HIPAA Privacy Practices

Effective Date: April 14, 2003

This notice describes how medical information about you may be used and disclosed and how you can obtain access to this information.

We are required by federal law to maintain the privacy of health information about you, called protected health information (PHI).  We are also required to provide you notice of our obligations to protect your PHI and to explain our privacy practices.
We must follow the terms of this Notice of Privacy Practices.  We may change the terms of this Notice in the future and make new Notice provisions effective for all PHI we maintain.  Copies of revisions are available from this health care provider and on the University’s website.

I.  Understanding Your Protected Health Information:
Every encounter you have with a health care provider¹ must be documented and become a part of your medical/mental health record.  This documentation may include your symptoms, laboratory results, diagnoses, examination, treatment, psychotherapy notes, and a plan for future care or treatment.  The information contained in your medical/mental health record serves as a(n): 

  1. Treatment - Basis for planning your care and treatment
  2. Communication - Means of communication among the health care professionals who contribute to your care
  3. Legal Document - Legal document describing the care you received
  4. Verification of Services - Means through which a third-party payer can verify the services you received
  5. Education - Tool for educating health care professionals
  6. Research - Source of data for medical research
  7. Public Health - Record of communicable diseases and information about the public’s health
  8. Planning - Source of data for facility planning and marketing
  9. Quality Assurance - Internal assessment tool for quality care improvement and achieving goals

Understanding what is in your medical/mental health record and how this information is used helps you to ensure that it is accurate, better understand the circumstances under which others may access your health information, and make more informed decisions when authorizing disclosure to others.

II.  Your Rights: 
Although your medical/mental health record is the physical property of this office, the information belongs to you.  The following is a list of your rights with regards to your medical/mental health records:

  1. Request a Restriction - You have the right to submit a written request for a reasonable restriction on certain uses and disclosures of your PHI and to restrict to whom the information is disclosed.
  2. Request a Paper Copy of this Notice - You have the right to request a paper copy of this Notice of Privacy Practices.
  3. Inspection & Amendment of your PHI - You have the right to submit a written request to inspect, copy, and/or request an amendment of your medical record.  The Request for Amendment/Correction of Protected Health Information form provided by this office must be filled out and submitted if you would like any of your PHI to be amended or corrected.
  4. Accounting of Disclosures - You have the right to submit a written request to obtain an accounting and explanation of disclosures of your medical/mental health record.  The Request for an Accounting of Disclosures of PHI form provided by this office must be submitted to receive an accounting of disclosures of your PHI.
  5. Confidential/Alternative Communications - You have the right to request reasonable confidential communications or alternative means of communications of your protected health information.  The Request for Confidential Communications supplied by this office must be submitted in order to receive alternative or confidential communications.
  6. Revoke Prior Authorization - You have the right to revoke any prior authorization for use and disclosure of your  PHI, to the extent that action has not already been taken, through a written request submitted to this office. 
  7. Accessing your PHI - No one, including your parents/family, faculty members, or outside health care providers, has access to your medical/mental health record without your written permission, except as listed in Section IV of this Notice.
  8. File a Complaint - You have the right to file a complaint with this office, WCU’s Privacy Officer, or the Secretary of the United States Department of Health and Human Services if you feel your privacy rights have been violated.  WCU’s Privacy Officer, Pamela Buchanan, can be reached at (828) 227-7640 or pmbuchanan@email.wcu.edu.  Federal law protects you and there will be no retaliation for filing a complaint.
  9. Refraining from Intimidating or Retaliatory Acts – WCU and its employees may not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any individual for exercising his/her rights under this Notice or HIPAA, or for participating in any process established by this Notice, including filing a complaint or participating in an investigation, compliance review, proceeding, or hearing under any section of HIPAA.
  10. Waiver of Rights – WCU may not require an individual to waive his/her rights under this policy or HIPAA as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.

