Virtual patient records provide a means for integrated access to patient information that may be scattered around different healthcare organizations (or hospital departments). As Intranets provide, among others, secure access to medical information, they constitute an appropriate technological infrastructure for a virtual patient record implementation. In such cases, a security policy can be enforced by combining the security features of the Intranet with the security features of the intraorganizational systems. However, when a workflow system is implemented to automate interorganizational healthcare processes, an additional security layer is needed. An authorization architecture that serves this purpose is presented in this paper.