At XLA Health, we understand the critical importance of protecting the privacy and security of patient information. As a medical business process outsourcing firm, we are committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all associated regulations.

Our Commitment to HIPAA

XLA Health serves as a Business Associate to covered healthcare providers under HIPAA. We fully comply with all applicable requirements, including the Privacy Rule, Security Rule, and Breach Notification Rule. This compliance is foundational to how we operate and deliver services such as:

• Appointment scheduling
• Patient intake and eligibility verification
• Medical billing and coding
• Call center and administrative support
• Records coordination and documentation assistance

Employee Training & Confidentiality

Every XLA Health employee:

• Receives mandatory HIPAA training during onboarding and annually thereafter
• Signs a legally binding HIPAA Confidentiality and Security Agreement
• Is instructed on the proper handling, storage, transmission, and disposal of Protected Health Information (PHI)
• Is monitored for adherence to our internal HIPAA policies and procedures

Violations of these obligations are grounds for disciplinary action, up to and including termination.

Security Practices

We maintain rigorous administrative, technical, and physical safeguards to protect PHI:

• Secure cloud infrastructure with encryption in transit and at rest
• Access controls and role-based permissions to restrict PHI visibility
• Audit logging and intrusion detection systems
• Workstation controls and remote-wipe capabilities
• Regular risk assessments and vulnerability remediation

Business Associate Agreements (BAAs)

We execute Business Associate Agreements (BAAs) with all covered entities we serve. These contracts clearly define our responsibilities, restrictions, and breach notification procedures under HIPAA. We also require BAAs with any subcontractors who may access PHI in the course of delivering services on our behalf.

Breach Notification Protocol

In the rare event of a data incident involving PHI, XLA Health has a formal Breach Response Plan that includes:

• Immediate containment and mitigation
• Prompt notification to covered entities as required under HIPAA
• Full cooperation in any remediation efforts

We take proactive steps to reduce risk and have never had a reportable HIPAA breach to date.

Questions & Contact

If you are a healthcare provider or patient with questions about our HIPAA compliance policies, please contact: legal@xlahealth.com

‍