HIPAA Privacy Practices
Western Carolina University
Notice of Privacy Practices
(Your Rights to Your Health Information)
Effective April 14, 2003
Revised August 1, 2014


Western Carolina University is committed to protecting the privacy of your health information.

 This notice describes how medical information about you may be used and disclosed and how you can get access to this information

Please Review Carefully



We provide services to our patients throughout several departments and areas of Western Carolina University.  This Notice applies to the collective entity known as “Western Carolina University, or WCU.

This Notice applies to the healthcare professionals and others who may be involved directly or indirectly in your care such as employees, physicians, allied health professionals such as physician assistants and nurse practitioners, residents, students, volunteers, business associates and others affiliated with WCU.  Your medical information may be shared as necessary for treatment, payment and health care operations relating to the clinical care that you are being provided. 


We are committed to maintaining the confidentiality of your medical and health information. We create a record of the care and services provided to you; and use this record to provide the highest quality of care to you while complying with state and federal requirements. The information created about you is called “protected health information” or “PHI”.  This notice applies to all of the records that we maintain. This notice will explain how we may use and disclose your PHI; and describes your rights regarding such information. We are required by law to make sure that medical information that identifies you is safeguarded; to give you our Notice of Privacy Practices; and to follow the terms of the current notice.


The following list contains examples of when your medical/mental health record may be released without obtaining your prior authorization.

  • Treatment: We may use your medical information to provide treatment and services. We may disclose your medical information to doctors, nurses, technicians, medical students and other personnel involved in your care. 
  • Payment: We may use and disclose your medical information to obtain payment for services through a third party payer source (insurance).   We may also tell your health plan about a treatment you need to obtain prior approval. We may give limited information to someone who helps to pay for your care. You have the right to restrict disclosure to your health plan for services you pay in full out of pocket. We may disclose protected health information regarding an individual to a party responsible for payment of workers compensation benefits.
  • Health Care Operations: We may use and disclose your information for ongoing clinical operations and quality assessment.   We may review medical information about several patients to decide what services we should offer and if new treatments are effective. We may share information with doctors, nurses, medical students and other personnel for learning purposes. 
  • Appointment Reminders/Treatment Options: We may contact you for appointment reminders or to tell you about treatment options, alternatives or other health related benefits/services that may be of interest to you. 
  • Fundraising/Marketing: We may contact you regarding fundraising activities. This information will be limited to name and dates of services, and would be for a specific fundraising activity.  We are prohibited from selling your information; most other uses for marketing purposes require your authorization. 
  • Directory: Unless you notify us to object, your name, location in our facility, your general, non-specific condition (i.e. stable or unstable), and your religious affiliation will be available to members of the clergy or to other persons who ask for you by name, except for religious affiliation.  
  • Others Involved in Your Care: We may disclose to a family member, close friend or other person identified by you, information relevant to the person’s involvement in your care or payment; unless you request a restriction; or we can reasonably infer from the circumstances and professional judgment that you do not object. Such disclosures may be made after your death unless we are aware that you do not want such disclosures to occur. 
  • Disaster Relief: We may disclose medical information about you to an authorized entity assisting in disaster relief so that your family can be notified about your condition or location. 
  • Business Associates: We may disclose information to those who perform functions on our behalf or provide us with services when the information is needed for such functions or services such as vendors. Our business associates are required through legal agreements to protect the privacy of your information and insure the use of safeguards to prevent any uses or disclosures not permitted other than as specified in the contracts. 
  • Other Purposes: We may use or disclose your medical information for other reasons; some of which may or may not require your authorization. When required, an authorization to release your information will be obtained. You may revoke an authorization in writing, unless we have taken action in reliance upon your prior authorization.

Examples of other uses and disclosures include but are not limited to:

