Jopari ProPay®

Compliance and Security Risk Management Program Overview

Jopari’s ProPay Products and Services comply with state and federal security, privacy and payment regulations. These requirements include, but are not limited to, (1) building and maintaining a secure network (e.g., maintaining a firewall configuration to protect data), (2) protecting data (including encryption of transmitted and stored data), (3) maintaining a vulnerability management program, (4) implementing access control measures, (5) regularly monitoring and testing networks, (6) maintaining information security and privacy policies, (7) fraud detection and prevention and (8) industry payment best practices. The following is an overview of Jopari’s ProPay compliance and security risk management program.

Regulatory Compliance and Annual Independent Third-Party Audit Certifications

Jopari is a SOC Certified organization that is audited annually by an independent certified public accountant (AICPA accredited). The purpose of the compliance risk management audits is to verify that Jopari has established and follows strict information security policies and control procedures encompassing the security, availability, processing integrity, and confidentiality of customer data as required by regulations and industry payment best practices. The audit certification includes the following reports, which are available for review upon request:

Jopari Certification Audit Reports

  • SOC 2 Type II Audit Certification
  • SOC 3 Cybersecurity Audit Certification
  • Shared Assessment AUP Risk Management Evidence Based Audit Certification

Regulatory Compliance

Jopari ProPay’s regulatory program keeps you in compliance with federally mandated payment regulations, such as OFAC, FFIEC, KYC, Beneficial Ownership and other requirements. We proactively validate business and entity identification in real time at the time of enrollment, across multiple government databases, to ensure regulatory compliance by utilizing ECHO’s Payment Model Risk Management Engine. This robust automated identity verification engine provides clients with improved accuracy and a reduction in the number of false positives. The following is an overview of Jopari’s regulatory payment compliance program.

Federal Mandated CAQH CORE EFT/ERA Operating Rules

NACHA Healthcare Electronic Funds Transfer (EFT) Standards and Operating Rules. (Requires NACHA login to view)

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Cybersecurity NIST Framework
    Defines privacy and security guidelines and standards for the healthcare industry, and the Health Information Technology for Economic and Clinical Health (HITECH) Act (https://www.hhs.gov/hipaa/index.html)
  • Federal Bank Secrecy Act (BSA) – 31 USC 5311 – 5330
    BSA is the primary U.S. anti-money laundering (AML) law and has been amended to include certain provisions of Title III of the USA PATRIOT Act to detect, deter and disrupt terrorist financing networks
  • Foreign Assets Control Regulations (OFAC) – 31 CFR 500
  • Financial Record Keeping and Reporting of Currency and Foreign Transactions – 31 CFR 1010.310
  • USA PATRIOT Act
    Requires anti-money laundering (AML) policies and internal controls to be able to identify, monitor and report suspicious activity
  • Know Your Customer (KYC) Identity Verification Requirements
    https://www.fincen.gov/resources/statutes-regulations/federal-register-notices/customer-due-diligence-requirements
    Know Your Customer (KYC) compliance controls are a critical function to assess customer risk and a legal requirement to comply with Anti-Money Laundering (AML) laws. Jopari’s KYC compliance controls include Customer Due Diligence (CDD) standards of beneficial ownership to know a customer’s identity, their financial activities and their risk profile.
  • Gramm-Leach-Bliley Act (GLBA), Federal Privacy of Consumer Financial Information Regulations
    (https://www.fdic.gov/regulations/compliance/manual/8/viii-1.1.pdf)

Fraud Detection and Prevention Risk Management Controls
Jopari’s fraud detection and prevention risk management controls consist of a multi-tier defense strategy designed to quickly identify fraudulent activity. We use the ECHO Payment Model Decision Engine to deploy a combination of artificial intelligence fraud risk monitoring and prevention controls at each processing touch point in the payment process. The following is an overview of Jopari’s multi-tier defense risk management controls.

