design, administration, management and use of the ZappRx Platform.
ZappRx fully complies with HIPAA and HITECH regulations to maintain the security, confidentiality and privacy of Protected Health Information (PHI). All employees and contractors are responsible for protecting PHI, are trained in HIPAA/HITECH requirements, and must formally acknowledge compliance with policies and procedures.
SOC 2 Type 2
ZappRx maintains a SOC 2 Type 2 report for the security and privacy trust services principles from an independent third party for the ZappRx Platform.
ZappRx received HITRUST CSF Certification for the ZappRx Platform. HITRUST CSF is a framework used by organizations that create, process, store, or exchange PHI. Certification assures customers that ZappRx meets the healthcare industry’s standards for protecting PHI and other health-related data.
ZappRx maintains formal policies and procedures for security incident and breach management. Incidents and breaches are handled by the Security Officer and Privacy Officer in accordance with HIPAA requirements. The incident management and breach reporting procedures are tested at least annually.
ZappRx limits access to PHI to those employees whose roles and responsibilities require it to support our clients and for healthcare operations. Every employee with access to PHI must have a unique login and password that meet minimum password-strength and complexity requirements. Access to systems is limited to active employees and contractors based on job responsibilities, following the least-privilege principle, and ZappRx adheres to the Minimum Necessary standard required of all HIPAA-compliant entities. Our Security Officer periodically reviews all user access. All data is encrypted at rest and in transit.