Many physician office display thank-you letters from patients or their families on a bulletin board or other type of display in a public area where visitors can read them. So is this a HIPAA violation? Is it a better practice to display this correspondence but de-identify the patient/family information? If you want to display thank-you letters from patients or their families in a public place, I believe the best course of action is to de-identify these items to protect the patients’ privacy. Otherwise, ask the patient or family for permission to post the letter publicly.