Clinical-grade security, designed for health system requirements.
RPMLyra is designed with HIPAA Security Rule technical safeguards in mind — encryption at rest and in transit, role-based access controls, immutable audit logging, and BAA readiness.
Designed with HIPAA technical safeguards in mind
RPMLyra is built for clinical environments. These controls reflect our security posture — not certification claims.
Encryption at Rest
All PHI stored with AES-256 encryption at rest. Database volumes encrypted via cloud provider KMS. Encryption keys rotated on defined schedules with strict access separation.
Encryption in Transit
TLS 1.2 minimum across all data paths — patient device to platform, platform to EHR, and all API endpoints. Certificates managed with automated renewal and monitoring.
Role-Based Access
Principle of least privilege. Clinical staff see only their assigned patients. Administrators cannot view individual readings without audit trail. Separate roles for billing, clinical, admin, and API access.
Immutable Audit Logging
Every data access, reading, alert, and configuration change is timestamped, attributed to a user, and written to an append-only audit log. Logs are retained and cannot be modified by any platform user.
BAA Readiness
RPMLyra executes Business Associate Agreements with covered entities as required under HIPAA. BAA review is part of our standard enterprise onboarding process.
MFA & Session Management
Multi-factor authentication required for all clinical staff accounts. Session timeout enforced at 30 minutes of inactivity. Single sign-on (SSO) via SAML 2.0 for enterprise deployments.
Security Testing Program
Our security program includes periodic vulnerability assessments and third-party penetration testing of platform endpoints. Findings are tracked, remediated, and documented as part of our security governance process.
Cloud infrastructure designed for availability and compliance
HIPAA-Eligible Cloud
Deployed on cloud infrastructure with HIPAA-eligible service tiers. Provider operates under a signed BAA covering the services used for PHI storage and processing.
US Data Residency
All PHI stored and processed within the United States. No cross-border data transfer for clinical data. Backup replication within US regions only.
Backup & Recovery
Daily automated backups with 30-day retention. Point-in-time recovery capability. Disaster recovery RTO target under 4 hours for critical reading and alert data.
How we describe our compliance status — accurately
We don't claim certifications we haven't completed. RPMLyra is an early-stage platform designed with specific compliance frameworks in mind. Here is our accurate posture statement:
"RPMLyra is designed with HIPAA Security Rule technical and administrative safeguard requirements in mind. We execute BAAs with covered entities. We are not currently HITRUST CSF certified or SOC 2 Type II certified."
We understand health systems have compliance procurement requirements. We're happy to complete your security questionnaire and discuss our controls in detail.
Designed with §164.312 controls in mind
BAAs executed with covered entities before go-live
We complete standard procurement security questionnaires
Breach detection and notification procedures in place