HIPAA Compliance

HIPAA Compliance at Xilium is organized around the three safeguard categories of the HIPAA Security Rule: Administrative, Technical, and Physical.

We comply with HIPAA by observing proper information management. A designated HIPAA officer recommends guidelines, conducts monitoring, and delivers training. The HIPAA officer also enforces the security policies that prevent unauthorized access to sensitive information. Whenever one of these policies is breached, the responsible staff member or supervising officer prepares an incident report and submits it to the HIPAA officer for immediate action.

Our protocols are designed to include active client participation. Clients choose the EMR, cloud storage, and phone system they are already familiar and comfortable with. These channels are secured at all times, balancing protection against client accessibility.

Each VA has an individual account and is assigned a company laptop and work desk, so management can attribute any unauthorized access or misuse of PHI to a specific person. At the end of each shift, laptops are logged and returned to designated storage, where they are kept under lock and key.

Xilium’s office spaces are guarded by security personnel 24/7, and some areas are closed off to general staff. Workstations that handle PHI are designated as “HIPAA zones” and follow tighter clearance policies: they are accessible only to HIPAA-trained personnel. Employees may not use cellphones or any similar recording device at HIPAA-designated workstations during work hours. Non-HIPAA-trained personnel, including Xilium staff without the proper authority, are prohibited from entering HIPAA zones and are limited to their own workstations in Restricted Zones. Lastly, guests remain in the lobby area and are admitted to the office space only once the proper clearance has been obtained.

We observe a zero-tolerance policy toward the unauthorized downloading of PHI. Xilium likewise strictly avoids printing PHI; in the rare cases where printing is unavoidable, the documents are shredded afterwards in the presence of a HIPAA officer.