In the News…Potential HIPAA Violations?

Today the Palm Springs, CA Desert Sun reported that a medical marijuana dispensary has to turn over client names; it discusses whether this is a violation of HIPAA.  The key to that answer is whether or not such an organization is considered as a covered entity.  Of course, there could very well be other privacy laws being violated; however, sometimes the main focus for an information health-related automatically goes to HIPAA…which makes sense, but could be the least effective route to take with regard to privacy rights.

"Palm Desert medical marijuana dispensary is being required to turn clients’ names over to authorities, and client advocates say that violates their privacy rights.  Palm Desert city attorney David Erwin said the deal between the city and the CannaHelp dispensary on El Paseo, is merely meant to ensure that the dispensary is obeying state law.  The agreement, negotiated by Erwin and James Warner of San Diego, a lawyer for the CannaHelp dispensary, requires the dispensary to turn over clients’ names and state ID card numbers to the Riverside County Sheriff’s Department.  Calls to Warner on Friday from The Desert Sun were not immediately returned.  Under the agreement, finalized and made public this week, CannaHelp is allowed to sell medical marijuana only to users with a state medical-marijuana ID card.

The Desert Sun obtained a copy of the March 31 agreement signed on April 10 through the city clerk’s office.  The dispensary must also provide the sheriff’s department with weekly sales records, including clients’ names and ID numbers, and allow officers to review sales records at the dispensary every other week.  And that, said Lanny Swerdlow of Palm Springs, head of the Marijuana Anti-Prohibition Project, a patient support group, is a violation of the federal Health Insurance Portability and Accountability Act – HIPAA – which ensures the confidentiality of patients’ medical records. Under the law, patient records can be released if the patient signs a waiver.  "The dispensary should be viewed as a health care provider; all health care providers are bound by HIPAA," Swerdlow said. "I can’t imagine any patient in their right mind wanting their name to be released to the sheriff’s office."

But Erwin said the state and federal laws do not apply to the dispensary because it is not a medical facility and its customers are not patients.  "We’re getting nothing about the individual or anything else," he said. "We are getting information to see if they are complying with the Compassionate Use Act of California.""

It’s not considered a covered entity?  What is a "medical marijauna dispensary"?  Every article I could find referenced the people who got their legal marijuana there as "patients" getting their doctor prescriptions.  It appears from a state of California website that the folks going to these dispensaries are considered as patients.  Would these dispensaries be considered as a type of pharmacy then…dispensing of what seems to be considered as drugs in similar ways?  That’s probably the sticky wicket in this case.

"Passed by ballot initiative in 1996, that act, better known as Proposition 215, legalized medical marijuana for individuals with a doctor’s letter of recommendation. Senate Bill 420, passed in 2003, provided guidelines for implementing the law and required counties to set up offices to help issue the state IDs, which are supposed to be voluntary.  Mike Lerner of La Quinta, a CannaHelp client, said he had not applied for an ID yet, but if he had, he would not mind the sheriff’s office getting his name and ID number.  "You’re putting your name on the county register when you sign up. It’s a matter of public record," he said.

Room for compromise?  At the dispensary, owner Stacy Hochanadel said he would comply with the agreement but was still uncomfortable about turning over clients’ names.  "I’m trying to figure out if giving them just the ID numbers would be good enough to see if they’re verified," he said. "I don’t want to be sued for divulging confidential client information.""

I don’t know…would this be a case of the state of California law preempting HIPAA? 

"Palm Desert Mayor Jim Ferguson indicated Friday there might be room for compromise.  "(The agreement) should probably (be limited to) the ID number," he said. "I am not of the mind to collect information on individuals and turn it over to law enforcement. We honestly are trying to do the right thing."  But Erwin said that without clients’ names, "the agreement is not very effective. All you get is a number. What are we going to do with a number?" 

Conflicts of law

The question of exactly which laws do and don’t apply to the dispensary is further complicated by the conflict between California and federal law.  Using, growing or selling marijuana is illegal under federal law, and the U.S. Supreme Court ruled in June in Raich v. Gonzales that federal law takes precedence over state medical marijuana laws like California’s.  Alan Zamansky of the California Office for HIPAA Implementation said that means medical marijuana users are not covered by federal privacy protections.  And he said SB420 allows the city "to adopt and enforce regulations and laws relative to (the dispensary). The conditions that they made would appear to be helping to enforce that by ensuring only appropriate people would be able (to buy medical marijuana).""

Well…this is interesting…a precedence has been established…that HIPAA should preempt the state law?

"On the other side of the argument, Peter Warren, spokesman for the California Medical Association, notes that the California Supreme Court ruled in 2004 that doctors’ records relating to a patient’s use of medical marijuana are confidential.  And, he said, that protection could extend to dispensary records, like ID card numbers or the doctors’ letters of recommendation required to get them.  "One can presume under Proposition 215, something that authorizes (medical marijuana use) in a legal circumstance for a medically approved use is a medical record," he said."

This is a very good point…if a doctor has to prescribe it to get it from a licensed dispensary, then that would certainly seem to fall under HIPAA TPO…and the accompanying HIPAA PHI protections.

"Another state Supreme Court decision, People v. Mower, in 2002, ruled that state officials have to treat medical marijuana the same as any other doctor-recommended drug, said Kenneth Michael White, a legal adviser for the Marijuana Anti-Prohibition Project, Swerdlow’s group.  "We’re talking about people’s medicine," White said. "You don’t usually have to waive medical privacy to get your medicine at a pharmacy."

Patients come first

Hochanadel said he will be posting notices at the dispensary advising clients that their names may be given to the sheriff’s department.  He is also concerned that sheriff’s officials could turn the biweekly reviews of his sales record into fishing expeditions.  "Am I going to have to justify every person? I have no idea who’s coming into my store, what their educational background is in medicine; it’s up in the air," he said. 

Representatives from the Riverside County Sheriff’s Department did not return calls seeking comment Friday.  Ryan Michaels, a former client at CannaHelp, said he had decided to find other sources for the medical marijuana he uses for his arthritis.  "My decision is to go to a different collective. I can’t be associated with that situation," he said. "When I look at medical marijuana, (dispensaries) come second, patients come first. You protect the patient.""

Hmm…does seem like HIPAA should protect this information, though, doesn’t it?

Technorati Tags





Leave a Reply