Effective February 16, 2026

THE PRIVACY POLICY DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Please download one of the versions and review it carefully. Both the English and Spanish versions are in PDF format.

• Click here to view the Privacy Notice English 
• Click here to view the Privacy Notice Spanish  

If you have any questions about the privacy notice, please contact Scotland Health Care System's Privacy Officer at 910-291-7087.

Scotland Health Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION, HOW YOU CAN GET ACCESS TO YOUR HEALTH INFORMATION, AND HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION. YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH PRIVACY OFFICER AT 910.291.7087 IF YOU HAVE ANY QUESTIONS. PLEASE REVIEW IT CAREFULLY.

Last Revised February 16, 2026

Scotland Health complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex. For more information, please see Scotlandhealth.org/policies-notices.

A copy of this Notice is also available in Spanish. (PDF)
Una copia de este anuncio esta disponible tambien en Espanol (PDF)

Protecting Your Privacy

At Scotland Health, we understand that your health information is personal. This Notice describes how your health information may be used and disclosed, how we protect your information and your rights under the Health Insurance Portability and Accountability Act (“HIPAA”). We are required by law to:

• Maintain privacy of your Protected Health Information (“PHI” or “your information”) as outlined in s Notice
• Implement safeguards to maintain the privacy of PHI
• Provide you with notice of our legal duties and privacy practices related to your PHI
• Follow the terms of the Notice currently in effect

This Notice only applies to those parts of our websites and mobile device applications where you can access your PHI or interact with a clinician regarding your specific care, such as the patient portal with respect to your PHI. However, these websites and applications may contain additional terms associated with your use. You should review those terms as well as the website terms contained on the website that you visit.

This Notice does not apply to health information that is not subject to HIPAA or similar state health information privacy laws, or information used or shared in a manner that cannot identify you.

Who Follows This Notice

Scotland Health encompasses the following health systems, including their affiliates and subsidiaries:

• Scotland Health Care System, Scotland Physicians Network, Scotland Memorial Hospital

Scotland Health entities also may participate in organized health care arrangements (OHCAs), such as with medical staff and care coordinators while at our locations, as well as in affordable care organizations (ACOs). These enable us to share information among participating entities and providers in a clinically integrated setting; for treatment, payment, and health care operations purposes; and, for joint activities in support of the OHCA’s purposes. 

Please note that this Notice does not apply to any Scotland Health entity in its capacity as an employer or to any Scotland Health health plan. Any Scotland Health health plan is considered a separate covered entity for the purpose of HIPAA and has its own notice of privacy practices.

Additionally, providers that are independent of Scotland Health are legally separate and responsible for their own acts. Scotland Health is not responsible for how they provide care or handle your information.

How Your PHI Is Used and Disclosed

For Treatment We may use and share your PHI to provide, coordinate, or manage your health care and related services, both with our own providers and with others involved in your care. Different personnel may also share your PHI to coordinate the different things you need, such as prescriptions, lab work and x-rays. For example, a doctor treating you for a broken leg may need to know if you have diabetes so she can treat you properly and work with our dietitian so you can have low sugar meals. Our case manager will need to know about your diabetes so he can connect with other agencies to get you access to the proper resources after discharge. We may also share your PHI with a health registry so we can access information that may help us identify a different way to treat you. We may share and receive your PHI from other providers, including within our system, to treat you.

Treatment Alternatives We may use and share your PHI to tell you about possible treatment options or alternatives that may be of interest. For example, if you have cardiac issues, we may tell you about exercise resources or apps that could support your heart health. In many situations, you sign up directly with a vendor to use the apps, not through Scotland Health. We encourage you to carefully review any terms of use that may apply to the apps or other tools that you may use, as we are not responsible for what they do with your information.

Health-Related Benefits and Services We may use and disclose your information to tell you about health-related benefits or services that may be of interest to you. For example, if you just had a baby, we may use that information to send you tips for caring for a newborn or resources for new Moms. As a general rule, we do not sell your information or get paid by vendors to communicate with you without your written authorization. You may choose not to receive any communication from us that encourages you to purchase or use any particular product or service.

