How We Keep Your Data Private


Xillium maintains a culture that keeps focus on security. We create an environment that fosters a security-first mindset, setting a high standard for the protection of information assets.


We maintain offices that control physical access and separate HIPAA-trained staff from non-trained staff. These policies are established to support the privacy and security required by HIPAA.

Secured Entry
Overall each site has security personnel to prevent unauthorized access to the facility. This protects equipment, network and data.
Company ID required for entry
No unauthorized devices allowed in the facility (such as phones or USB drives)
All client and patient data is only accessed within designated HIPAA Zones. Only staff trained in HIPAA and with signed BAA agreements are allowed into the HIPAA Zones.
Equipment Lockers
All personal cell phones and other electronic devices are stored in secured-access equipment lockers.


Your Data Your Choice

We follow secure industry standards and practices. It means we are continuously adapting security systems and policies to mitigate threats. Today, we mandate the following policies.

Password Policies
Password Managers

Complex and automated passwords; secured and encrypted accounts

Multi-factor Authentication (MFA)

Protection to mitigate risks of impersonation or remote attacks

Storage Policies
Data Removal

Automated administrative deletion of daily PHI and other client data

Administrative automated local file removal

Cloud Backup Policy

Cloud backups are disabled for any client storage areas

Browser Controls

Secure and automated passwords for all accounts, to protect client data

Browser setting controls have central administration

Data Access

We have policies that restrict access to your data

No 3rd party access to any patient data without explicit permission from the care provider or trustee of the data

No data sharing

Remote desktop access is disabled

Restricted Network Access: All company networks are restricted at the hardware MAC address level

Managers and administrators do not have access to client data

Your Messaging Platforms

Your data always stays on your platform and only your platform. Patient data is only accessed through EMR and other systems provided by clients.


Local Temp storage usage only

Administrative automated local file removal based on a time-of-life standard

Policies for Equipment, Network and More

We strive to keep current with the latest security updates and watch lists. We establish high-level security protocols that restrict access to sensitive data. Keeping client data safe is our prime concern. It means that keeping our systems safe is our top priority.

We have a policy of corporate-owned and controlled equipment only for accessing client data.
Idle Computers
Centrally controlled administrative policies that specify limitations and access to idle computers
Equipment Policy
All equipment is sourced from the US for all systems and network infrastructure that access client systems and patient data.
Equipment & Vendor Selection
All equipment is restricted to vendors with headquarters in US government-approved countries. We avoid high-risk vendors and restrict critical services, such as cloud services, to US locations and to well-established vendors.

Zero Trust Policy

Zero Trust is a security industry standard where you do not trust even your own devices on your own network. It protects against the spread of infections across your entire set of devices and networking equipment. By not trusting your own equipment, it establishes software and firmware barriers and monitoring tools to quickly identify infections and isolate them, reducing their spread.
Network & Application
Who We Trust
We trust Microsoft Windows for terminal access to systems.
We trust Google Workspace to maintain our internal systems.
We trust QuickBooks to store and manage our financial information including client data.
EMR, RPM, and Other Applications
Patient data is only recorded or saved within a client's EMR and other client-controlled systems. We only use HIPAA compliant, well-established US-based applications & vendor-approved secure encrypted messaging applications.
Cloud Backup Policy
Left to you and your systems only
We do not back up any data or record any staff activity while they are working for our medical clients. Neither data nor metadata is stored. Phone data and metadata are owned and only accessible by the client.
Data Removal Policy (Devices and cloud services)
In some instances, such as importing data from outside an EMR or exporting data per the directive of the client, data is temporarily stored on a laptop directory. We train staff to delete temporary data immediately, and we also administratively delete temporary data daily.
Encryption Policy

All devices that store client or company data are encrypted. We require that access to all client data be via encrypted networking protocols where possible.

We access client systems via encrypted network traffic and strive for VPN access where default system protocols are not encrypted.
All data that exists on all devices is encrypted.
Employee Credentials
All credentials are stored in an encrypted password vault.


During the pandemic, WFH is a fact of life. We have policies for WFH that uphold our privacy and security standards and follow HIPAA protection of PHI.

Company-provided equipment only
Restricted phone policy while using work equipment
Network and Workspace
Dedicated restricted network only for work
Network configuration and verification by Xillium IT
Home workspace inspection by Xillium staff


To improve compliance with HIPAA security policies, we require ongoing staff training and conduct regular security and HIPAA audits. Keeping data private goes beyond HIPAA. While technical safeguards provide an added layer of protection, a strong focus on behavioral security reinforces good security habits. We consider HIPAA compliance as the starting point of ensuring data privacy. Security awareness improves security culture.