  • Proof of immunizations to a school when required for attendance; with your permission
  • When required by federal or state law
  • To avert a serious threat to health or safety of the public or another person
  • To authorized federal officials for intelligence and national security activities
  • To authorized federal officials to protect the President or other persons or foreign heads of state or to conduct special investigations
  • As required by military authorities if you are a member of the armed forces
  • In response to a court or administrative order, subpoena or other lawful process
  • To law enforcement in response to a court order, subpoena or similar process for the purposes of identifying or locating a suspect, fugitive, material witness or missing person; about a victim of a crime; about a death believed to be the result of criminal conduct; about criminal conduct on our premises; and in emergency circumstances to report a crime including location of the crime or victims; the identity, location or description of the person who may have committed the crime
  • To report child or elder abuse or neglect or domestic violence
  • If you are an inmate, your information may be released to a correctional institution for your health care; to protect your health, the health and safety of others; or the safety of the correctional institution
  • To an organ donation bank or to facilitate organ or tissue donation
  • To workers’ compensation or similar programs for work-related injuries or illness
  • For public health activities such as to prevent or control disease, injury or disability; to report births and deaths; to notify a person who may have been exposed or who may be at risk of spreading a disease
  • To health oversight agencies for activities such as audits, investigations, inspections and licensure. For activities necessary for the government to monitor the health care system, government programs and compliance with civil rights laws
  • To a coroner/medical examiner to identify a deceased person or determine cause of death
  • To funeral directors to carry out their duties
  • For authorized research purposes. Research projects are subject to special approval processes. Before we use or disclose your information, the project will have been evaluated through this process.


  • Special Cases: We must also comply with North Carolina laws and/or other federal laws about certain types of information. Examples of these include but are not limited to:
    • Communicable Diseases: We are required to report certain communicable diseases to appropriate public health authorities such as sexually transmitted diseases, food poisoning and others.  This reporting does not require your permission.  NC 130A-143 provides that anything that identifies a patient as being infected with AIDS is confidential except for epidemiological purposes (information is deidentified)  Disclosures of HIV/AIDS information must have the patient’s specific consent.
    • Mental Health Services: North Carolina General Statute 122C-54(g); NCGS 122c-55(a), (a2), (d), (e) states: “North Carolina law generally requires that we obtain your written consent before we may disclose health information related to your mental health services.  There are some exceptions to this general requirement however.  We may disclose health information to members of the University Health Services staff or to the personnel employed in the Counseling and Psychological Services department, to our professional advisors, including the university attorney and university administrators as appropriate, and to agencies or individuals that oversee our operations or that help us carry out our responsibilities in serving you.  We will disclose only the information that is necessary to the provision of services or operations, and the information will be disclosed only to individuals who have a need to know.  We also may disclose information to the following people: (1) a health care provider who is providing emergency medical services to you; and (2) to other mental health professionals when necessary to coordinate your care and treatment.  If we determine that there is an imminent threat to your health or safety, or the health or safety of someone else, we may disclose information about you to prevent or lessen the threat.  We also will release information about you if state or federal law requires us to do so, when a court of law orders us to do so, or to report suspected neglect or abuse of a child or disabled adult.”
    • Alcohol and Substance Abuse Services: If you request and/or receive alcohol and/or drug abuse services from us, federal law generally requires that we obtain your written consent before we may disclose information that would identify you as a patient.  There are some exceptions to this requirement.  We may disclose information to members of our workforce as needed to coordinate your care, and to agencies or individuals that help us carry out our professional responsibilities in serving you.  We may disclose information to medical personnel in a medical emergency
    • Pharmacy Services: North Carolina law limits the sharing of pharmacy information. This information is generally only shared with those involved in your care or who have oversight of the organization. 


Right to Inspect and Obtain a Copy: You have the right to request to see and obtain a copy of the medical information that may be used to make decisions about your care as maintained in our designated record set. There may be exceptions to this such as access to psychotherapy notes, information compiled in anticipation of or for use in civil, criminal or administrative proceedings or information that may be governed by other regulations. To view and request a copy of your medical records, you must go to or submit a request in writing to the appropriate department or facility.

There may be costs for copying, mailing or other supplies associated with your request. We will make every effort to respond to your request within the legal timeframes. If we are unable to do so, we will notify you of the delay and the approximate time your request will be completed.

 Your request may be denied under certain circumstances. Examples include if the information was obtained under a promise of confidentiality; if access is reasonably likely to endanger the life or safety of you or anyone else; if the information makes reference to another person and your access would likely cause harm to that person or if you

are an inmate of a correctional facility. If the access is denied, you may request that the denial be reviewed by submitting your request to us in writing. Every effort will be made to provide you with access to your protected health information in the form and format requested; as long as it is readily producible. If not readily producible, a hard copy or other agreed upon form will be provided in a timely manner. If your request includes instruction to provide and send a copy to another person designated by you, such request must be in writing, signed and clearly identify the other person and location. Charges may apply. 

Right to a Paper Copy of this Notice: You have the right to a paper copy of this notice. Even if you have agreed to receive an electronic copy, you are still entitled to a paper copy. This Notice is posted within our facilities; paper copies are available at any time; and it can be found on our website. Translated copies in other languages may also be available. We encourage you to obtain a copy for review and let us know of your questions. 