Enrollment – Real Time Risk Management Controls

  • Verify bank account ownership and identity verification at the point of enrollment
  • 24/7 automated monitoring controls at every touch point to manage client enrollment and identify any changes in existing accounts to prevent identity fraud and/or account breach attempts

Payment – Real Time Risk Management Monitoring Controls

  • Verify bank account status in real time prior to one-time or recurring debits to reduce NSF and administrative returns
  • Verify bank account ownership and client identity prior to paying out a disbursement
  • Automated Red Flag Alerts to identify inaccurate data in real time, including names, addresses and phone numbers, to mitigate false declines
  • Multi-factor authentication controls are used as an additional layer of control for identity verification

Data Security Risk Management and Monitoring Prevention Controls

Jopari’s Security Risk Management Controls are based on the Federal Government National Institute of Standards and Technology (NIST) security standards:

  • Federal Government Cybersecurity Framework (https://www.nist.gov/cyberframework)
  • NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations (https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)
  • NIST SP 800-63 Series on Digital Identity Guidelines (https://csrc.nist.gov/publications/detail/sp/800-63/3/final)
  • NIST Cryptographic Standards and Guidelines (https://csrc.nist.gov/Projects/cryptographic-standards-and-guidelines/publications)
  • Jopari uses TLS 1.2 and AES-256 encryption with DigiCert certificates to provide trusted, secure connectivity at every transaction touch point (digicert.com)
  • 24/7 network intrusion detection (IDS) that monitors network security
  • Host IDS monitoring of the operating system
  • Secure, redundant data centers that are geographically dispersed
  • Annual SOC 2 and SOC Cybersecurity audits to ensure compliance with federal and state security regulations and industry best practices
  • Business Continuity and Disaster Recovery Plan tested annually
  • Forensic policy and procedures and Data Loss Prevention automated monitoring
  • All Jopari employees are required to complete annual regulatory Security and Privacy Compliance Training and Certification
  • Since its founding in 2003, Jopari has had no breach incident history.

Additional Jopari ProPay Services

Flexible EDI Electronic Remittance Solutions

Jopari provides flexible EDI solutions based on the provider’s technology ability (low tech to high tech) to deliver the Electronic Remittance Advice (ERA) in a format that can be consumed by their practice management and revenue cycle management processes, based upon the payment method selected.

Explanation of Benefits (EOB) and Electronic Remittance Compliance Solutions

  • Jopari maintains and monitors state ERA and EOB payment regulations
  • Compliance data mapping to state EOB formats
    Jopari’s ERA process also includes compliance mapping of your payment summary data to accommodate those states that have mandated paper Explanation of Benefits (EOB) format requirements, such as Florida
  • Compliance mapping for payer proprietary claims adjudication reason codes
    Jopari ERA services also include coordination with your claim adjudication staff and/or bill review vendor to assist in mapping your proprietary claims adjustment reason codes to:
    • National ANSI Claim Adjustment Reason Codes (CARC) and Remittance Advice Remark Codes (RARC) that are required to generate a compliant ASC X12 835
    • The state-mandated Claims Adjustment Reason Codes required to generate a compliant state EOB
  • Access to Jopari compliance services and industry experts
    • The Compliance Team is proactively engaged in payment and industry regulatory rule making at the state and federal level
    • National security committees and national standard-setting organizations:
      • Private Sector Incident Response Team – US Department of Homeland Security
      • US-CERT Private Sector Incident Response Team
      • HHS Cybersecurity 405(d) Task Force Committee
      • NACHA Health Care Committee
      • National Institute of Standards and Technology (NIST) Review Committee
      • CAQH CORE Security and Connectivity Committee
      • Chair, National Clearinghouse Cybersecurity and Privacy Committee
      • IAIABC, International Workers’ Compensation Standards Organization
      • National CODE CARC Committee – National Workers’ Compensation Industry Voting Representative
      • WEDI Co-Chair, Property and Casualty Workgroup
      • ASC X12N Insurance Board – Accredited Standards Committee
      • National Clearinghouse Association – Past Chair and Board Member
      • HL7 International Attachment Standards Organization