Archive for the ‘Privacy and Compliance’ Category

Another Example of Insider Threat: Computer Security Specialist Uses Access to Snoop in the Department of Education Computer He Was Auditing

Sunday, May 7th, 2006

I’m catching up on the news from this past week, and I ran across a story from March 1 on the Department of Justice site about a systems auditor who was given access to place software on the computer he was auditing, and who "used that access on numerous occasions to view his supervisor’s email and Internet activity as well as other communications, and to share those communications with others in his office. Kwak carried out his crime and invaded his supervisor’s privacy for personal entertainment; there is no indication he profited financially from his actions." 

The auditor pleaded guilty and "faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pled guilty."  The crimes included "unauthorized access to a protected computer in furtherance of a criminal or tortious act."

"The prosecution was part of the “zero-tolerance policy” recently adopted by the U.S. Attorney’s Office regarding intrusions into U.S. government computer systems."

I think this type of activity probably occurs quite often.  As just one example, I know of a situation in one company where the documents within the print queue were viewable, and one middle-manager who discovered this made it a daily practice of constantly monitoring the documents printed…and he was quite proud of always having the inside scoop after reading all the emails and confidential memos.  He was very disappointed when the print queue documents became unviewable, along with the document names and those printing them.  He had been using the information he got on the sly to make proposals using others’ ideas, joke about others in the organization, and worse.  Too bad the company did not have a policy at the time covering this and his activity.

Many people think only of criminal activity or fraud when they consider the insider threat.  Another insider threat, just as real, is the clear violation of the confidentiality and privacy of others in the workplace.

Notice the actions and the resulting crime to which he pleaded guilty.  Let’s see…what types of activities are defined as "unauthorized access to a protected computer in furtherance of a criminal or tortious act"?  Let’s look at US Code Title 18, Section 1030, Fraud and related activity in connection with computers.   One candidate is this clause:

 
"(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;"

But, wait…he had authorization…to the computer system…but was he also given authorization to the email and Internet logs to perform that work?  That distinction is the one the statute actually turns on: 18 U.S.C. 1030(a)(2) covers obtaining information by accessing a computer "without authorization or exceeding authorized access", and the "in furtherance of any criminal or tortious act" language is the felony penalty tier in 1030(c)(2)(B)(ii) for such an offense (maximum five years, matching the penalty quoted above).  An insider who is given access for one task and uses it for another is the textbook case of exceeding authorized access.
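Both stories above (the auditor reading his supervisor’s mailbox "on numerous occasions", and the manager reading everyone’s print-queue documents) share one detectable pattern: an account repeatedly reading a resource it does not own and has no delegated right to read.  The script below is an added example, not code from the DOJ release or from either organization; the audit-log format, the field names and the delegation list are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Flag undelegated non-owner reads of mailboxes, print jobs and browsing logs.

Added example for illustration; the key=value log format, the resource types
and the DELEGATIONS table are assumptions, and the sample log is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample audit records, one event per line.
# 'actor' is the account performing the action; 'owner' is the account whose
# mailbox, print job or web-usage log is being read.
SAMPLE_LOG = """\
ts=2006-02-01T09:02:11 actor=auditor action=install host=ed-server-07
ts=2006-02-01T09:15:40 actor=auditor action=read resource=mailbox owner=supervisor
ts=2006-02-01T09:16:02 actor=auditor action=read resource=mailbox owner=supervisor
ts=2006-02-01T10:41:19 actor=supervisor action=read resource=mailbox owner=supervisor
ts=2006-02-01T11:03:55 actor=assistant action=read resource=mailbox owner=supervisor
ts=2006-02-02T08:30:07 actor=auditor action=read resource=printjob owner=finance
ts=2006-02-02T08:31:44 actor=auditor action=read resource=weblog owner=supervisor
ts=2006-02-02T13:00:00 actor=printops action=read resource=printjob owner=finance
"""

# Assumed delegations: (actor, resource type, owner). An owner of "*" means the
# actor services that resource type for everyone (an operator role).
DELEGATIONS = {
    ("assistant", "mailbox", "supervisor"),  # the supervisor's assistant reads her mail
    ("printops", "printjob", "*"),           # print operators service every queue
}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def is_delegated(actor, rtype, owner):
    return (actor, rtype, owner) in DELEGATIONS or (actor, rtype, "*") in DELEGATIONS


def find_non_owner_reads(log_text):
    """Return {(actor, resource_type, owner): count} for every read of another
    user's resource that no delegation covers. Installs, logins and the like
    are left alone: those were within the auditor's remit."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "read":
            continue
        actor, rtype, owner = rec.get("actor"), rec.get("resource"), rec.get("owner")
        if not (actor and rtype and owner) or actor == owner:
            continue  # reading your own mail or print job is normal
        if is_delegated(actor, rtype, owner):
            continue
        hits[(actor, rtype, owner)] += 1
    return dict(hits)


def repeat_offenders(hits, threshold=2):
    """Actors with at least `threshold` undelegated non-owner reads in total,
    which is what turns a one-off mistake into 'numerous occasions'."""
    per_actor = defaultdict(int)
    for (actor, _rtype, _owner), n in hits.items():
        per_actor[actor] += n
    return sorted(a for a, n in per_actor.items() if n >= threshold)


if __name__ == "__main__":
    found = find_non_owner_reads(SAMPLE_LOG)
    for (actor, rtype, owner), n in sorted(found.items()):
        print(f"{actor} read {rtype} of {owner}: {n} time(s)")
    print("repeat offenders:", repeat_offenders(found))
```

The detection is only as good as the delegation table: if nobody writes down who is allowed to read whose mail, every legitimate assistant shows up as an offender and the alerts get ignored.  That table is the "policy covering this" the print-queue company did not have.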

I wonder how the situation impacted that office? 

Yes, this news story is a few weeks old…but it is still a good example of one of the many types of insider threats that exist, and the consequences.

It is also an example of computer ethics…or the lack thereof.  Just because you have the ability to exploit the information to which you have access does not mean you should…ethics must be promoted and enforced in the workplace. 

Also something good for your awareness files, perhaps.





Using Airline Ticket Stubs for Identity Theft…or Worse…

Friday, May 5th, 2006

An interesting story was published in the Guardian Unlimited on Wednesday, "Q. What could a boarding pass tell an identity fraudster about you? A. Way too much."  So many little pieces of personal information floating around, and being tossed, it’s really amazing how much can be done with seemingly innocuous papers…such as those airline ticket stubs. 

The author of the article, Steve Boggan, described the item as a discarded British Airways boarding-pass stub that carried the traveller’s name, his seat number, his frequent-flyer number and an indication that he was a "Gold" standard passenger.

Boggan took the stub to a security guru, Adam Laurie; they logged on to the BA website, bought a ticket in the traveller’s name and then, using the frequent-flyer number from the stub and without being asked for a password, were given full access to all his personal details, including his passport number, the date it expired, his nationality and his date of birth. The system also allowed them to change the information.

They then used the information to find out on the Internet, within 15 minutes, where the traveller lived, who lived there with him, where he worked, the universities he had attended and how much his house was worth when he bought it.
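The failure in the story is a classic one: an identifier that is printed on a stub and thrown in a bin was treated as proof of identity, and the response handed back everything on file.  The following is an added example contrasting that flaw with a hardened lookup; it is illustrative code, not BA’s, and the record layout, the password handling, the lockout threshold and the sample account are all assumptions.

```python
"""Account lookup keyed on a frequent-flyer number: the flaw, then a hardened form.

Added example, not BA's code. The Account fields, PBKDF2 work factor, lockout
threshold and the sample record are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERS = 100_000   # assumed work factor; tune for the deployment
MAX_FAILURES = 5         # assumed lockout threshold


@dataclass
class Account:
    name: str
    ff_number: str
    passport: str
    passport_expiry: str
    nationality: str
    dob: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def make_account(name, ff_number, passport, expiry, nationality, dob, password):
    salt = os.urandom(16)
    return Account(name, ff_number, passport, expiry, nationality, dob,
                   salt, _hash_password(password, salt))


# Constructed sample record; not a real traveller or a real account.
ACCOUNTS = {a.ff_number: a for a in [
    make_account("A. Traveller", "12345678", "P9876543", "2009-06-30",
                 "GBR", "1967-04-12", "correct horse"),
]}


def lookup_insecure(ff_number):
    """The flaw in the story: the number printed on the stub is treated as proof
    of identity, so anyone holding the stub gets the whole record."""
    a = ACCOUNTS.get(ff_number)
    if a is None:
        return None
    return {"name": a.name, "passport": a.passport,
            "passport_expiry": a.passport_expiry,
            "nationality": a.nationality, "dob": a.dob}


def mask(value, keep=2):
    """Show only the last `keep` characters of an identifier."""
    return "*" * (len(value) - keep) + value[-keep:]


def lookup_secure(ff_number, password):
    """Hardened form: the number only selects the record; a secret the stub does
    not carry authenticates; repeated failures lock the record; and the response
    carries only what the booking flow needs, never the raw passport number."""
    a = ACCOUNTS.get(ff_number)
    if a is None or a.failed_attempts >= MAX_FAILURES:
        return None  # same answer for unknown and locked: no enumeration signal
    if not hmac.compare_digest(_hash_password(password, a.salt), a.pw_hash):
        a.failed_attempts += 1
        return None
    a.failed_attempts = 0
    return {"name": a.name, "passport": mask(a.passport), "nationality": a.nationality}


if __name__ == "__main__":
    print("stub only          :", lookup_insecure("12345678"))
    print("stub + bad password:", lookup_secure("12345678", "guess"))
    print("stub + password    :", lookup_secure("12345678", "correct horse"))
```

One caveat on the hardened version: a lockout keyed only on the frequent-flyer number lets whoever picks up the stub lock the real traveller out, so a production system would also throttle by source address and tell the owner about the failed attempts rather than silently counting them.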

Amazing…and scary…just a few pieces of seemingly innocent personal information can lead to so much…





Medical Identity Theft: Not Only Privacy Concerns, But Real Health Concerns According to Report Released Today

Wednesday, May 3rd, 2006

Over the years I’ve thought about the many different issues involved with privacy, but something I had not pondered before came to my attention today as I read the just-released World Privacy Forum report, "Medical Identity Theft: The Information Crime That Can Kill You."

It has always been a concern of mine, and many others, that lack of security controls within computer systems and lack of privacy protections can have real, physical impact upon people.  For example, some small modifications to the hospital databases for the amounts of medicine to administer to the patients could have insidious widespread and lethal impacts.  However, this new report brings up another possibility…having medical files modified and/or falsified by unauthorized persons, and then the real persons receiving the wrong, potentially fatal, medical treatment based upon the modifications in the records. 

The report indicates that, according to their research, between 225,000 and 500,000 people in the United States have been victims of this type of medical identity theft.

This is a 57-page report, quite intriguing reading.  Here are a few of the many findings I found interesting and sometimes somewhat shocking:

First, their definition of medical identity theft: 

"Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity – such as insurance information – without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name."

Now, just a few of the other excerpts:

"There have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission since January 1, 1992, the earliest date the FTC began recording such complaints.

  • Data from government identity theft hotlines and from identity theft surveys containing questions about medical use of data point with some consistency toward a range of approximately 1.5 to 2 percent for the rate of medically-related identity theft in comparison with other forms of identity theft.
  • Medical identity theft, as articulated by these numbers, translates in number of victims in 2003 to a range of a minimum of about 3,500 victims to up to a theoretical maximum of almost 3.25 million victims. However, our best estimate is that there could be as many as a quarter to a half million people who have been victims of this crime."

"Victims do not have clear pathways for recourse and recovery. The Fair Credit Reporting Act allows for greater recourse for victims of financial identity theft than the HIPAA health privacy rule provides for victims of medical identity theft. For example, victims do not have the legal right to demand correction of their medical information that was not created by the provider or insurer currently maintaining or using the information. This circularity can make it impossible for a medical identity theft victim to erase false entries from a medical or insurance record. This is true even when false entries were put in the record during the commission of a crime, such as health care fraud or medical identity theft."

Hmm…is this completely true?  Covered entities (CEs) are supposed to investigate, with demonstrated reasonable care, all requests from patients to correct PHI.  Of course, if the fraud is committed by an insider (which it sounds like it often is), the tracks can be covered pretty easily.

Remember that incident in January 2006, where Providence Health System notified 365,000 individuals that on December 31, 2005 their protected health information had been stolen from an employee’s car?  After reading this report, it seems that is exactly the type of data that could be used to commit medical identity theft without being readily noticed.  Many of the companies that have such incidents, and even the judges who determine the penalties (or lack of them), take into consideration whether any known fraud has occurred.  In the case of medical identity theft it would be very hard to know until long after the fact, as with the victims described in this report.

The report’s summary and findings include:

"This report finds that medical identity theft is deeply entrenched in the health care system. Identity theft may be done by criminals, doctors, nurses, hospital employees, and increasingly, by highly sophisticated crime rings. The report finds that medical identity theft victims need an expanded right to correct their medical files in order to recover from this crime, and need more specialized consumer education that is focused on correcting the specific harms of medical identity theft. Key recommendations in the report include:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Individuals should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Studies are needed to determine what the incidence of medical identity theft is, how and where it is occurring, and how it can be detected and prevented.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy."







How Often are National Security Letters Really Used?

Tuesday, May 2nd, 2006

Last Friday a news article was published in several places, "FBI sought information on 3,501 people last year using powerful investigative tool".  The story:

"The FBI secretly sought information last year on 3,501 U.S. citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said Friday. It was the first time the Bush administration has publicly disclosed how often it uses the administrative subpoena known as a national security letter, which allows the executive branch of government to obtain records about people in terrorism and espionage investigations without court approval.

Friday’s disclosure was mandated as part of the renewal of the Patriot Act, the administration’s sweeping anti-terror law.  The FBI delivered a total of 9,254 NSLs relating to 3,501 people in 2005, according to a report submitted late Friday to Democratic and Republican leaders in the House and Senate. In some cases, the bureau demanded information about one person from several companies. The department also reported it received a secret court’s approval for 155 warrants to examine business records last year, under a Patriot Act provision that includes library records. However, Attorney General Alberto Gonzales has said the department has never used the provision to ask for library records.  The number was a significant jump over past use of the warrant for business records. A year ago, Gonzales told Congress there had been 35 warrants approved between November 2003 and April 2005."

Hmm…well, curiosity led me to the Representative Fazio website, where I found a floor statement from November 8, 2005.  This statement indicates, among other things, that:

"Mr. Speaker, the Sunday Washington Post had an extraordinary story as a result of investigative journalism. The FBI has issued 30,000 national security letters. Now, we will have to back up for a moment to understand what that means. Four years ago, this Congress was stampeded under the anthrax attack and 9/11 into passing a bill it had not read, the U.S.A. PATRIOT Act, which contained many unconstitutional and dubious provisions, many bad ideas from past attorneys general, rejected by previous Congresses, passed in a hysterical time for the Congress.  Now it is about to be reauthorized, and, in fact, strengthened in many ways. This is one of the most disturbing aspects of that legislation. These national security letters used to be fairly rare. They used to issue about 300 a year. They are now issuing 30,000 a year, a 100-fold increase. This is an extraordinary intrusion into the personal lives of many Americans who are not accused of or even suspected of crimes."

I couldn’t find anything on the FBI site indicating 30,000 NSLs had been issued…but the first article indicated that this (2006) was the first year the Bush administration publicly disclosed the number of NSLs…9,254 in 2005.  I’m trying to figure out the incongruity here…

I couldn’t find any official counts for the number of times NSLs have been used on the Dept of Justice site, nor on the FBI’s site, nor on the Government Accountability Office site.  Shouldn’t this information be available to the public under the FOIA, or does the USA PATRIOT Act trump that?  Is this information classified?

Just trying to figure out how often NSLs really are used…




How Encryption Supports Compliance

Sunday, April 30th, 2006

If you’ve read some of my previous posts or articles you know that I am a proponent of using encryption to protect confidential information.  Today I posted a podcast discussing how encryption supports compliance as well as effectively protects personal information. 

Encryption is an under-utilized security tool.  Given the sheer number of today’s risks, threats and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from reading sensitive information and can thwart many types of attacks.  In today’s business environment, with sensitive information stored in multiple locations, many of them mobile, encrypting information is an effective privacy safeguard organizations can add to their arsenal of safeguards.  The caveat is that encryption only protects data at rest if the key is not sitting on the same device in a form the thief can use; a stolen laptop that boots straight into an unlocked disk has gained little from it.  In the podcast I also discuss incidents that have occurred and how laws, regulations and regulatory bodies encourage the use of encryption.

If you listen, please give me feedback on the content!  (Hey, I only know how to use my Audacity to record…I haven’t explored how to edit my podcasts…yet…so no, there are no fancy sound effects…just me talking!)  Also, if you have any thoughts about the issues I discuss, please let me know.





Another Laptop With Personal Info on ~40,000 Individuals, Including SSNs, Stolen From A Car

Thursday, April 27th, 2006

Well, the list of incidents involving the theft of a laptop containing personal information about a large number of people continues to grow.  A central Florida station reported:

"Health insurer Aetna Inc. reported that a laptop computer containing personal information on about 40,000 of its members was stolen, according to a Local 6 News report.  Aetna officials said that someone stole a laptop out of an employee’s vehicle.  The laptop contained personal information on 38,000 of its members, including names, addresses and Social Security numbers.  Aetna is sending letters to its members, Local 6 News has learned.  The insurance company said it has not detected that any of the information on the notebook computer has been used, the report said.  Watch Local 6 News for more on this story."

No mention of whether or not the data was clear text, but the report seems to imply it was not encrypted.

The mantra continues…

Encrypt personal information…don’t allow databases with large amounts of personal information on mobile computing devices…don’t leave laptops in cars…






Data Security Problems at the HHS and CMS…the Oversight Agency for the HIPAA Security Rule

Wednesday, April 26th, 2006

Today the Heartland Institute published an article, "HHS Data Not Secure," that is quite interesting to read.

"A U.S. Government Accountability Office (GAO) report released March 23 pointed out possible flaws in data security at the Centers for Medicare & Medicaid Services (CMS).  The GAO–Congress’s investigative arm–noted current controls on government health programs may put information at risk due to several weaknesses in the way information is handled.  According to the study, the U.S. Department of Health and Human Services and CMS have significant "weaknesses" and "vulnerabilities" in their data-control systems–particularly those "designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software."

‘Swiss Cheese’ Security

The study, requested by Senate Finance Committee Chairman Charles Grassley (R-IA), stated the reason for the weaknesses is HHS’s failure to implement a "department-wide information security program." A program exists, the study said, but has not yet been put in place.  "HHS relies on automated information systems and interconnected networks to process and pay medical claims; conduct medical research; manage its wide spectrum of health, disease prevention, and food and safety programs; and support its department-wide financial and management functions," the authors note. "Interruptions in HHS’s financial and information management systems could have a significant adverse effect on the health, welfare, and mental well-being of millions of American citizens who depend on its services.""

Okay…as an aside, Senator Grassley is from my home state…and he’s been doing a pretty darn good job as a senator for several years!  🙂

"The authors cited several examples of potential data security problems. One CMS Medicare contractor used a privately owned vehicle and an unlocked container to transport approximately 25,000 Medicare check payments over a one-year period. In another instance, 440 individuals were granted unrestricted access to an entire data center, including a sensitive area, although their jobs did not require them to have such access."

Ouch!  Excessive access…if they were a covered entity (CE) that would be a noncompliance issue.
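Two of the GAO findings quoted above, access that a job does not require and duties that are not segregated, are exactly what a periodic access review is meant to catch before an auditor does.  The script below is an added example of such a review, not anything from the GAO report or from HHS; the role matrix, the "toxic" entitlement pairs and the sample grants are assumptions constructed for illustration.

```python
"""Access review: excess entitlements and segregation-of-duties violations.

Added example, not from the GAO report. ROLE_NEEDS, TOXIC_PAIRS and GRANTS are
assumed, constructed data for illustration.
"""

# Entitlements each job role actually needs (assumed).
ROLE_NEEDS = {
    "claims_clerk": {"claims_app:read", "claims_app:write"},
    "developer":    {"source_repo:write", "test_env:admin"},
    "release_mgr":  {"prod_app:deploy"},
    "dc_operator":  {"datacenter:floor", "datacenter:sensitive_area"},
    "hr":           {"hr_app:read"},
}

# Pairs one person must never hold together (assumed): whoever can change
# application software must not also push it to production, and whoever
# enters a claim must not also approve it.
TOXIC_PAIRS = [
    ("source_repo:write", "prod_app:deploy"),
    ("claims_app:write", "claims_app:approve"),
]

# Constructed sample: user -> (assigned roles, entitlements actually granted).
GRANTS = {
    "alice": ({"claims_clerk"},      {"claims_app:read", "claims_app:write"}),
    "bob":   ({"developer"},         {"source_repo:write", "test_env:admin", "prod_app:deploy"}),
    "carol": ({"hr"},                {"hr_app:read", "datacenter:floor", "datacenter:sensitive_area"}),
    "dave":  ({"dc_operator", "hr"}, {"datacenter:floor", "datacenter:sensitive_area", "hr_app:read"}),
    "erin":  (set(),                 {"claims_app:write", "claims_app:approve"}),
}


def required_for(roles):
    """Union of what every assigned role needs; unknown roles contribute nothing."""
    need = set()
    for role in roles:
        need |= ROLE_NEEDS.get(role, set())
    return need


def excess_entitlements(grants=GRANTS):
    """{user: sorted entitlements that no assigned role requires}.
    A user with no roles at all is flagged for everything they hold."""
    out = {}
    for user, (roles, granted) in grants.items():
        extra = granted - required_for(roles)
        if extra:
            out[user] = sorted(extra)
    return out


def sod_violations(grants=GRANTS, toxic=TOXIC_PAIRS):
    """{user: toxic pairs of which the user holds both halves}."""
    out = {}
    for user, (_roles, granted) in grants.items():
        hits = [pair for pair in toxic if pair[0] in granted and pair[1] in granted]
        if hits:
            out[user] = hits
    return out


def holders_of(entitlement, grants=GRANTS):
    """Who can get into a given area; the '440 individuals' question."""
    return sorted(user for user, (_roles, granted) in grants.items()
                  if entitlement in granted)


if __name__ == "__main__":
    print("excess:", excess_entitlements())
    print("segregation of duties:", sod_violations())
    print("sensitive area:", holders_of("datacenter:sensitive_area"))
```

The review is only meaningful if the role matrix is maintained by the business owners rather than reverse-engineered from whatever people already hold; otherwise every existing grant becomes "required" by definition and the report is always clean.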

""We’re learning [Medicare/Medicaid recipients’] medical, personal, and financial information is vulnerable to fraud and abuse," Grassley said in a March 23 statement.  "Instead of firewalls to safeguard sensitive data, we have Swiss cheese," Grassley noted."

Great quote…I’m surprised he didn’t go on to say how it was probably attracting digital rats…

"Questions About Findings

But in a written response to Gregory Wilshusen, GAO’s director of Information Security Issues and the study’s author, HHS Inspector General Daniel Levinson stated, "The evaluation approach utilized by GAO does not provide an accurate or complete appraisal of the HHS enterprise-wide information security program.  HHS assesses risk periodically; disseminates necessary policies and procedures; develops security plans; delivers security awareness and training; tests and evaluates system controls at least annually; detects, responds to and reports incidents; plans continuity of operations; and maintains reliable monitoring and reporting capabilities," Levinson continued. "This programmatic structure, as mandated by law and proven in practice, led to the development of sound security practices and continuous improvement in HHS’s overall security posture."

While checks kept in unlocked cars are one issue, increased reliance on electronic data is another.  "Keep in mind that the electronic medical record (EMR) is not a mandate from the public," said Twila Brase, a registered nurse and president of the Citizen’s Council on Health Care, a Minnesota-based free-market health care organization. "It’s a mandate from payers, including government, health plans, and large employer groups. The public is not all that comfortable with the idea."

Patient Consent

A 2005 Harris Poll found 48 percent of those surveyed believe the benefits of a centralized database outweigh the risks, and 47 percent believe the risks outweigh the benefits, noted Brase. A 2000 Gallup poll found 95 percent of those polled didn’t want information released to a national database without their permission.  The only way to safeguard the information is to give patients consent over who gets access to their data, according to Brase.  "[The federal Health Insurance Portability and Accountability Act] allows data to be disclosed without ever telling the patient. States must pass strong patient-consent laws for electronic access to private data," Brase said.

In addition, the Health Information Technology Promotion Act of 2005 (H.R. 4157), currently pending in the House Subcommittee on Health, must not be allowed to pass in its current form, Brase said.  "It will abolish the right of states to enact real medical privacy laws," Brase said, "leaving all patients vulnerable to HIPAA’s permissiveness."

Slippery Slope

Rep. Nancy Johnson (R-CT), who introduced H.R. 4157 last October, said the bill would "make sure the national health [information technology] coordinator’s post is a permanent one" and "overcome some of the key obstacles that have slowed our progress toward adoption of a national, interoperable electronic system."  Brase said its effects will be felt more strongly in years to come.  "Everything will be recorded somewhere," Brase explained. "By electronically linking each child’s birth certificate with other seemingly innocuous government health databases [such as state immunization registries, newborn hearing screening registries, and newborn genetic testing registries], citizen profiles are being created from birth. This is a very slippery slope.  EMRs also can facilitate massive privacy breaches," said Brase. "It would require a truck in the middle of the night to carry 4,000 paper medical records out of a clinic, but it only takes a disk in a pocket or an e-mail transmission to steal those same records in electronic format in broad daylight."

For more information …

The U.S. Government Accountability Office’s Report to the Chairman, Committee on Finance, U.S. Senate February 2006, Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, is available online at http://www.gao.gov/new.items/d06267.pdf."

If you are interested in patient privacy and HIPAA issues, it is a very good read indeed.

"Information about the Citizen’s Council on Health Care is available on its Web site at http://www.cchc-mn.org."

Can an oversight agency, namely the CMS, responsible for enforcing a regulation, namely HIPAA, be entrusted to do satisfactory Security Rule compliance reviews or investigations if they themselves do not have good security?  What impact would that have on the credibility of their review findings?  Hmm…










European Investigation of Personal Information Privacy in the Private Health Insurance Sector Under Way

Monday, April 24th, 2006

If you do business internationally, it is good to track the country-specific privacy commissioner (or whatever the country-specific term happens to be) site.  It is also good to track the sites of organizations such as the European Union EU Working Party, Asia Pacific Economic Cooperation (APEC), and so on.

The EU Working Party posted the following notice in March about launching a data protection investigation specifically in the "private health insurance sector":

"The EU- Working Party for data protection is launching an investigation into the processing of personal data in the private health insurance sector early March 2006. It is the first time that the national Data Protection Authorities of the Member States, in the context of their activities in the Article 29 Working Party, undertake a co-ordinated EU-wide investigation. The aim of this investigation is to analyse whether and how the data protection regulations are being complied with in the private health insurance sector across the EU."

BTW, there are currently 25 EU member countries.

"This joint action will take place in the same time period. It starts in March and it is focusing on the processing of data by private health insurance companies offering private medical treatment insurance, in all the Member States. This sector has been selected because the processing of sensitive personal data is a key element of its activities and because of the potential impacts of non compliance upon a significant number of people across the European Union.

European citizens and the insurance sector have a shared interest in careful data management in compliance with the law and this joint investigation aims to contribute to this aim. In order to ensure a fruitful  cooperation with the sector involved, the CEA (European Federation of National Insurance Associations) has been regularly informed and an exchange of views has taken place during the preparation of the investigation action.

The investigation will be carried out through a questionnaire which is the same for each EU Member State, with questions focused on six areas in which data processing plays a particularly important role. The responses received will be evaluated both at national and at EU level. Based on the results, the Article 29 Working Party could subsequently decide to issue practical guidance for the sector at large and identify areas for future action with a view to improving compliance in the least burdensome way.

As a background to this, in a declaration of 25 November 2004, the Article 29 Working Party stated that the promotion of harmonised compliance with data protection legislation is one of its strategic and permanent goals. The declaration emphasizes the importance of enforcement as a means of increasing compliance. The Working Party expressed the aim of contributing to a more pro-active stance towards enforcement and announced that EU wide synchronized national enforcement actions would be undertaken in the years to come.

In addition to that, as a result of the first Report on the implementation of the Data Protection Directive in May 2003, the European Commission requested the Article 29 Working Party to consider the launching of sectoral investigations at EU level and the approximation of standards in this regard. These developments have resulted in the investigation action which will currently be undertaken."

There are likely many organizations impacted outside the EU.  I found a privacy self-assessment questionnaire on the site; I don’t know if it is the same one being used within this investigation or not.  However, even if your organization is not a health insurance company, if you do business in the EU you could benefit from doing this self assessment.  Sounds like sooner or later your organization may be part of a future investigation.







In the News…Potential HIPAA Violations?

Saturday, April 22nd, 2006

Today the Palm Springs, CA Desert Sun reported that a medical marijuana dispensary has to turn over client names, and discussed whether this is a violation of HIPAA.  The key to that answer is whether or not such an organization is considered a covered entity.  Of course, there could very well be other privacy laws being violated; however, when the information is health-related the focus often goes automatically to HIPAA…which makes sense, but could be the least effective route to take with regard to privacy rights.

"Palm Desert medical marijuana dispensary is being required to turn clients’ names over to authorities, and client advocates say that violates their privacy rights.  Palm Desert city attorney David Erwin said the deal between the city and the CannaHelp dispensary on El Paseo, is merely meant to ensure that the dispensary is obeying state law.  The agreement, negotiated by Erwin and James Warner of San Diego, a lawyer for the CannaHelp dispensary, requires the dispensary to turn over clients’ names and state ID card numbers to the Riverside County Sheriff’s Department.  Calls to Warner on Friday from The Desert Sun were not immediately returned.  Under the agreement, finalized and made public this week, CannaHelp is allowed to sell medical marijuana only to users with a state medical-marijuana ID card.

The Desert Sun obtained a copy of the March 31 agreement signed on April 10 through the city clerk’s office.  The dispensary must also provide the sheriff’s department with weekly sales records, including clients’ names and ID numbers, and allow officers to review sales records at the dispensary every other week.  And that, said Lanny Swerdlow of Palm Springs, head of the Marijuana Anti-Prohibition Project, a patient support group, is a violation of the federal Health Insurance Portability and Accountability Act – HIPAA – which ensures the confidentiality of patients’ medical records. Under the law, patient records can be released if the patient signs a waiver.  "The dispensary should be viewed as a health care provider; all health care providers are bound by HIPAA," Swerdlow said. "I can’t imagine any patient in their right mind wanting their name to be released to the sheriff’s office."

But Erwin said the state and federal laws do not apply to the dispensary because it is not a medical facility and its customers are not patients.  "We’re getting nothing about the individual or anything else," he said. "We are getting information to see if they are complying with the Compassionate Use Act of California.""

It’s not considered a covered entity?  What is a "medical marijuana dispensary"?  Every article I could find referred to the people who get their legal marijuana there as "patients" with their doctors’ prescriptions.  It appears from a State of California website that the folks going to these dispensaries are considered patients.  Would these dispensaries then be considered a type of pharmacy, dispensing what seems to be considered a drug in much the same way?  That’s probably the sticky wicket in this case.

"Passed by ballot initiative in 1996, that act, better known as Proposition 215, legalized medical marijuana for individuals with a doctor’s letter of recommendation. Senate Bill 420, passed in 2003, provided guidelines for implementing the law and required counties to set up offices to help issue the state IDs, which are supposed to be voluntary.  Mike Lerner of La Quinta, a CannaHelp client, said he had not applied for an ID yet, but if he had, he would not mind the sheriff’s office getting his name and ID number.  "You’re putting your name on the county register when you sign up. It’s a matter of public record," he said.

Room for compromise?  At the dispensary, owner Stacy Hochanadel said he would comply with the agreement but was still uncomfortable about turning over clients’ names.  "I’m trying to figure out if giving them just the ID numbers would be good enough to see if they’re verified," he said. "I don’t want to be sued for divulging confidential client information.""

I don’t know…would this be a case of California state law preempting HIPAA?  Normally it works the other way around: HIPAA preempts contrary state law, except where the state law is more stringent in protecting the privacy of health information, in which case the state law stands.

"Palm Desert Mayor Jim Ferguson indicated Friday there might be room for compromise.  "(The agreement) should probably (be limited to) the ID number," he said. "I am not of the mind to collect information on individuals and turn it over to law enforcement. We honestly are trying to do the right thing."  But Erwin said that without clients’ names, "the agreement is not very effective. All you get is a number. What are we going to do with a number?" 

Conflicts of law

The question of exactly which laws do and don’t apply to the dispensary is further complicated by the conflict between California and federal law.  Using, growing or selling marijuana is illegal under federal law, and the U.S. Supreme Court ruled in June in Raich v. Gonzales that federal law takes precedence over state medical marijuana laws like California’s.  Alan Zamansky of the California Office for HIPAA Implementation said that means medical marijuana users are not covered by federal privacy protections.  And he said SB420 allows the city "to adopt and enforce regulations and laws relative to (the dispensary). The conditions that they made would appear to be helping to enforce that by ensuring only appropriate people would be able (to buy medical marijuana).""

Well…this is interesting…so the precedent cited is that federal law preempts the state medical marijuana law, and from that the conclusion is drawn that the federal HIPAA privacy protections do not reach these patients?  Whether HIPAA applies should turn on whether the dispensary is a covered entity handling health information, not on whether the drug itself is legal under federal law, shouldn’t it?

"On the other side of the argument, Peter Warren, spokesman for the California Medical Association, notes that the California Supreme Court ruled in 2004 that doctors’ records relating to a patient’s use of medical marijuana are confidential.  And, he said, that protection could extend to dispensary records, like ID card numbers or the doctors’ letters of recommendation required to get them.  "One can presume under Proposition 215, something that authorizes (medical marijuana use) in a legal circumstance for a medically approved use is a medical record," he said."

This is a very good point…if a doctor has to recommend it before a licensed dispensary will dispense it, then the recommendation and the dispensary’s records of it would certainly seem to fall under HIPAA’s treatment, payment and health care operations (TPO) uses…and the accompanying protections for protected health information (PHI), at least if the dispensary is a covered entity.

"Another state Supreme Court decision, People v. Mower, in 2002, ruled that state officials have to treat medical marijuana the same as any other doctor-recommended drug, said Kenneth Michael White, a legal adviser for the Marijuana Anti-Prohibition Project, Swerdlow’s group.  "We’re talking about people’s medicine," White said. "You don’t usually have to waive medical privacy to get your medicine at a pharmacy."

Patients come first

Hochanadel said he will be posting notices at the dispensary advising clients that their names may be given to the sheriff’s department.  He is also concerned that sheriff’s officials could turn the biweekly reviews of his sales record into fishing expeditions.  "Am I going to have to justify every person? I have no idea who’s coming into my store, what their educational background is in medicine; it’s up in the air," he said. 

Representatives from the Riverside County Sheriff’s Department did not return calls seeking comment Friday.  Ryan Michaels, a former client at CannaHelp, said he had decided to find other sources for the medical marijuana he uses for his arthritis.  "My decision is to go to a different collective. I can’t be associated with that situation," he said. "When I look at medical marijuana, (dispensaries) come second, patients come first. You protect the patient.""

Hmm…does seem like HIPAA should protect this information, though, doesn’t it?

Compliance Q&A: Myths, mistakes and management advice

Wednesday, April 19th, 2006

I recently spoke with Jenny Wiseman at TechTarget about some common compliance myths.  The story, "Compliance Q&A: Myths, mistakes and management advice," was published today.

Check it out and let me know what you think…especially if you think I left out something critical during my discussion.
