HIPAA regs seem to imply that patients must execute an authorization before their PHI can be shared with a CE's Business Associate. Various BAs will use various portions of the PHI for different lengths of time as they perform the contracted work. Since patient authorizations must be specific -- saying to whom PHI is released, for what purpose and for how long -- this raises a practical concern.
If a large organization has scores of BAs to which it releases PHI, does this organization need to give patients scores of authorization documents to sign? Or is it permissible under HIPAA to craft a single but less-specific authorization that would suffice? ________________________________________ James E. McNamee, PhD Associate Dean of Information Services and CIO School of Medicine University of Maryland, Baltimore Information Services, Room 214 100 N. Greene St. Baltimore, MD 21201 voice: 410-706-2881 fax: 410-706-4871 e-mail: [EMAIL PROTECTED] ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
