Q&A: Donor lists

Q. I work in a hospice environment where we get donations that are often given in memory of deceased patients that were in our program. Would you please advise if it is a HIPAA violation to list the donor names as well as the names of those "memorialized" (former patients), on our website and in our newsletter? And, if so, can this be remedied by adding language to our Notice of Privacy Practices (NPP) advising that this practice will occur unless the patient objects?

A.  Listing the names of deceased patients without permission may be considered a violation of the Privacy Rule. You could add language to your NPP, but it is likely that the patient’s family will not be familiar with your NPP. It would be better to ask permission from the donor and the patient’s family to publicly acknowledge the donation.

Editor's note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.