James, if your BA's are performing "treatment, payment or healthcare operations" functions on your behalf you will not require authorizations. I can't imagine sharing individually identifiable info with scores of BA's for other purposes, and the list should be quite manageable. Note that you probably already have an authorization (as part of the "informed consent" in IRB common rule language) that you are using in order to share info with your research BA's.

a.

Albert Oriol, CHE, CISSP
Privacy & Data Security Officer
The Children's Hospital
[EMAIL PROTECTED]
(303) 861 6094

"All things should be as simple as possible, but no simpler" -- Albert Einstein

-----Original Message-----
From: McNamee, James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 9:09 AM
To: [EMAIL PROTECTED]
Subject: Business Associates and Patient Authorization

HIPAA regs seem to imply that patients must execute an authorization before their PHI can be shared with a CE's Business Associate. Various BAs will use various portions of the PHI for different lengths of time as they perform the contracted work. Since patient authorizations must be specific -- saying to whom PHI is released, for what purpose and for how long -- this raises a practical concern. If a large organization has scores of BAs to which it releases PHI, does this organization need to give patients scores of authorization documents to sign? Or is it permissible under HIPAA to craft a single but less-specific authorization that would suffice?

________________________________________
James E. McNamee, PhD
Associate Dean of Information Services and CIO
School of Medicine
University of Maryland, Baltimore
Information Services, Room 214
100 N. Greene St.
Baltimore, MD 21201
voice: 410-706-2881
fax: 410-706-4871
e-mail: [EMAIL PROTECTED]

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.

CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you.
**********************************************************************
