SERIOUS ABOUT SECURITY
ZappRx has developed and implemented policies and procedures to protect your data and ensure the confidentiality, integrity, and availability of our information systems containing Protected Health Information (PHI). All of our employees are trained on and responsible for protecting our information systems from unauthorized access, modification, destruction, and disclosure.
Data security policies and procedures are reviewed annually, or sooner if necessary, in an effort to protect the privacy of our staff, clients, and contractors working with or for ZappRx.
CLOUD SERVICES SECURITY
The ZappRx production system - the only place where PHI is stored - is hosted entirely within a secure, dedicated, and HIPAA-compliant Amazon Web Services (AWS) environment that provides for replication and high availability. We have reviewed the applicable (SOC 2) report for relevant controls relating to security and availability of the environment. These reports are re-examined annually as part of our internal HIPAA policy review.
LIMITED ACCESS RESTRICTIONS
ZappRx limits access to PHI to a handful of employees whose roles and responsibilities require access to support our clients and for healthcare operations. All employees with access to PHI are required to have a unique log-in and password which meets a minimum password strength and complexity, and access to systems is limited to active employees and contractors who have signed proper paperwork reviewed by our Human Resources department. All user access is reviewed periodically by our Information Security Officer.
SECURITY BREACH POLICY
ZappRx takes many precautions to avoid security breaches, and we use proactive monitoring to discover any unusual access to our cloud-based systems. In the event of a breach or suspected security breach, employees are trained to immediately report relevant information to the Privacy Officer and/or their supervisor. All breaches and suspected breaches will undergo a mandatory post-incident review of events and actions taken. If findings show that there was a data breach, affected business associates and identified individuals will be notified without unreasonable delay.
PHYSICAL SECURITY PRACTICES
ZappRx takes proper precautions to protect both physical and electronic data. All ZappRx staff are trained and tested on HIPAA-compliant practices for handling PHI, and six-year record retention policies are in place and overseen by our Privacy Officer. Some of our specific practices include:
Encryption of all company laptops.
Company laptops are on fully-supported operating systems equipped with up-to-date anti-virus/anti-malware software and asset tracking.
Strong passwords on systems containing PHI.
ePHI is transferred to external partners only over secure channels.
Data in motion is encrypted using TLS.
Data at rest is encrypted using AES-256.
No physical PHI is maintained at ZappRx.