Communicating With You We may use and share PHI to contact you about treatment, care, or payment. For example, we may use your phone numbers (including mobile) and email addresses that we have on file to send you phone calls, emails, text messages, or other communications related to your care. We may also send appointment reminders or remind you that it is time for an annual checkup. We may also reach out to you for feedback about a recent visit or to see if you are feeling better. We may also contact you about health-related benefits or services that may be of interest to you (such as information about upcoming health screening events or research information) or to tell you about a new practice opening near you. These messages may be sent using automated dialing and/or pre-recorded messages. You have the right to opt out of receiving these messages. To opt out of text messages, please follow the opt out prompt in the text message. If you send us unencrypted emails or texts, you understand there are security risks in doing so and you accept those risks.

For Payment We may use and share your PHI with others to bill and collect payment for the services we provide to you, such as with billing departments, vendors, collection agencies, insurance companies, health plans and their agents, and consumer reporting agencies. For example, if you broke your leg, we may need to share information about your condition, the supplies used, and the services you received (such as X-rays or surgery) with your health plan so they can pay your bill. We may also contact payors before you receive scheduled services, such as for pre-approval from your health plan or to confirm your procedure qualifies for coverage. Unless you specifically tell us otherwise, we will assume you want us to bill your insurance that is on file in our records.

For Health Care Operations We may use and share your PHI to carry out business activities that help us operate our health system, improve the quality and cost of patient care, perform case management and care coordination functions, and conduct other health care operations. For example, we may look at patient information to evaluate the performance of our staff, plan new services, identify new locations for services, or send you a survey about your experience. We may also use patient information to train personnel and students, respond to governmental agencies, support our licensing, analyze data, and for legal and other purposes. We can also share your PHI with other providers who have a relationship with you for their own health care operations. For example, if you come to us in an ambulance, EMS may want to know the resolution to your care to determine if their medics delivered appropriate treatment to you in the ambulance. We may also use and share your PHI to confirm the time, place, and attendance of your appointment for treatment with third-party transportation services.

Photos, Images, and Audio We may take, collect, capture, produce, use and store photos, video and/or audio recordings, reproductions and digital images, including biometric information for treatment, training, identification, education and health care operations purposes.

Artificial Intelligence We may utilize computers, electronic devices, artificial intelligence systems or other technology to provide and assist in providing our patients with care, treatment, and services.

Business Associates Sometimes, we hire other people and companies known as business associates to help us perform services and manage operations. We may need to share your PHI with these business associates so that they can perform their job for us. For example, we may hire healthcare monitoring companies, collection agencies, or information technology vendors. We may also share your PHI with a Business Associate who will remove information that identifies you so that the remaining information can be used or disclosed for purposes outside of this Notice. We require any Business Associate to sign a written contract requiring that they comply with HIPAA, protect your PHI and keep it confidential in the same manner as HIPAA requires of us.

Minors We may generally share PHI of minors with their parents or legal guardians acting as personal representatives, unless prohibited by law or in circumstances where the law permits us to withhold PHI, such as to prevent harm to the minor or another person or in cases of suspected child abuse or neglect.

Required by Law or Judicial or Administrative Proceeding We will use or disclose your PHI when required to do so by local, state, federal, and international law. For example, we may share your PHI as required to report a suspicious death or suspected child abuse or neglect. We may use and disclose your PHI in conjunction with judicial or administrative proceedings or for purposes of litigation as permitted by law. We may also share your PHI in response to an administrative or court order, or in response to a subpoena, a discovery request, or other legal process if we are advised that you have been made aware of the request or that efforts were made to secure a qualified protective order.

Abuse, Neglect, and Domestic Violence or Other Threats to Safety Your PHI will be disclosed to the appropriate government agency if we believe that a patient has been or is currently the victim of abuse, neglect, or domestic violence and the patient agrees to the disclosure or we are otherwise permitted or required by law to do so. In addition, your PHI may also be disclosed when necessary to prevent a serious threat to your health or safety or the health and safety of others to someone who may be able to help prevent the threat. State laws may require such disclosure when an individual or group has been specifically identified as the target or potential victim.

