HIPAA compliant remote patient monitoring: a physician reviewing patient data on a laptop

Trust and Security

Vivo Care is a HIPAA compliant remote patient monitoring, chronic care management, and advanced primary care management platform. This page consolidates our security and compliance posture for the IT, security, and procurement teams that review us, with independently verified protection for the data your patients trust you with.

Talk with our team

Security and privacy at every layer

At Vivo Care, protecting patient information is not a feature, it is the foundation. Every program we run, Remote Patient Monitoring, Chronic Care Management, and Advanced Primary Care Management, is delivered on a HIPAA compliant platform with safeguards for protected health information built into every layer.

Clinician working securely on a laptop in a medical office, Vivo Care HIPAA compliant remote care platform

Independent attestations and compliance

We follow a deliberate maturity path: meet the regulatory baseline, prove it through independent examination, and continue toward the healthcare gold standard.

  • HIPAA Compliant. Platform-wide across RPM, CCM, and APCM, with Business Associate Agreements and full safeguards for PHI.
  • SOC 2® Type II. An independent examination of our controls across all five Trust Services Criteria over a defined audit period.
  • HITRUST r2, in progress. Actively pursuing HITRUST r2 certification, building on the controls validated in our SOC 2 examination.
Provider showing empathy and trust with an older patient, Vivo Care remote care
Vivo Care completed a SOC 2 examination — AICPA SOC for Service Organizations

Independently examined. View our listing on the AICPA SOC for Service Organizations site.

Ryan Clark
“Our customers and partners trust us with their patients’ most sensitive data. Completing an independent SOC 2 Type II examination is how we prove that trust is well placed, not with claims, but with an outside auditor’s verification of how we operate every day. This is a milestone on a deliberate path, and the next step on that path is HITRUST.”

Ryan Clark

Chief Executive Officer

The five Trust Services Criteria

Our SOC 2 Type II examination spans all five Trust Services Criteria defined by the AICPA:

  • Security. Systems are protected against unauthorized access, use, and modification.
  • Availability. Systems are available for operation and use as committed.
  • Processing Integrity. System processing is complete, valid, accurate, and timely.
  • Confidentiality. Information designated as confidential is protected as committed.
  • Privacy. Personal information is collected, used, retained, and disclosed in line with our commitments.
The five Trust Services Criteria examined in the Vivo Care SOC 2 Type II report
Dr. Aamir Iqbal, MD
“When a provider adjusts a care plan based on a patient’s remote readings, that decision is only as sound as the data behind it. An independent SOC 2 Type II examination across all five Trust Services Criteria, including processing integrity, means the data our clinicians and partner providers rely on has been independently verified for accuracy and protection. In remote care, data integrity is patient safety.”

Dr. Aamir Iqbal, MD

Medical Director

How we protect data

Encryption. Patient data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).

Access control. Access follows least-privilege, role-based controls, with periodic access reviews.

Monitoring. The environment is continuously logged and monitored.

Resilience. Documented incident response, disaster recovery, and business continuity procedures are maintained.

US-based hosting. The platform runs on US-based cloud infrastructure, and patient data remains in the United States.

Our attestation covers the Vivo Care platform we operate, not solely the certifications of an underlying cloud-hosting provider.

Secured end to end

From the patient’s FDA cleared device to the clinician’s dashboard, data is encrypted in transit and at rest. Access is limited to the people and services that need it, and every connection in the chain is monitored.

Connected monitoring devices and the Vivo Care clinician dashboard, linked by an encrypted connection

Our security program

Our controls are governed by a documented set of approved policies, reviewed regularly and enforced across the platform.

  • Access controls. Least privilege access with multi factor authentication.
  • Encryption. Data protected in transit and at rest.
  • Monitoring and logging. Continuous monitoring with audit trails.
  • Vulnerability management. Regular testing and patching.
  • Incident response. A defined plan for detection, response, and notification.
  • Vendor due diligence. Security review of vendors and sub-processors, including device partners that have completed a SOC 2 examination.
  • Workforce training. Ongoing security and privacy training for our team.
Vivo Care clinical care team reviewing a patient program together

Data privacy

Patient data is collected, used, and retained only to support care and the services providers ask us to deliver. We do not sell personal information. Our practices are described in full in our privacy policy.

Patient and provider talking in an exam room, trust and privacy in Vivo Care remote care

Talk with our team

Have questions about our security and privacy, or want to see the platform in action? Our team is here to help.

Request a demo

Further reading

Compliance is an ongoing commitment, not a one-time exercise. We continually invest in the security, privacy, and regulatory standards that protect patient data. Explore how we approach secure care below, and stay current on the topics that affect your program.

Security & ComplianceScaling Secure CareRead more Security & Compliance2026 OIG CCM Audit and Medicare ComplianceRead more Security & ComplianceOIG Scrutiny of Medicare RPMRead more Case StudyVirtru and PHI Email EncryptionRead more PlatformRemote Patient MonitoringRead more PlatformChronic Care ManagementRead more PlatformAdvanced Primary Care ManagementRead more PlatformConnected DevicesRead more
Stay current on security and compliance: subscribe to The Remote Care Standard

Our regular Compliance Corner: security, privacy, and regulatory updates that affect your program.

Security documentation

Security and procurement teams can access our SOC 2 Type II report and supporting security documentation through our compliance portal. The non-disclosure agreement is handled in the portal.

Request our security documents

Frequently asked questions

Is the Vivo Care platform HIPAA compliant?
Yes. Vivo Care is HIPAA compliant across Remote Patient Monitoring, Chronic Care Management, and Advanced Primary Care Management, with administrative, physical, and technical safeguards protecting Protected Health Information, and we sign Business Associate Agreements.
How is patient data encrypted?
Patient data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256.
Do you require multi-factor authentication?
Yes. Multi-factor authentication is required for all portal users, and access follows least-privilege, role-based controls with periodic access reviews.
How do you protect PHI in email and communications?
Communications that contain Protected Health Information are sent through encrypted email using Virtru.
Do you have a SOC 2 report?
Vivo Care has completed a SOC 2 Type II examination across all five Trust Services Criteria. Qualified security and procurement teams can request the full report under a mutual non-disclosure agreement through our Trust Center.
Are you pursuing HITRUST?
Yes. Vivo Care is actively pursuing HITRUST r2 certification, building on the control environment validated through our SOC 2 Type II examination.
Where is patient data hosted?
The platform runs on US-based cloud infrastructure, and patient data remains in the United States.
Do you sign Business Associate Agreements (BAAs)?
Yes. Vivo Care signs BAAs with the healthcare organizations and partners we serve.