Security & Compliance

Built with clinical data security by design

Cardiac device telemetry contains protected health information. Implansense is designed to handle ePHI with the security controls that hospital procurement and clinical program directors require.

HIPAA

Designed to support compliance with HIPAA

Implansense is designed to support compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements for electronic protected health information (ePHI). This includes the technical, administrative, and physical safeguard requirements applicable to covered entities and their business associates.

Note: Implansense operates as a Business Associate under HIPAA. A Business Associate Agreement (BAA) is required prior to data ingestion and is available upon request.

Implansense is designed to support compliance with HIPAA — this is not a certification or attestation of legal compliance. Customers are responsible for their own HIPAA compliance obligations.

Technical Controls

Data security controls

Encryption at rest: All ePHI is encrypted at rest using AES-256. Database-level and file-system-level encryption is applied to every data store containing patient data.

Encryption in transit: All data transmitted to and from Implansense is encrypted using TLS 1.2 or higher. Unencrypted transmissions are rejected at the application layer.

Access control: Role-based access control (RBAC) following the minimum-necessary principle. SSO/SAML integration is supported for enterprise identity management. MFA is required for all user accounts.

Audit logging: Comprehensive access and action audit log. Every ePHI access, export, and deletion event is logged with user identity, timestamp, IP address, and action type. Logs are retained for at least six years, consistent with the HIPAA documentation retention requirement.

Data residency: US-based data residency is available. Data does not leave designated geographic boundaries without explicit institutional authorization. Contact us about your institution's data sovereignty requirements.

Vulnerability management: Regular penetration testing and vulnerability scanning, a responsible disclosure program, and security patches applied within defined SLA windows.

SOC 2 Type II Audit — In Progress

Implansense has initiated a SOC 2 Type II examination covering the Security, Availability, and Confidentiality trust service criteria. The examination period covers our operational controls for handling ePHI in cardiac telemetry analytics workflows. Expected completion: Q4 2026. Prospective customers may request a copy of the report under NDA upon completion.

We are an early-stage seed company working toward a SOC 2 Type II report. SOC 2 is an independent auditor's attestation on the design and operating effectiveness of controls over the examination period, not a certification. We are transparent about our current status: the examination is in progress, not yet complete.

21 CFR Part 820

Designed with 21 CFR Part 820 design controls in mind

Implansense incorporates design control principles aligned with 21 CFR Part 820 (Quality System Regulation) and FDA's design controls guidance for software used in clinical decision support contexts. This includes requirements documentation, design verification activities, and change control processes.

Implansense is designed to support clinical workflow analytics and does not provide automated diagnostic conclusions. All clinical decisions remain with the treating physician. This alignment note does not constitute FDA clearance or certification.

Incident Response

Security incident response

Implansense maintains a documented incident response plan covering detection, containment, investigation, and notification obligations. In the event of a security incident involving ePHI, Implansense will notify the affected covered entities consistent with the HIPAA Breach Notification Rule's requirements for business associates: without unreasonable delay, and no later than 60 calendar days after discovery of the breach.

Security concerns can be reported to [email protected].

Ready to discuss security requirements?

Request access to connect with our team and discuss your institution's security and compliance requirements.

Request Access