Compliance
We recognize that the healthcare industry is in a state of constant change in laws, regulations and other government requirements, reimbursement and payor requirements, and commercial and patient expectations. We provide software as a service (SaaS) that enables our customers to comply with their applicable legal and contractual obligations. We also provide services that make compliance easier for our customers and reduce the number of compliance concerns they have to manage themselves.
XiFin RPM Software & Services Compliance
We provide services for our XiFin RPM software customers that make their compliance efforts easier, including:
Outsourced Billing Services & Compliance
Many of our customers prefer to have XiFin provide outsourced billing services, further reducing their compliance concerns:
XiFin Information Management & Collaboration Software
Our information management and collaboration software, including XiFin ProNet and our laboratory information system (XiFin LIS), is provided as SaaS to reduce the compliance activities required of its users.
XiFin maintains a compliance program designed to exceed legal requirements and demonstrate the highest level of ethics and legal compliance by our workforce and our company in all of our activities.
XiFin's Compliance Program
Our compliance program is based on an annual assessment of the compliance risks relevant to XiFin, given its business activities and environment. Because we are a leading provider of revenue cycle management (RCM) software and services, and of information and collaboration systems, our compliance program prioritizes fraud, waste and abuse compliance and data privacy and security compliance, while recognizing our other compliance obligations throughout the organization.
Our compliance program is built on the seven elements of an effective compliance and ethics program described by the Office of Inspector General (OIG) and the Federal Sentencing Guidelines:
Standards and Procedures
We have developed our Standards of Conduct to guide the performance of our workforce and establish our expectations for the highest level of ethical and lawful conduct. We maintain written policies and procedures appropriate for our business and the compliance risks we have identified.
Oversight
We have established a Compliance Committee that oversees our compliance activities and that guides the activities of our Chief Compliance Officer and their team. Our Compliance Committee’s charter includes a review of our business annually to identify the material enterprise compliance risks in our business, and the responsibility to maintain appropriate compliance program features regarding such risks. Our Compliance Committee is chaired by our General Counsel and Chief Compliance Officer, Marty Barrack, who brings a deep background in compliance and a number of well-recognized certifications in compliance. Our Chief Compliance Officer reports directly to our CEO, Lâle White, and our Board of Directors.
Reporting to our Chief Compliance Officer is our Vice President, Security and Compliance, Bill Floeter, an experienced computer security professional who holds the CHPS (Certified in Healthcare Privacy and Security) credential from the American Health Information Management Association (AHIMA). Bill implements and manages our information security and compliance program and leads a team of skilled professionals.
Due Diligence
We have implemented procedures to review the backgrounds of workforce members before we hire them, and to continue screening them while they are part of our workforce.
Communication, Training & Education
We identify our training and education needs through a matrix approach that considers our workforce roles and responsibilities and the compliance issues relating to their specific positions. We communicate to our workforce the importance of compliance and our Standards of Conduct, and our policies and procedures as they evolve.
Auditing and Monitoring
We audit and monitor our activities based on the compliance risks we have identified. We maintain a hotline, operated by a third-party service, for reporting compliance concerns; reports can be submitted anonymously.
Enforcing Standards
We are sensitive to our “tone at the top,” and our executives consistently communicate the importance of compliance throughout the organization. Compliance is considered in performance evaluations, and appropriate disciplinary measures are taken for violations of our compliance program and of our policies and procedures.
Responding to Issues
When a compliance issue is raised, we conduct a thorough investigation, take appropriate corrective action, and address the root cause to prevent similar issues from recurring.
You can reach our compliance team at compliance@xifin.com to discuss compliance, to report a concern, or for any other reason.
Key XiFin Compliance Activities
Fraud, Waste, and Abuse
We are keenly aware of the OIG’s Compliance Program Guidance for Third-Party Medical Billing Companies. We work internally and with our customers to operate consistently with that guidance, and to address fraud, waste and abuse compliance issues relating to our business and to theirs.
Data Privacy and Security
We manage and maintain personal information protected under HIPAA and other state, federal and foreign laws. We obtain an annual third-party review of our HIPAA compliance, as well as third-party reviews of our operations. We monitor the laws and industry practices relating to data privacy and security and maintain an active security program aligned with the NIST Cybersecurity Framework.
XiFin Exceeds Stringent SSAE 18 Auditing Requirements
In today's global economy, service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, Section 404 of the Sarbanes-Oxley Act of 2002 makes SSAE 18 reports (in particular SOC 1 reports) even more important to our customers, who rely on them when reporting on the effectiveness of their own internal control over financial reporting.
XiFin maintains appropriate controls and safeguards when hosting and processing data belonging to our customers. Since first undergoing such audits in 2009, XiFin has successfully completed every audit under SSAE 18 and its predecessor standards, as determined by an independent accounting and auditing firm. This record distinguishes XiFin as a provider of reliable software and services, built upon a solid set of operational controls and business processes.
XiFin annually obtains SOC 1 Type 2 and SOC 2 Type 2 reports.
What is SSAE 18?
Statement on Standards for Attestation Engagements no. 18 (SSAE 18) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). SSAE 18 is effective for reports dated on or after May 1, 2017.
SSAE 18 superseded SSAE 16, which in turn superseded the SAS 70 audit standard for service organizations. Among other changes, SSAE 18 added a review of the service organization’s third-party vendor (subservice organization) management program and requires that a formal annual risk assessment be performed for both SOC 1 and SOC 2 examinations.
A service auditor's examination performed in accordance with SSAE 18 means that an independent auditor has examined the service organization's control objectives and the control activities that support them. A Type 2 report means the auditor tested evidence that the controls were designed appropriately and operated effectively over a specified period (commonly six to twelve months). By contrast, a Type 1 report addresses only the design and implementation of the controls as of a single point in time. Generally, a Type 1 examination is performed first to discover any gaps; once the gaps are closed, Type 2 examinations are performed on an ongoing basis to demonstrate the continuous operation of the controls.