III.  Our Responsibilities:
We will not use or disclose your PHI without your authorization, except as permissible for treatment, payment, or health care operations (see Section IV).  Federal law requires this office to maintain the privacy and confidentiality of your medical/mental health record.  In order to abide with federal regulations our responsibilities are:

  1. Provide Notice of Privacy Practices - We must provide you with our Notice of Privacy Practices on the first encounter we have with you on or after April 14, 2003.
  2. Abide with this Notice - We must abide by the terms of this Notice.
  3. Minimum Necessary – We must limit the PHI that is disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
  4. Prohibited Medium - The use of email to share, disclose, or discuss your medical/mental health record is strictly prohibited.
  5. Faxing - Your medical/mental health record will not be faxed unless the identity of the person/provider receiving the information is known and has been approved as a secure line of communication.
  6. Further Disclosure of PHI - We must have an Authorization for Disclosure of Protected Health Information signed by you or a legal representative in order to release your medical/mental health record for reasons other than those listed in Section IV.
  7. Requested Restrictions - We must notify you if we are unable to agree to a requested restriction on the use and disclosure of your medical/mental health record.
  8. Accommodate Alternative Communication Requests - We must accommodate reasonable requests to communicate your health information through alternative means.
  9. Deceased – PHI regarding decedents may be disclosed to coroners, medical examiners and funeral directors, if necessary to carry out the duties of their positions.
  10. Whistleblowers – If a business associate or a member of our workforce believes that we have violated this Notice or otherwise engaged in unlawful conduct then he or she may disclose such information to a public health authority or attorney.
  11. Changes to the Notice - We reserve the right to change our policies with regards to protecting your medical/mental health record.  Should any policy changes effect our Notice of Privacy Practices, we will mail a revised Notice to the address you have supplied us, as well as post revisions on our website.

¹Health care includes, but is not limited to: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling, service assessment, or procedure with respect to the physical or mental condition, or functional status of an individual or that affects the structure or function of the body; and sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

IV.  Examples of Disclosures for Treatment, Payment, and Health Care Operations:

The following list contains examples of when your medical/mental health record may be released without obtaining your prior authorization:

  1. Treatment – Information, actions, and observations obtained by a health care provider will be recorded in your medical/mental health record and used to determine the appropriate treatment for your condition.  This information will also be provided to any physicians or health care providers that we refer you to or any providers who need this information for continuation of your care.  A separate authorization may be required for the disclosure of mental health records/psychotherapy notes.
  2. Payment – A bill identifying your diagnosis, procedures, and supplies used may be sent to you or a third-party payer for purposes of obtaining payment.
  3. Health Care Operations – Members of our quality improvement team may evaluate your medical/mental health record to assess the care that you received.  This information will be used to improve our quality of care.  This includes, but is not limited to student training; licensing; accreditation activities; conducting or arranging for other business activities.
  4. Appointment Reminders – We may contact you to provide reminders for treatment or care.
  5. Business Associates – In certain cases health care services may be contracted out to another health care provider or facility.  Examples include radiology exams, laboratory tests, and other physician services.  In order to protect your medical record, we require that business associates provide the appropriate safeguards to protect your privacy.
  6. Directory – Unless you notify us that you object, we will make your name, location in our facility, your condition described in general non-specific terms (e.g. stable or unstable), and your religious affiliation available to members of the clergy or to other persons who ask for you by name, except for religious affiliation.
  7. Communication with Family – In certain cases of a medical/psychological emergency or other cases when you are unable to make decisions regarding your medical care, the health care provider may disclose to a family member, other relative, close friend, or other elected representative health information which is vital to your continuation of care or necessary for payment purposes.  Once disclosed this information may not be re-released without your authorization.  A separate authorization may be required for the disclosure of mental health records/psychotherapy notes.
  8. Research, Statistics, & Assessments – We may disclose your PHI for purposes of research, statistics, and quality improvement assessments once a committee has determined that your privacy will not be compromised.  All PHI must be de-identified so that it does not contain any identifiable information about you before it can be used for this purpose.  If your PHI is used for this purpose we can provide you, at your request, with the PHI Disclosure Tracking Log that indicates how and where your PHI was released. 
  9. Marketing – We may contact you to provide appointment reminders, information about treatment alternatives, or other health related benefits and services that may be of interest to you.
  10. Fund Raising – We may contact you as part of a fund raising effort.
  11. Food & Drug Administration (FDA) – We may disclose to the FDA health information relative to adverse events with respect to food, supplements, product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
  12. Workers Compensation – We may disclose protected health information regarding an individual to a party responsible for payment of workers compensation benefits and to an agency responsible for administering and/or adjudicating the individual’s claim for workers compensation benefits.
  13. Public Health – As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
  14. Correctional Institution – Should you be an inmate of a correctional institution, we may disclose to the institution or their agents health information necessary for your health and the health and safety of other individuals.
  15. Law Enforcement – We may disclose health information for law enforcement purposes as required by law or in response to a valid subpoena.  Federal law makes provisions for your health information to be released to an appropriate health oversight agency, public health authority, or legal representative, provided that an employee or business associate believes that we have been negligent in protecting your privacy or providing you a high standard of care.
  16. Military – We may share PHI with the Department of Veterans Affairs for eligibility determination.  We may also disclose your PHI to federal officials for conducting national security investigations.
  17. Coroners, Funeral Directors, & Organ Donation – We may share your PHI to a coroner or medical examiner for identification purposes or to determine a cause of death.  We may also disclose PHI with funeral directors to assist in their job duties.  PHI may be shared or used in the determination of tissue/organ donation.
  18. Abuse or Neglect – We may disclose, to the extent required or permitted by law, your PHI to a public health authority for reports of child abuse or neglect.  We may also share your PHI if we believe that you have been a victim of abuse, neglect, or domestic violence.
  19. Other PHI Disclosures – Any other use or disclosure of your PHI requires your written authorization. PHI that is disclosed, with your written authorization, to an agency that is not covered under these federal regulations (e.g. legal office or disability determination services) will no longer be protected under the safeguards of these regulations.