Law Enforcement We will disclose your PHI for law enforcement purposes when all applicable legal requirements have been met. This includes, but is not limited to, law enforcement due to identifying or locating a suspect, fugitive, material witness or missing person; complying with a court order or warrant, and grand jury subpoena; reporting information about a victim of a crime, reporting a death we believe resulted from criminal conduct, reporting criminal conduct occurring on our premises, or reporting crime in an emergency, such as the location of the crime or victims or the identity, description, or location of the person who committed the crime.

Public Health Your PHI may be disclosed and may be required by law to be disclosed for public health purposes. This includes: to prevent or control disease; report births and deaths; reporting of reactions to medications or problems with health products; reporting a person who may have been exposed to a disease or may be at risk of contracting and/or spreading a disease or condition. We may share your PHI with public health authorities for public health purposes to prevent or control disease, injury, or disability and for conducting public health monitoring, investigations, or activities.

Health Oversight Activities We may disclose your PHI to a health oversight agency for audits, investigations, inspections, licensures, and other activities as authorized by law. The relevant agencies include governmental units that oversee or monitor the health care system, government benefit and regulatory programs, and compliance with civil rights laws.

Military, National Security, and Other Specialized Government Functions We may disclose your PHI, if you are in the Armed Forces, for activities deemed necessary by appropriate military command authorities for determination of benefit eligibility by the Department of Veterans Affairs or to foreign military authorities if you are a member of that foreign military service. We may disclose your PHI to authorized federal officials for conducting national security and intelligence activities or special investigations (including for the provision of protective services to the President of the United States, other authorized persons, or foreign heads of state) or to the Department of State to make medical suitability determinations.

Inmates and Correctional Institutions If you are an inmate at a correctional institution, then under certain circumstances we may disclose your PHI to the correctional institution or law enforcement official. This may be necessary 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution and its staff.

Workers Compensation We disclose PHI only necessary for Worker's Compensation in compliance with Worker's Compensation laws. This PHI may be reported to your employer and/or your employer's representative regarding an occupational injury or illness.

Change in Ownership If our business is sold in whole or part, acquired, or merged with another entity, your PHI may become the property of the new owner. However, you will still have the right to request copies of your records and have copies transferred to another provider.

Research We may disclose your PHI to researchers for the purpose of conducting research when an Institutional Review or Privacy Board has approved the research and in compliance with law governing research, or where you have provided your authorization. You may choose to participate in a research study that requires you to obtain related health care services. In this case, we may share your PHI 1) with the researchers involved in the study who ordered the hospital or other health care services; and 2) with your insurance company in order to receive payment for those services that your insurance agrees to pay for. We may use and share your PHI with a researcher if certain parts of your PHI that would identify you are removed before we share it with the researcher. This will only be done if the researcher agrees in writing not to share the information, will not try to contact you, and will obey other requirements that the law provides.

Decedents We may disclose your PHI to coroner, medical examiner, funeral director if needed to perform duties.

Organ, Eye or Tissue Donation Purposes If you are an organ donor, we may disclose your PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Breach Notification Purposes If for any reason there is an unsecured breach of your PHI, we will utilize the contact information you have provided us with to notify you of the breach, as required by law. In addition, your PHI may be disclosed as a part of the breach notification and reporting process.

Right to Opt Out of Certain Uses and Disclosures

Fundraising Activities We may use some of your PHI to identify causes you may care about and wish to support through a donation to advance patient care, health care education, and research. This information may include your contact, demographic, and insurance information; date(s) and location of treatment; provider name; and if you would be likely to support our charitable causes. You have the right to opt out of fundraising communications. Opting out of fundraising communications will not affect your ability to obtain health care at Scotland Health. Note: Your household may still receive general fundraising materials from us that do not require use of PHI.

Facility Directory We may include your name, your location in the hospital, and your general condition (e.g., good, fair, serious, etc.) in our hospital directory while you are a patient. We will share this directory information with people who ask for you by name. We can also share your religious affiliation with clergy affiliated with your faith, regardless of whether they ask for you by name. To opt out of being included in the facility directory, please notify the staff member registering you or providing your care. The opt out only applies to that encounter, and you will have to make a new request to opt out if you would like to be removed from the directory during your next stay.