Right to Request an Amendment: If you feel that your medical information is incorrect, you have the right to request an amendment. Your request must be in writing and submitted to the appropriate facility. The request may be denied if not in writing; or if you ask us to amend information that was not created by us; or is not part of the medical information kept by the facility; or is not part of the information which you have a right to access or copy; or is deemed accurate and complete. After review of your request we will notify you with the specified timeframe of the acceptance or denial of your request. If accepted, the amendment will be made. If denied and you wish to disagree, you can document your disagreement to be included in your record.

Right to an Accounting (list) of Disclosures:  You have the right to request a list of the disclosures we have made of your information.  This list will not include disclosures made for treatment purposes, payment or health care operations; made to you or authorized by you; from the clinic directory; to persons involved in your care; for national security purposes; relating to inmates, incidental purposes; or related to a limited data set. To obtain a list, you must submit a request in writing to the other appropriate facility. Your request must state a time period no longer than six years and may not include dates before April 14, 2003. The first list within a 12-month period is free; charges may occur for additional requests by the same individual within a 12-month period. We will notify you of the cost and you may choose to withdraw or revise your request before any costs are incurred. Your right to a request may be temporarily suspended at the request of a health oversight or law enforcement agency if we are notified that the disclosure will impede the activities of the agency.

Right to Request Restrictions/Confidential Communications: You have the right to request a restriction on certain uses and disclosures of your medical information that we use or disclose for treatment, payment or healthcare operations.  You also have the right to request that we communicate with you in a certain way or at a certain location such as at your work location instead of your home. Your request must be in writing and submitted at the time of each new visit. We are not required to fulfill all requests but will gladly review your request and attempt to accommodate all reasonable requests.

Right to Restrict Disclosure to Health Plan: You have the right to restrict disclosure of your information to your health plan (insurance) for services that you pay in full out of pocket.


Our Legal Duty to Protect Your Information: We are required by law to maintain the privacy of your protected health information as outlined by state and federal regulations; and to give you notice of this duty and our privacy practices. We are also required to notify you of a breach that involves the access or disclosure of any unsecured protected health information about you. WCU may not require an individual to waive his/her rights under this policy or HIPAA as a condition of treatment, payment, enrollment in a health plan or eligibility for benefits.

 Changes to this Notice of Privacy Practices: We have the right to revise this Notice of Privacy Practices and to make the new notice effective for all the protected health information we maintain. Each new edition will have an effective date posted in a place you can see. We will offer you a copy of the most current edition each time you are registered in one of our covered departments. This Notice is posted within our facilities; paper copies are available at any time; and it can be found on our website. Translated copies in other languages may also be available. We are required to abide by the most recent version of our notice.

Uses and Disclosures not Covered by this Notice: We have attempted to include most known uses and disclosures that relate to how we use and disclose your information. There may be other uses and disclosures not covered by this Notice. In such cases, we will request your written authorization unless the use or disclosure is otherwise permitted by law or regulation. An inmate does not have a right to a Notice under the HIPAA Privacy Rule standard regarding Notice of Privacy Practices.

Questions or Complaints: We value your privacy and want to maintain a trusting relationship with you. If you have a question or believe that your privacy rights have been violated, we want to hear from you. For letters, please include your name, address, telephone number and a brief description. We will follow up with you as soon as possible.  To contact the University’s HIPAA Compliance Officer, please call 828-227-7640 and ask for Pam Buchanan.  You can also email pmbuchanan@email.wcu.edu.  Federal law protects you and there will be no retaliation for filing a complaint.  WCU and its employees may not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any individual for exercising his/her rights under this Notice of Privacy, or for participating in any process established by this Notice, including filing a complaint or participating in an investigation, compliance review, proceeding or hearing under any section of the Privacy Rules.

You may also file a complaint with the Department of Health and Human Services (DHHS), Office for Civil Rights (OCR).  For up to date information, please refer to the Office for Civil Rights website at www.hhs.gov/ocr/privacy. OCR has ten regional offices and each office covers specific states.  The address for the regional office for North Carolina is:


Office for Civil Rights
US Dept of Health and Human Services
Atlanta Federal Center, Suite 16T70
61 Forsyth ST, S.W.
Atlanta, GA 30303-8909
Phone: 800-368-1019
Fax: 404-562-7881
TDD: 800-537-7697



Copyright by Western Carolina University      •      Cullowhee, NC 28723      •      828.227.7211      •      Contact WCU
Maintained by the Office of Web Services      •      Directions      •      Campus Map      •      Emergency Information      •      Text-Only

Office of Web Services