V.  Mental Health Services
North Carolina General Statute 122C-54(g); NCGS 122c-55(a), (a2), (d), (e)
“North Carolina law generally requires that we obtain your written consent before we may disclose health information related to your mental health services.  There are some exceptions to this general requirement however.  We may disclose health information to members of the Health Center workforce, to our professional advisors, including the university attorney, and to agencies or individuals that oversee our operations or that help us carry out our responsibilities in serving you.  We will disclose only the information that is necessary to the provision of services or operations, and the information will be disclosed only to individuals who have a need to know.  We also may disclose information to the following people: (1) a health care provider who is providing emergency medical services to you; and (2) to other mental health professionals when necessary to coordinate your care and treatment.  If we determine that there is an imminent threat to your health or safety, or the health or safety of someone else, we may disclose information about you to prevent or lessen the threat.  We also will release information about you if state or federal law requires us to do so, when a court of law orders us to do so, or to report suspected neglect or abuse of a child or disabled adult.”

VI. Alcohol and Drug Abuse Services
If you request and/or receive alcohol and/or drug abuse services from us, federal law generally requires that we obtain your written consent before we may disclose information that would identify you as a patient.  There are some exceptions to this requirement.  We may disclose information to members of our workforce as needed to coordinate your care, and to agencies or individuals that help us carry out our professional responsibilities in serving you.  We may disclose information to medical personnel in a medical emergency.

VII. Law Enforcement
If we suspect that a child is abused or neglected, state law requires that we report the abuse or neglect to the Department of Social Services, and we may disclose substance abuse information when making the report.  We will disclose information about you if a court orders us to do so.  If you commit a crime, or threaten to commit a crime, on the premises or against our workforce, we may report information about the crime or threat to law enforcement officers.

NC 130A-143 provides that anything that identifies a patient as being infected with AIDS is confidential except for epidemiological purposes (information is de-identified). Disclosure of HIV/AIDS information must have the patient’s specific consent. Disclosure of such information is allowed for health care operations, continuity of care and treatment without the patient’s written consent.


Copyright by Western Carolina University      •      Cullowhee, NC 28723      •      828.227.7211      •      Contact WCU
Maintained by the Office of Web Services      •      Directions      •      Campus Map      •      Emergency Information      •      Text-Only

Office of Web Services