RubinBrown Team Member Manual

Section: Risk Management

Policy Title: Business Associate Agreement

Policy Number: 1204

Effective Date: 06/01/2024

Supersedes Policy Dated: 06/01/2023

Policy: It is the policy of RubinBrown to comply with Federal and State laws and the implementation of the Health Insurance Portability and Accountability Act (HIPAA). RubinBrown may on occasion work with or observe a client’s information, which includes Protected Health Information (PHI). If a RubinBrown team member is required, during the course of business, to observe or work with this information from a HIPAA covered entity, RubinBrown will be required to implement a Business Associate Agreement.

Procedure: A determination must be made as to whether RubinBrown is required to enter into a Business Associate Agreement (BAA) with a client. If possible, the BAA should be referenced in the engagement letter, but not included as part of the engagement letter.

If a team member will observe or use PHI (individually identifiable information regarding the health status of a person held by a HIPAA covered entity) as part of an engagement, RubinBrown will be required to enter into a BAA. If there is any question as to whether a BAA should be entered into, the information should be presented to the Firm’s HIPAA compliance officer or the partner in charge of the health care business unit for the determination.

If a BAA is required, RubinBrown will offer the Firm’s standard BAA, signed by the Firm’s HIPAA compliance officer or the Firm’s managing partner, to the client for their signature. Every effort should be made to ensure that the client uses RubinBrown’s approved BAA. If the client requires RubinBrown to use their own BAA, the BAA should be given to the Firm’s HIPAA compliance officer or the partner in charge of the health care industry group for review and comparison to RubinBrown’s standard BAA. The Firm’s HIPAA compliance officer or the managing partner will have final approval for the use of a BAA other than the Firm’s standard BAA.
Once the BAA is approved and signed by the client and RubinBrown, the executed original document should be given to the financial management department, a copy should be kept in the client engagement file, and the Risk Management Committee and all team members working on the engagement must be notified. (See Policy 1203 regarding the privacy and security of a client’s PHI.)
