Privacy Policy
Western Slope Laboratory complies to the highest degree possible with the security rules and standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


 
Procedure: Definitions
As specified in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Western Slope Laboratory uses the standard data code sets and “electronic data interchange” (EDI) formats, and maintains reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of healthcare information.


 
Quality Within!
Look for the "Schneider" mark of quality!
Procedure: Definitions
  1. Definitions:
    1.1. Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a comprehensive law enacted during the Clinton administration. The law has several subparts providing such benefits as guaranteed portability and renewal of insurance benefits between employers, tax provisions for medical savings accounts and administrative simplification to improve the efficiency and effectiveness of the health care system. During the latter part of the 1990s, the Secretary of the Department of Health and Human Services drafted regulations for standardizing the electronic interchange of administrative and financial data and protecting the security and privacy of personal health information. HIPAA requires health care providers, health plans and health care clearinghouses to transition to the use of standard code sets and “electronic data interchange” (EDI) and to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of healthcare information; to protect against reasonably foreseeable threats and hazards to the security or integrity of the information; and to protect against unauthorized uses or disclosure of the information. Compliance with the first of the HIPAA rules is scheduled for early 2003. HIPAA also provides criminal penalties for failure to comply with the regulations.
    1.2. Individually Identifiable Health Information (IIHI). A subset of health information, including demographic information collected from an individual and that is created or received by a health care provider and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and which identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
    1.3. Protected Health Information (PHI). The final rule defines PHI as individually identifiable health information that is transmitted by electronic media; maintained in any electronic medium such as magnetic tape, disc, optical file; or transmitted or maintained in any other form or medium (i.e. paper, voice, Internet, fax etc.).
    1.4. Treatment, Payment, Health Care Operations (TPO). With client consent, a healthcare provider, health plan or healthcare clearinghouse may use and disclose PHI (with certain limitations) within and outside the organization for client treatment, to facilitate the payment of the client’s bills, and for business and clinical operations of the organization. The following definitions apply:
    1.41 Treatment: provision, coordination or management of health care (care, services or supplies related to the health of an individual) and related services by or among providers, providers and third parties, and referrals from one provider to another provider.
    1.42 Payment: activities undertaken by a health plan to obtain premiums or determine responsibility for coverage, or activities of a health care provider or health plan to obtain reimbursement for the provision of health care. Payment activities include billing, claims management, collection activities, eligibility determination and utilization review.
    1.43 Health Care Operations: activities of a covered entity to the extent such activities are related to covered functions, including quality assessment and improvement activities; credentialing health care professionals; insurance rating and other insurance activities related to the creation or renewal of a contract for insurance; conducting or arranging for medical review, legal services and auditing functions (including compliance programs); business planning such as conducting cost-management and planning analyses related to managing and operating the entity, including formulary development and administration, development or improvements for methods of payment or coverage policies; business management and general administrative activities; due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor is a covered entity or will become a covered entity; consistent with privacy requirements, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required.
    1.5. De-identified PHI. A covered entity may use PHI to create de-identified information, whether or not the de-identified information is to be used by the entity. In order to be exempt from the privacy rule the information must not include any of the following identifiers for clients, relatives, household members, employers: names; geographic subdivisions smaller than a state (some specific exceptions); all elements of dates except the year, for all under 89, and all elements of dates for those over 89; telephone or fax numbers, e-mail or IP addresses and URLs; social security number; medical record number; health plan beneficiary (UCI) number; account numbers; certificate or license numbers; vehicle identifiers; device identifiers; biometric identifiers (finger, retinal, voice prints); full face photographic images and the like; any other unique characteristic or code. With statistical expertise and documentation it is determined that the risk is very small that information could be used alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual.
    1.6 Minimum Necessary Standard. The organization shall make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.
    1.7 Business Associate. A business associate is a person or entity that provides certain functions, activities, or services for, or to a covered entity (healthcare provider, health plan, healthcare clearinghouse), involving the use and/or disclosure of PHI. A covered entity may be a business associate of another covered entity.
  2. Responsibility for Privacy of Protected Health Information. Everyone in the organization as well as associated covered entities and business associates shares a responsibility to ensure the integrity and confidentiality of clients’ protected health information and to protect against any unauthorized use or disclosure of such information.
    2.1 Privacy Officer. The chief executive shall designate a privacy officer for the organization who will oversee all ongoing activities related to the development, implementation, maintenance and adherence to the organization’s policies and procedures related to the security of PHI in all forms. A job description for the privacy officer has been included as Attachment A. The privacy officer will work closely with others in the organization to assure compliance with all federal and state laws and regulations related to information security.
    2.11 Director of Information Services. The IS Director shall ensure that reasonable technical and physical safeguards are in place to minimize the risk of unauthorized use or disclosure of PHI stored and/or transmitted electronically within the organization and to external associates. The Director will also be responsible for written contingency plans to cope with the results of reasonably anticipated threats, hazards or crises related to the loss of access to electronic media.
  3. Privacy Standards.
