855-GET-XPRO
8522 South 1300 East #D203, Sandy, UT 84094
info@xpronetworks.com

Privacy Policy

Xpro Networks LLC

 

  1. Introduction

Xpro Networks (“we”, “us”, “our”) values your privacy and is committed to protecting the personal and sensitive information we process in the course of delivering managed services and all forms of technological assistance. This policy explains what data we collect, how it’s used, shared, and protected, including special sections for HIPAA and GLBA compliance.

  1. Scope

This policy applies to:

  • All clients (healthcare providers, financial institutions, small businesses, individuals)
  • All services delivered by Xpro Networks
  • All personal data, including Protected Health Information (PHI) and Nonpublic Personal Information (NPI)
  1. Information We Collect
  • General Personal Data: contact details, billing information, device/user logs, network usage metadata
  • PHI (when servicing HIPAA-covered entities): health conditions, patient records, lab results, etc.
  • NPI (when servicing financial institutions): SSNs, account numbers, transaction histories, credit info, etc.
  1. Purpose of Processing

We process data to:

  • Deliver and support IT services
  • Secure and maintain systems
  • Bill and communicate with clients
  • Comply with legal or regulatory obligations
  1. Sharing & Disclosure
  • With subcontractors or vendors under strict confidentiality agreements
  • When legally required (court orders, regulatory requests)
  • With your consent

5.1 HIPAA‑Covered Clients

  • We may only use/disclose PHI as permitted under HIPAA for Treatment, Payment, and Healthcare Operations or as authorized by you.
  • Subcontractors handling PHI must sign a Business Associate Agreement (BAA).

5.2 Financial Institution Clients (GLBA)

  • We protect nonpublic personal information (NPI) per GLBA’s Privacy Rule and Safeguards Rule.
  • You’ll receive annual privacy notices and an opt-out option before we share NPI with non‑affiliated parties.
  • We maintain a formal written information security program, including controls, audits, risk assessments, and employee training.
  1. Data Security
  • Risk assessments and periodic vulnerability testing
  • Administrative, technical, and physical safeguards: MFA, least-privilege, encryption (AES‑256 or similar for ePHI), firewalls, patching, logging, and monitoring
  • Timely incident response and reporting per HIPAA breach notification rules and GLBA requirements
  1. Data Retention & Disposal
  • Retained only as long as necessary
  • Secure deletion of all data (digital/physical) when services end
  1. Your Rights & Choices
  • General clients: access / correction requests under applicable privacy laws (e.g. CCPA)
  • HIPAA context: access to PHI, amendment rights, accounting disclosures, restrict disclosures
  • GLBA context: annual notice, opt‑out of non‑consensual NPI sharing
  1. Vendor & Subprocessor Requirements
  • Subprocessors must adhere to equal data protection standards
  • HIPAA-handling vendors require BAAs; GLBA-handling vendors must implement contractual safeguards and risk reviews
  1. Accountability & Governance
  • Designated compliance officer for HIPAA & GLBA
  • Regular staff training
  • Annual internal and third-party compliance audits
  • Documented policies and procedures throughout the organization
  1. Policy Updates

We may update this policy to align with new regulations and will notify clients in advance of material changes.

Contact Us

Questions or requests (access, opt-out, data portability, etc.) should be directed to our Privacy & Compliance Office at or via postal mail at 8522 S 1300 E STE D203, Sandy, Utah 84094.

Annex A: HIPAA-Specific Obligations

  • Maintain BAAs and business associate chain
  • Adhere to technical safeguards (§164.312): access control, audit logs, encryption, integrity checks
  • Follow Privacy Rule: minimum necessary, patient consent/authorization, breach notification protocols

Annex B: GLBA-Specific Obligations

  • Provide annual privacy notices and opt-out rights under the Privacy Rule
  • Implement and maintain a written information security program under the Safeguards Rule (risk assessment, control designation, training, testing)
  • Prevent pretexting through staff training and verification measures

 

Archives

Categories