RubinBrown Team Member Manual

Policy Title: Protected Health Information Privacy and Security Including Release of PHI
Policy Number: 1203
Section: Risk Management
Effective Date: 06/01/2024
Supersedes Policy Dated: 06/01/2023

Policy: It is the policy of RubinBrown to comply with Federal and State laws and with the implementation of the Health Insurance Portability and Accountability Act (HIPAA). RubinBrown may on occasion work with or observe a client’s information that includes Protected Health Information (PHI). PHI is defined as individually identifiable information regarding the health of a person held by a HIPAA covered entity. If, during the course of business, a RubinBrown team member is required to access, observe or work with PHI, RubinBrown must keep this information private and secure.

Procedure: The following procedures apply if PHI will be accessed as part of an engagement with a HIPAA covered entity:

A client’s PHI should be kept private and secure. PHI should be avoided unless essential to the successful completion of an engagement. If it is essential to observe or work with this information (see Policy 1204 regarding the use of Business Associate Agreements), every effort should be made to keep the PHI on the client’s premises and not include it in the work papers. If PHI is part of the engagement and kept on the client’s premises, RubinBrown’s team members should adhere to the client’s compliance plan. If PHI is required to be used off the client’s premises, a detailed list of the PHI should be made and agreed to with the client. Once the project is completed, the PHI should be returned to the client, and a signed receipt for the return of the PHI should be obtained from the client and included in the engagement work papers.

If PHI is required for the work papers, then the following procedures must be adhered to:

• If PHI is maintained as part of the engagement work papers, the firm’s record retention policy should be referenced. HIPAA requires PHI to be kept for six years; RubinBrown’s record retention policy is seven years.
• The engagement work papers must be marked as containing PHI so that filing personnel know not to review the work paper information and ensure that the work paper documentation is kept onsite at RubinBrown and not in offsite storage.

If the PHI is shared with any person who is not a RubinBrown team member, the client must approve the release of information in writing. Written approval from the client is not necessary under the following conditions:

• Required by law
• Legal or judicial proceedings
• Public health purposes

If a copy of the PHI is shared with any person who is not a RubinBrown team member, regardless of the reason, a record of to whom the information was released and the reason for the release must be maintained with the work papers for a period of six years from the date of release. The Firm’s HIPAA compliance officer and the engagement partner must approve the request for release, regardless of the reason for the release. The Release of Protected Health Information form must accompany all requests. The form is attached to this policy.

If PHI is used or maintained off the client’s premises, the information must be kept private and secure as follows:

• PHI should not be left in open work areas when the information is not being used
• PHI should only be shared with team members who need to work with this information
• PHI should be kept in file cabinets or drawers when not in use to limit its exposure
• If being transported to or from the client work site, PHI:
