Notice of Privacy Practices

Introduction

VLBPO, LLC (“VLBPO”) is a business process outsourcing and call-center services provider. We act as:

• A Business Associate under HIPAA (U.S.)
• A Data Processor or Sub-Processor under the UK GDPR
• A Data Processor or Sub-Processor under the Jamaica Data Protection Act (JDPA)

This Notice describes how we process your personal data or PHI when instructed by our clients, and your rights under the relevant data protection laws.

Definitions

Categories of Data We Access

• Contact Information: Name, phone, email, address
• Health & Insurance Data (PHI): Plan ID, clinical notes (audio only), diagnosis codes
• Metadata: Timestamps, call IDs, user roles
• Legal or Regulatory: As instructed by client under subpoena or lawful mandate

Lawful Uses & Disclosures

HIPAA (U.S.)

We only use PHI:

• As directed by your Covered Entity
• For call recording, quality review, or billing support
• Under strict confidentiality and minimum necessary rules

UK GDPR

We process personal data when:

• You consent via recorded call notice
• Processing is necessary for contract delivery
• Law requires us to assist our client
• There is a legitimate interest (e.g., service QA), balanced against your rights

Jamaica DPA

Processing is based on:

• Your consent (via voice prompt)
• A contract with the client (Business Operator)
• Legal obligations
• Legitimate purpose defined by the DPA

Transparency

“This call is being recorded for quality assurance, training, and dispute resolution. By continuing, you consent.”

A full copy of this Privacy Notice is also available at:
https://vlbpo.com/privacy-policy

Data Sharing & Sub-Processors

We only share data with:

• Your Controller/Operator (our client)
• Approved Sub-Processors (if applicable, under strict DPA terms)
• Regulatory or Legal Authorities, if legally compelled

VLBPO does not sell or commercialize any data.

Security & Retention

• Access Controls: Multi-factor authentication, IP restrictions
• Retention:
  • Per client instruction or contract
  • Auto-purge after termination, unless subject to legal hold

Your Rights

Under HIPAA

Contact your Covered Entity to:

• Access or amend your PHI
• Receive an accounting of disclosures
• Request privacy restrictions

VLBPO processes such requests only upon instruction from the Covered Entity.

Under UK GDPR

Contact your Controller to:

• Access, rectify, or erase your data
• Object to or restrict processing
• Request data portability (machine-readable format)

Under Jamaica DPA

Contact your Business Operator to:

• Request access, correction, or erasure
• Object to certain types of processing

All rights must be initiated via your controller. VLBPO processes requests only upon written instruction from the controller.

Data Protection Officer & Representatives

Data Protection Officer
Atika Arif
atika@vlbpo.com

UK Representative (Article 27 UK GDPR)
Robert Downer downerrob92@gmail.com

Jamaica Representative (per Section 3 of JDPA)
Janine Powell janinepowell876@gmail.com

Breach Notification

In case of a breach:

• HIPAA: We notify the Covered Entity within 48 hours
• UK GDPR: We inform the Controller without undue delay
• Jamaica DPA: We notify the Business Operator promptly (ideally within 72 hours)

The Controller/Operator is responsible for notifying regulators and individuals.

Policy Updates

We review and update this Notice Biannually. Any changes will be posted on our website and provided to clients as required by contract or law.

Questions or Complaints

If you have concerns regarding your data processed by VLBPO:

Contact:
Atika Arif, DPO
atika@vlbpo.com

Or your national supervisory authority:

• U.S.: HHS Office for Civil Rights – www.hhs.gov
• UK: Information Commissioner’s Office (ICO) – www.ico.org.uk

Jamaica: Office of the Information Commissioner – www.oic.gov.jm