Compliance

We recognize that the healthcare industry is in a state of constant change in laws, regulations and other government requirements, reimbursements and payor requirements, and commercial and patient expectations. We provide software as a service (SaaS) that enables our customers to comply with applicable legal and contractual obligations. We also provide services that make compliance by our customers easier and reduce the compliance concerns that they have to consider.  

XIFIN RPM Software & Services Compliance

Logic
  • Simple configuration of required claims documentation
  • Payor configurations allow for financial integrity, payor contract adherence and automated compliance
  • Key compliance rules and logic
  • System templates provide guidance on standard industry documentation
Workflow
  • Enforces configured requirements and limits processing/clerical team’s ability to circumvent those requirements without management input
  • Required coding and documentation enforced by system workflow
  • Workflow design to optimize payor billing prior to billing patient
  • Workflow to minimize clerical decision making and unnecessary re-submissions
  • Key compliance alerts flagging and logging potentially non-compliant actions for audit logs and review
Audit Trail
  • Source documentation retention for each claim
  • Data and referential integrity maintained for auditing
  • Logging to support customer compliance audits
  • Audit log for system changes
Top-Tier Data Centers
  • Top ratings from Uptime Institute
  • Redundant services and connections
Secure Communications
Backup & Archiving Designed to Achieve Recovery Objectives
Security Measures Reflecting NIST Cybersecurity Framework

We provide services for our XIFIN RPM software customers that make their compliance efforts easier, including: 

Data Resources Maintained Current for Use Through XIFIN RPM Software
  • Maintenance of ICD Codes
  • Maintenance of CPT/HCPCS Codes for use by customers who have licensed appropriate rights from AMA
  • Timely updates of LCDs and NCDs
  • Medicare and Medicaid Fee Schedules
  • ABN formats
  • Correct Coding Initiative Edits
  • CMS Outpatient Code Editor updates
  • NPIs
  • List of Excluded Individuals and Entities
  • Eligibility Services Interface
  • Remittance Advice and Adjustment Codes
Data Processing
  • Front-end rejections and denials
  • Updates to front-end editing database
  • Nightly extracts
Customer Support & Consulting Services
  • Our help desk provides assistance with the use of our XIFIN RPM software, including its compliance features
  • We have consultants available to assist our customers in refining their use of our XIFIN RPM software and their related workflows to enhance their compliance programs
Privacy & Security Compliance
  • Our systems comply with the applicable requirements of HIPAA and other privacy and security laws
Full Business Intelligence Capabilities
  • We provide business intelligence capabilities within our system and through extracts from our system
  • Customers can use custom and ad hoc reporting to strengthen their compliance programs
Standard Reporting Library
  • We provide a standard library of reports to facilitate our customers’ revenue cycle management, including their auditing and monitoring activities

XIFIN RPM Achieves HITRUST Risk-based, 2-year (r2) Certification

Outsourced Billing Services & Compliance

Many of our customers prefer to have XIFIN provide outsourced billing services, further reducing their compliance concerns:

Reduces fraud, waste and abuse risk
  • Electronic transfer of data
  • Our trained team, our established procedures
  • Our compensation program minimizes this risk
  • Our monitoring and auditing
  • Eliminates pressures on internal billing team
Enhances privacy and security compliance
  • Our HIPAA training and procedures
  • Our technical measures
  • Our auditing and monitoring

XIFIN Information Management & Collaboration Software

Our information management and collaboration software, including XIFIN ProNet and our LIS (XIFIN LIS), is provided as SaaS to reduce the compliance activities required of its users.

Access & Collaboration
  • Customer controlled user access
  • Information sharing in a compliant system
  • Professional collaboration that can demonstrate compliance
Documentation
  • User access management
  • Logging
  • Documentation of information and collaboration activities
  • File integrity
Compliance
  • HIPAA compliant environment
  • Simplified auditing and monitoring

XIFIN maintains a compliance program designed to exceed legal requirements and demonstrate the highest level of ethics and legal compliance by our workforce and our company in all of our activities.

XIFIN's Compliance Program

Our compliance program is based on an annual assessment of the relevant compliance risks to XIFIN based on its business activities and environment. Given our role as a leading provider of revenue cycle management (RCM) software and services, and information and collaboration systems, our compliance program prioritizes fraud, waste and abuse and data privacy and security compliance, while recognizing our other compliance obligations throughout our organization.

Our compliance program begins with the seven factors required for an effective compliance and ethics program as described by the Office of the Inspector General (OIG) and the Federal Sentencing Guidelines:

Standards and Procedures

We have developed our Standards of Conduct to guide the performance of our workforce and establish our expectations for the highest level of ethical and lawful conduct. We maintain written policies and procedures appropriate for our business and the compliance risks we have identified.  

