Notice of Privacy Policy




In order to provide high-quality care, Western North Carolina Community Health Services, Inc. (WNCCHS) must obtain and store personal information about you. The Federal law called Health Insurance Portability and Accountability Act (HIPAA) refers to this information as Protected Health Information (PHI). 


Protected Health Information (PHI) is any information we collect about you. Examples of PHI include the following: your health problems or diagnoses, the results of laboratory tests, the medications you are prescribed, notes that document our recommendations to you to improve your health.


HIPAA and the Privacy Rule require that we inform you about the steps we take to protect your privacy.

Below is a summary of how we protect your privacy.


Policies and Procedures: We have established written policies and procedures that our staff must follow to handle and safeguard your PHI.


Training: At the time of hiring, and at least once a year afterwards, we provide detailed training to all our staff on the requirements of HIPAA and the Privacy Rule—including the penalties for violations.   


Restricted Access: Employees are granted access to PHI according to their need to use the information in order to do their jobs. For example, front desk staff members have no access to your medical record, medical assistants have limited access to certain parts of your chart (e.g., they cannot view your problem/diagnosis list or the notes your medical provider writes about you).  


Physical Safeguards: Paper documents containing PHI are filed in secured areas under lock and key. All paper documents containing PHI that we no longer need are shredded. Most PHI is stored in computers that can only be accessed by authorized personnel using unique passwords. This way we can better track who has seen your PHI.    


Disciplinary Action: We promptly investigate any claim or possibility of unauthorized use or disclosure of PHI and take disciplinary action—including termination of employment—against any employee who we have reason to believe breached the law or our policies and procedures:


HIPAA and the Privacy Rule require that we inform you about when and how we disclose your PHI to other parties.

Below is a summary of when and how we disclose PHI.


Disclosures With/Without Written Authorization: As permitted by HIPAA and the Privacy Rule, WNCCHS will disclose PHI with or without your written permission for the following purposes: treatment (e.g., if a hospital calls us because you are being admitted); payment (e.g., when submitting claims to Medicaid/Medicare/ insurance company we have to provide your diagnoses); health care operations (e.g., when our records are audited to evaluate the quality of care we deliver). We can also disclose PHI for other purposes specifically allowed by law (e.g., to a court of law). When we disclose PHI in this way, we must do it according to the law.


Disclosures with Written Authorization: For any other purpose, we must have your written authorization to disclose PHI (e.g., to send records to an attorney or Disability Determination Services). The authorization must be very clear and specific about the PHI to be disclosed and who it can be disclosed to.

Marketing: We do not disclose PHI for marketing or similar purposes.        


HIPAA and the Privacy Rule require that we inform you about the rights listed below.        


Privacy: Your PHI must be carefully protected. We have to make sure all our staff members handle your PHI with great discretion and respect. This includes taking disciplinary action against personnel who do not comply with the law or our policies and procedures for safeguarding your PHI.


Review: You can review your PHI. (We may restrict access to psychotherapy notes, but we have to explain to you why we think we need to do that.) You may request access to your PHI at the front desk. You may also request copies of any document we have that contains PHI about you. You may have to wait a couple of days for copies. You will also be charged a fee as allowed by law.


Amend: Except for PHI produced by other entities (e.g., specialists’ offices), you have a right to request that we change information that is in your medical record. We may accept or deny your request. If we deny you request, we have to explain why in writing.    


Restrict: You can request that we restrict the disclosure of PHI. However, WNCCHS declines such requests as permitted by HIPAA and the Privacy Rule.


Authorize: In all cases where the law requires it, we must have your written authorization to disclose any PHI about you. The written authorization must be specific and we must comply with its instructions completely (e.g., we have to make sure it is actually sent to where you want it sent.) The written authorization must have an expiration date. You may revoke your consent—except to the extent we have disclosed PHI relying on a previous authorization you gave us.       


Complain: You have the right to complain to us and/or to the Secretary of the United States Department of Health and Human Services if you think your rights under HIPAA and the Privacy Rule have been violated. You must file your complaint either with us or with the Secretary within 180 days when you think your rights were violated. The WNCCHS Privacy Officer is responsible for receiving and investigating all complaints. We will respond to your complaint in writing as soon as we can. You will not be discriminated or retaliated against by WNCCHS because you have filed a complaint.       


Question: We encourage you to ask any questions you have about your PHI or our policies and procedures. We will answer your questions to the best of our ability. If you have any questions, please direct them to the Privacy Officer at (828) 285-0622.