    3.1 Notice of Privacy Practices. Under HIPAA, each client has the right to receive notice of the organization’s policies regarding its uses and disclosures of PHI, the individual’s rights under the Privacy Standards, and the organization’s legal obligations regarding PHI. The organization shall prepare and distribute a Notice of Privacy Practices, written in plain language, to each client. The organization shall also document that the client has received such notice.
    3.2 Uses and Disclosures of Protected Health Information.
    3.22 Authorization. The organization may not use or disclose protected health information without a valid authorization. The authorization is a document signed by the client that gives the organization permission to use specified health information for a specified purpose and time frame. The authorization is required for uses and disclosures of PHI for other than treatment, payment and operations.
    3.23 Uses and Disclosures for Which Consent, Authorization or Opportunity to Object is Not Required. The organization may use and disclose PHI without the consent or authorization of the client for the following:
      a. As required by law
      b. For public health activities
      c. About victims of abuse, neglect or domestic violence
      d. To health oversight agencies for health oversight activities
      e. For judicial and administrative proceedings
      f. For law enforcement purposes
      g. Regarding decedents, to coroners, medical examiners and funeral directors
      h. For research if a waiver of authorization has been obtained by the IRB or a Privacy Board
      i. To prevent serious and imminent harm to health or safety of a person or the public
      j. For specialized government functions
      k. Military and veterans activities
      l. National security and intelligence
      m. Protective services for the President and others
      n. To the Department of the State to make medical suitability determinations
      o. To correctional institutions and law enforcement officials regarding an inmate
      p. Worker’s compensation if necessary to comply with the laws relating to worker’s compensation or other similar programs.
    3.24 Minimum Necessary. The organization shall take steps to determine the extent to which various classifications of workers need access to client PHI and shall limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The organization shall also maintain policies governing both routine and non-routine use of PHI.
    3.25 Business Associates. A business associate is a person who, on behalf of the organization, performs a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management; or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative or financial services to or for the organization where the service involves the disclosure of PHI. The organization may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf if the organization obtains satisfactory contractual assurance that the business associate will appropriately safeguard the information.
    3.26 State Preemption of HIPAA Rules. Any provision of State law contrary to HIPAA is preempted unless the State laws provide more protection to health information or greater rights to the individual subject of the health information.
    3.3 Client Rights Related to Protected Health Information.
    3.31 Access. Clients shall have the right to access their own protected health information that is maintained in record sets of the organization and its business associates. The organization may deny access to records under certain specified circumstances and shall establish and maintain a process for appeal of the denial.
    3.32 Restrictions. Clients shall have the right to request restrictions on how the organization will use or disclose their own protected health information for treatment, payment or health care operations and how their information will be disclosed or not disclosed to family members or others involved in their care. The organization shall comply with the client’s reasonable request to receive communications of PHI by alternative means or at alternative locations.
    3.33 Amendment. Clients shall have the right to amend erroneous or incomplete PHI unless the information:
      a. Was not created by the covered entity
      b. Is not in a designated record set or is not otherwise available to inspection
      c. Is accurate and complete
      d. Would not be subject to the right of access.
    The organization shall maintain a procedure for appeal if the client’s request to amend is denied.
    3.34 Accounting. Clients shall have the right to an accounting of disclosures of their own protected health information that is maintained in record sets of the organization and its business associates. Such accounting shall include a period of six years prior to the request, beginning on the first date on which the organization was required to be in compliance with the HIPAA Privacy Standards (April 14, 2003).
    3.4 Workforce Training, Sanctions and Mitigation.
    3.41 Workforce Training. All individuals of the organization’s workforce and business associates shall receive training about the entity’s privacy policies and procedures as necessary and appropriate to carry out their job duties. Training shall also be provided when there is a material change in the organization’s privacy practices.
    3.42 Sanctions. The organization shall establish and apply appropriate sanctions against workers who fail to comply with privacy policies and procedures.
    3.43 Mitigation. The organization shall do all that it can to mitigate any potential harmful results of an improper use or disclosure of PHI (in violation of the HIPAA Privacy Standards) by the organization, its workforce or its business associates.
    3.5 Documentation. Documentation shall be required in support of policies and procedures and all other subparts of the privacy regulations that directly list documentation as a requirement. Documentation must be kept current to reflect changes in regulatory requirements and the organization’s privacy processes.
    3.51 Retention of Documentation. Documentation required under the privacy regulations shall be kept in written or electronic form for a period of six (6) years from the date of creation or from the date when it last was in effect, whichever is later.
 
Technology
GC/MS/MS v. LC/MS/MS...
...Which technology is really the "Gold Standard?"
Gas chromatography separates drugs based on how easily they evaporate (volatilize). Unfortunately some substances, such as drugs of abuse, do not volatilize.

However, liquid chromatography separates drugs and introduces them into the mass spectrometer.
The sample first passes through a mass filter which allows only the drugs we are testing for to pass through.
The drug is then broken apart with an argon gas stream. The fragments of any drug present then pass into a second mass filter and are then measured.
No sample pretreatment is necessary, removing one of the problem steps in the GC/MS method.
Only when drugs of abuse are present are compounds noted by the instrument.
No compound matching is required.
The results are 99.9% accurate.
Liquid chromatography is the true "Gold Standard!"

Western Slope Laboratory
Western Slope Laboratory has four (4) liquid chromatographs in their primary facility.
 
 
 
 
 
 
 
Western Slope Laboratory is a wholly owned subsidiary of Coventry Diagnostics, LLC