Oversight

We have established a Compliance Committee that oversees our compliance activities and that guides the activities of our Chief Compliance Officer and their team. Our Compliance Committee’s charter includes a review of our business annually to identify the material enterprise compliance risks in our business, and the responsibility to maintain appropriate compliance program features regarding such risks. Our Compliance Committee is chaired by our General Counsel and Chief Compliance Officer, Marty Barrack, who brings a deep background in compliance and a number of well-recognized certifications in compliance. Our Chief Compliance Officer reports directly to our CEO, Lâle White, and our Board of Directors.

Reporting to our Chief Compliance Officer is our Vice President, Security, and Compliance, Bill Floeter, an experienced computer security professional holding a CHPS (Certified in Healthcare Privacy and Security) from the American Health Information Management Association (AHIMA). Bill implements and manages our information security and compliance program and has a team of skilled professionals reporting to him. 

Due Diligence

We have implemented procedures to review the backgrounds of our workforce before we hire them, and while they are part of our workforce.  

Communication, Training & Education

We identify our training and education needs through a matrix approach that considers our workforce roles and responsibilities and the compliance issues relating to their specific positions. We communicate to our workforce the importance of compliance and our Standards of Conduct, and our policies and procedures as they evolve.  

Auditing and Monitoring

We audit and monitor our activities considering the compliance risks we have identified. We maintain a hotline provided by a third-party service for reporting of compliance concerns, and reports can be submitted anonymously.  

Enforcing Standards

We are sensitive to our “tone at the top,” and our executives consistently message the importance of compliance throughout our organization. Compliance is considered in performance evaluations, and appropriate disciplinary measures are taken for violations of our compliance program, and our policies and procedures.  

Responding to Issues

After a compliance issue has been raised, we conduct a thorough investigation, address the issue appropriately, and take steps to prevent similar issues from arising.

You can reach our compliance team at compliance@xifin.com, whether you want to discuss compliance, report any concerns or for any other reason. 

Key XIFIN Compliance Activities

Fraud, Waste, and Abuse

We are keenly aware of the OIG’s Compliance Program Guidance for Third-Party Medical Billing Companies. We work internally and with our customers to operate consistently with that guidance, and to address fraud, waste and abuse compliance issues relating to our business and that of our customers.

Data, Privacy, and Security

We manage and maintain personal information protected under HIPAA and other state, federal and foreign laws. We obtain an annual third-party review of our HIPAA compliance, as well as third-party reviews of our operations. We monitor the laws and industry practices relating to data privacy and security and maintain an active program consistent with the NIST Cybersecurity Framework.

XIFIN Exceeds Stringent SSAE 18 Auditing Requirements

In today's global economy, service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SSAE 18 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

XIFIN keeps proper controls and safeguards in place when handling and supporting data belonging to our customers. XIFIN has successfully completed all of its audits under SSAE 18 and its predecessor standards, as determined by an independent accounting and auditing firm, since first undergoing such audits in 2009. This designation distinguishes XIFIN as a provider of reliable software and services, built upon a solid set of operational controls and business processes.

XIFIN annually obtains SOC 1 and SOC 2 Type 2 audits. 

What is SSAE 18?

Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is a Generally Accepted Auditing Standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The SSAE 18 standard went into effect for any reports dated after May 1, 2017.

SSAE 18 superseded SSAE 16, which in turn superseded the SAS 70 audit standard. When the SSAE 18 standard was released, it added a review of the company’s Third-Party Vendor Management Program and required that a formal Annual Risk Assessment process be performed for both the SOC 1 and SOC 2 audits.

A service auditor's examination performed in accordance with the SSAE 18 standard represents that a service organization has been through an in-depth audit of its control objectives and control activities. A Type 2 SOC audit means that the auditors reviewed evidence that the controls were in place over a specified time period. By contrast, a Type 1 audit confirms that the controls were in place at a single point in time. Generally, the Type 1 audit is done first to discover any gaps, and once the gaps are closed, Type 2 audits are performed going forward to demonstrate the continuous implementation of the controls.

Understanding SOC 1 and SOC 2

SOC 1

A SOC 1 Report focuses on the internal controls of the system related to financial reporting. This document will often satisfy a customer’s auditor requirement for SOX (Sarbanes-Oxley) reporting.

SOC 2

A SOC 2 Report focuses on the information security of the system. This document conveys that XIFIN’s people, infrastructure, software, data handling, and procedures are prepared to handle customer data and protect it accordingly.