Individuals Involved in Your Care or Payment We may share your PHI with a family member, personal representative, friend or other person you identify or who is involved in your care or payment, unless you object. For example, if you bring a sibling to your appointment or have a friend pick you up from a procedure and you do not object to them hearing your medical information, then we can share relevant information with them or when they are present. We could also tell your family how to care for you at home or share billing information if they are helping with your bills or covering your services. We may also share information to notify people involved in your care about your location, general condition or death. Some laws also require us to notify those involved in your care that you have been admitted, transferred, or discharged from facility. To opt out of these notifications, please notify staff member registering you or providing your care. If you’re unable to make decisions for self, or if emergency, we use professional judgment if in your best interest to share your PHI with those involved in your care.

Disaster In the event of a disaster, we may disclose your PHI to disaster relief organizations to coordinate your care and/or to notify family members or friends of your location and condition. Whenever possible, we will provide you with an opportunity to agree or object. 

Health Information Exchanges We may participate in certain health information networks or exchanges ("HIEs") that permit health care providers or other health care entities, such as your health plan or health insurer, to share your PHI for treatment, payment and other purposes permitted by law, including those described in this Notice. Your health information will be stored in our electronic medical record, including Epic, so your care community can help you. Your information may also be available through health information exchanges or through clinically integrated networks that allow member providers to securely exchange health information for treatment purposes. By seeing records of past care received at other locations in an HIE, providers can make more informed decisions about care plans and avoid duplicative or unnecessary treatment. You do not have to participate in an HIE to receive care from us, and may choose to opt out, though note that opting out of an HIE does not stop us from using or sharing your information as otherwise described in this Notice. Your decision to opt out of sharing your PHI through an HIE does not affect the information that was exchanged prior to the time you opted out of participation.

Use and Disclosure of Substance Use Disorder Records Subject to Part 2

We generally need your written consent to use or disclose records protected by 42 CFR Part 2. Once you complete a single consent for treatment, payment, and healthcare operations (TPO) when receiving substance use disorder (SUD) treatment, your Part 2 records may be shared consistent with HIPAA unless you revoke your single TPO consent in writing.  We will not use or disclose SUD treatment records received from programs subject to 42 CFR part 2, in any civil, criminal, administrative or legislative proceedings against you unless you have given your specific written consent, or a 42 CFR Part 2, Subpart E, court order is received.

Your Rights Regarding Your PHI

You have certain rights regarding the PHI we maintain about you, which are outlined below. Our Health Information Management Department (HIM) oversees many of these rights. Your patient portal account also has some of these request forms. If you have any questions or need help obtaining these forms, please contact HIM and they will be happy to help you. All rights and their limitations with respect to your PHI apply equally with respect to your Part 2 Records.

Right to a Copy of Your Health Records

You can ask to inspect or ask for a copy of part or all of your designated record set (defined by HIPAA as the grouping of records including your medical records, billing records and other information used to make decisions about your health care), though certain exceptions may apply that permit us to deny your request. For example, if your doctor decides something in your record might endanger you or someone else, your request may be denied in whole or in part. There are also records which may contain information about you, but that you don’t have a right to access, such as psychotherapy notes or records compiled in anticipation of a legal proceeding. To request a copy of your record, go to the HIM website and submit the Patient Request for Access form, submit the request form electronically through the patient portal, or request a copy of such form from your provider and submit it to the HIM Department. In most cases, you will receive the information within 30 days of when we receive your request, unless we let you know we need another 30 days, such as if the records are in storage. Where permitted by law, we may charge a reasonable fee for the costs of copying, mailing, or other supplies associated with your request, including where you designate a third-party recipient. If we deny you access to your PHI for certain reasons, we will provide you with an opportunity to request that the denial be reviewed. A licensed health care professional chosen by us will perform such a review. This person will not be the same person who refused your request.

