Protected Health Information (PHI) and HIPAA Compliance

Intended Data Use

LC-MS-IQ is intended for the analysis and review of laboratory analytical data and quality metrics.

LC-MS-IQ is not designed, marketed, or intended for the storage, management, transmission, processing, or archival of Protected Health Information (PHI), Personally Identifiable Information (PII), electronic Protected Health Information (ePHI), medical records, patient charts, patient identifiers, or other regulated personal information.

Users should upload only the analytical information necessary to perform quality review and data analysis.

Prohibited Data

Unless expressly authorized in writing by LCMS IQ, LLC through a separate executed agreement, users shall not upload, store, transmit, process, or otherwise provide:

• Patient names
• Dates of birth
• Medical record numbers
• Social Security numbers
• Patient addresses
• Patient telephone numbers
• Email addresses
• Insurance information
• HIPAA-regulated identifiers
• Protected Health Information (PHI)
• Electronic Protected Health Information (ePHI)

or any information that could reasonably identify an individual patient.

User Responsibility

The user is solely responsible for reviewing all files, exports, integrations, and uploaded data prior to submission to LC-MS-IQ.

The user represents and warrants that all uploaded information complies with applicable privacy laws, regulatory requirements, institutional policies, and contractual obligations.

The user is solely responsible for removing, redacting, or anonymizing any Protected Health Information prior to upload.

No Business Associate Relationship

Unless expressly stated in a separately executed written agreement signed by both parties, LCMS IQ, LLC is not acting as a Business Associate as defined by the Health Insurance Portability and Accountability Act (HIPAA).

No Business Associate Agreement (BAA) is created through the use of LC-MS-IQ.

Unauthorized Upload of PHI

If a user uploads Protected Health Information, Personally Identifiable Information, or other regulated data contrary to these terms, such upload shall be deemed unauthorized.

LCMS IQ, LLC shall have no responsibility for the user’s decision to upload such information in violation of these requirements.

The user assumes all responsibility and liability arising from the submission of unauthorized information.

Indemnification for Unauthorized PHI

The user agrees to defend, indemnify, and hold harmless LCMS IQ, LLC from and against any claims, investigations, penalties, regulatory actions, fines, damages, losses, liabilities, costs, and expenses arising from:

• Upload of PHI.
• Upload of ePHI.
• Upload of personally identifiable information.
• Failure to comply with HIPAA.
• Failure to comply with privacy regulations.
• Failure to comply with institutional privacy policies.
• Failure to remove patient identifiers prior to upload.

Future HIPAA Services

If LCMS IQ, LLC elects in the future to support PHI or ePHI, such services shall be governed by separate written agreements, security requirements, privacy requirements, and, where applicable, a Business Associate Agreement executed by both parties.