HIPAA & Compliance

Effective Date: March 26, 2026 · Last Reviewed: March 26, 2026

Rubrum Health designs and operates its products — including the Rubrum PA Portal and Rubrum PA API Management Interface — in full accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This page describes our compliance posture, the safeguards we maintain, and how we fulfill our obligations as a Business Associate and technology platform operating within the healthcare ecosystem.

Our role under HIPAA

Rubrum Health operates the Rubrum PA Portal and Rubrum PA API Management Interface, a technology platform used by healthcare providers and clinical organizations to submit and manage prior authorization requests. In providing these services, Rubrum Health may receive, transmit, and store electronic Protected Health Information (ePHI) on behalf of covered entities.

Depending on the nature of each engagement, Rubrum Health functions as a Business Associate of the covered entity (your organization) or, in limited circumstances, as a covered entity itself. In all cases, we are bound by HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.

We execute a Business Associate Agreement (BAA) with each covered entity partner prior to any exchange of ePHI. Our BAA obligations include protecting the confidentiality, integrity, and availability of ePHI; reporting breaches without unreasonable delay; and ensuring that any subcontractors handling ePHI are bound by equivalent contractual obligations.

The Rubrum PA Portal and Rubrum PA API Management Interface are built and maintained in partnership with Hiive Health, our technology partner, whose infrastructure and engineering teams support the security and operational integrity of our platform.

Administrative, physical, and technical safeguards

Rubrum Health's compliance program addresses all three categories of safeguards required by the HIPAA Security Rule (45 CFR §164.300 et seq.):

Administrative — Policies & training
Formal security and privacy policies are maintained and reviewed on a defined schedule. Workforce members with access to ePHI receive role-appropriate HIPAA training.

Physical — Infrastructure controls
The Rubrum PA Portal is hosted on cloud infrastructure with industry-standard physical access controls. No ePHI is stored on portable or unmanaged devices.

Technical — Access & encryption
Access to ePHI is role-based and follows the principle of least privilege. All data in transit is encrypted via TLS. Authentication portals display required access warning banners prior to credential entry.

Access controls and audit logging

All authenticated portals that provide access to ePHI — including the Rubrum PA Portal and Rubrum PA API Management Interface — implement the following controls in accordance with 45 CFR §164.312(a)(1) and §164.308(a)(5)(ii)(C):

  • Role-based access control limiting ePHI visibility to authorized users

  • Automatic session timeout after periods of inactivity (30-minute idle timeout for the Rubrum PA Portal; 1-hour timeout for administrative sessions)

  • Access activity logging and audit trail maintenance

  • Login page warning banners notifying users that the system contains ePHI and that unauthorized access is prohibited

Tracking technology controls

Rubrum Health complies with the December 2022 HHS Office for Civil Rights guidance on the use of online tracking technologies by HIPAA covered entities and business associates.

We do not permit third-party tracking scripts, analytics pixels, or session replay tools on authenticated pages of the Rubrum PA Portal or Rubrum PA API Management Interface unless a valid Business Associate Agreement is in place with the applicable vendor and the tool has been confirmed to be configured in a HIPAA-compatible manner. Marketing retargeting pixels are prohibited on all authenticated pages.

Tracking technology use across all Rubrum Health web properties is subject to a formal audit policy, reviewed on a quarterly basis by our Security Officer.

Breach notification

In the event of a breach of unsecured ePHI, Rubrum Health will notify affected covered entity partners without unreasonable delay and in no case later than 60 days following discovery, as required by 45 CFR §164.410. Our breach response procedures include:

  • Immediate containment and risk assessment upon discovery

  • Notification to the covered entity with the information required under the Breach Notification Rule

  • Cooperation with any required notifications to affected individuals or the Department of Health and Human Services

  • Documentation and post-incident review

Ongoing compliance oversight

Our compliance program is not a point-in-time certification but an ongoing operational commitment. Key program elements include:

  • Quarterly security assessments and tracking technology audits conducted by the Security Officer

  • Annual review of all security and privacy policies

  • Vendor due diligence requiring Business Associate Agreements with all subcontractors who handle ePHI

  • Change control procedures requiring Security Officer review before any new third-party script or tool is deployed to authenticated pages of the Rubrum PA Portal or Rubrum PA API Management Interface

Contact

For compliance inquiries, Business Associate Agreement requests, or to report a potential security concern, please contact us:

Privacy & compliance inquiries: compliance@hiivehealth.com
Security incidents (monitored 24/7): security-officer@hiivehealth.com
Organization: Rubrum Health — Privacy & Security Officer

This page reflects Rubrum Health's compliance posture as of the effective date above. Rubrum Health reserves the right to update its compliance program and this page as regulations, guidance, and operational practices evolve. This page does not constitute legal advice. For patient privacy rights information, please refer to our Notice of Privacy Practices.

© 2026 Rubrum Health. All rights reserved. | Privacy Policy | HIPAA & Compliance