• Right to a summary or explanation of your PHI: You have the right to request only a summary of your PHI if you do not desire to obtain a copy of your entire record. You also have the option to request an explanation of the PHI to which you were provided access when you request your entire record.
• Right to Obtain an electronic copy of your medical records: You have the right to request an electronic copy of your medical record for yourself or to be sent to another individual or organization when your PHI is maintained in an electronic format. We will make every attempt to provide the records in the format you request; however, in the case that the information is not readily accessible or producible in the format you request, we will provide the record in a standard electronic format or a legible hard copy form. Please note we provide access to patient portals as one option for patients to electronically access their PHI. You may set up a patient portal through our websites. There is no fee for you to access through the patient portal.

Right to Revoke or Cancel an Authorization

You can sign an Authorization to give us permission to share your PHI with others, such as with your employer or a life insurance company. You can revoke (cancel) that permission at any time by going to the HIM website and submitting the Revocation of Authorization for Release of Information form or request a copy of such form from your provider and submit it to the HIM Department. Once we have processed your revocation, we will no longer use or share your PHI under the revoked Authorization. We cannot, however, take back information we have already shared. Revocation of an authorization also does not affect our ability to share information in accordance with applicable law in manners described in this Notice that do not require your authorization.

Right to Request Changes to Your PHI

You can ask to change or add information to your designated record set that you think is wrong or incomplete for as long as the information is kept by Scotland Health. For example, you may remember telling the doctor that you fell riding your bike, but the record says you tripped over your dog. To request an amendment, go to the HIM website and submit the Health Information Amendment form, submit the request form electronically through the patient portal, or request a copy of such form from your provider and submit it to the HIM Department. Your provider has the right to decide whether to accept or deny your request in whole or in part. We will let you know the decision within 60 days, though we may let you know if we need another 30 days and why. We may deny your request if you ask us to amend PHI that is not part of the PHI maintained by us or was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the information which you would be permitted to inspect and copy or is accurate and complete. Regardless of the decision, your amendment request will be noted in your record, as well as your disagreement letter if you choose to send one. We may also include a rebuttal to your disagreement letter in the record.

Request an Accounting of Disclosures

You have the right to ask for a list of the persons and entities with whom we’ve shared your PHI over the last 6 years, known as an “accounting of disclosures”. Note that, as provided by the HIPAA regulations, the list will not include certain disclosures, such as those made to those involved in treatment, payment, or for health care operations, or those authorized by you. To request an accounting of disclosures, go to the HIM website and submit the Request for Accounting form or request a copy of such form from your provider and submit it to the HIM Department. You must include the time frame for the request. You can get one accounting of disclosures at no charge every 12 months; after that, there may be a fee. In most cases, we will send the accounting of disclosures within 60 days. If we need an extra 30 days, we will let you know. If you are requesting an accounting of disclosures of Part 2 Records made pursuant to your written consent in the 3 years prior to the date of the request (or a shorter time period chosen by you), we will provide such accounting consistent with HIPAA requirements and Part 2. When regulations are effective requiring such accountings pursuant to HIPAA and Part 2, we will provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record and during only the 3 years prior to the date on which the accounting is requested.

Request Restrictions on Sharing Your Information

You have the right to ask that we limit how we use or share your PHI for treatment, payment or health care operations. You can also ask us to limit sharing your PHI with others involved in your care, such as a family member or friend. To request a restriction, go to the HIM website and submit the Request for Restrictions on Use and Disclosure of Information form or request a copy of such form from your provider and submit it to the HIM Department. Note that we are not required to agree to your request, except as stated below. If we do agree to the restriction, it goes into effect when we notify you and even then, it may not be followed in some situations, such as emergencies or when required by law. If you restrict us from sharing your PHI with your health plan by paying for the visit in advance, we will not share your information (note this does not affect our ability to share your information for treatment). You must complete certain forms for a self-pay billing restriction at each location of care, which are available at registration.

Request That We Change How We Contact You

You can make reasonable requests to be contacted at different places or in different ways. For example, you may ask that we call you on your cell phone instead of your home number or that we send results to your office instead of your home. To request confidential communications, go to the HIM website and submit the Request for Confidential or Alternative Means of Communication form or request a copy of such form from your provider and submit it to the HIM Department. You are not required to tell us the reason for your request. We will accommodate reasonable requests, but your request must specify how or where you wish to be contacted.

Right to A Paper Copy of This Notice

You have the right to a paper copy of this Notice upon request. You may also obtain a copy of this Notice at any time from our websites or from the location where you obtained treatment.

Right to Be Notified of a Breach

You have the right to be notified if your unsecured PHI is acquired, used, or shared in a manner not permitted under law that results in more than a low risk of compromise to its security or privacy.

Right to appoint a personal representative

You have the right to appoint a personal representative, such as a medical power of attorney or if you have a legal guardian. Your personal representative may be authorized to exercise your rights and make choices for you about your PHI. We will confirm person has authority and can act for you before we take action based on their request.

Other State and Federal Laws

Where state and federal laws require additional privacy protections or grant you additional rights, we will comply with such state and federal laws to the extent applicable. For example, if you receive treatment at one of our licensed behavioral health facilities, some state laws may allow you to restrict your PHI from being shared with providers outside of those facilities (certain exceptions apply). Ask your behavioral health facility for more information. Other types of information that may be subject to more stringent state or federal law requirements include, but are not necessarily limited to, behavioral health information, drug and alcohol treatment information, reproductive health information, and information related to HIV/AIDS or other communicable diseases.

Electronic Medical Information Sharing Through Application Programming Interfaces

You have the right to request or authorize that your electronic PHI in your designated record be transmitted to you or another person or organization through an application programming interface (API). APIs are computer coding mechanisms that permit two or more electronic computer applications or software programs to communicate with each other and share information. Scotland Health is required by law to comply with requests regarding API transmissions, subject to certain exceptions. You understand that PHI transmitted through an API at your request will no longer be under Scotland Health’s protection and control, will no longer be subject to the protections and rights outlined in this Notice, and may no longer be subject to the same laws, regulations, policies or procedures regarding its confidentiality, security, privacy, use, or disclosure. You understand and agree that you make any request to Scotland Health to transmit your PHI through an API at your own risk and you assume all liability for the consequences of such action taken by Scotland Health at your direction. Scotland Health cautions you to confirm any confidentiality, security, or privacy protections with respect to your transmitted PHI with the recipient of the PHI prior to submitting a request to Scotland Health to transmit your PHI through an API.

Notice of Redisclosure

PHI that is disclosed pursuant to this Notice may be subject to redisclosure by the recipient and no longer protected by HIPAA. Law applicable to the recipient may limit their ability to use and disclose the PHI received, such as if they are another covered entity subject to HIPAA or a program or entity subject to Part 2.

Changes to this Notice of Privacy Practices

We reserve the right to change and update this Notice at any time. The revised Notice will be effective for PHI we already have about you, as well as for any PHI we create or receive in the future. The effective date is listed on the first page of the Notice and we will post the current copy at each registration location and on our websites.

Complaints and Contacts

If you believe we impermissibly shared or used your PHI or that your rights were denied under HIPAA, you can file a complaint with Scotland Health by calling the Compliance Hotline at 910.291.7087.

To file a complaint with the Secretary of the Department of Health and Human Services, go to the Office for Civil Rights (www.hhs.gov/ocr/hipaa/), call 202-619-0257 (toll free 877-696-6775), or mail to:

Secretary of the US Dept of Health and Human Services, 200 Independence Ave S.W., Washington, D.C. 20201

To file a complaint with the Secretary, you must 1) name the Scotland Health place or person that you believe violated your privacy rights and describe how that place or person violated your privacy rights; and 2) file the complaint within 180 days of when you knew or should have known that the violation occurred. Violation of Part 2 is a crime. You may report suspected violations of Part 2 to the Secretary of the United States Department of Health and Human Services in the same manner that you report HIPAA violations. You will not be punished for filing a complaint.

If you have any questions in reference to this Notice, you may contact Scotland Health Privacy at 910.291.7087.