Was Marijuana Mishap a Privacy Breach?
Pot Dispensary Potentially Violated Mass. State Law
Massachusetts' first registered medical marijuana dispensary just began operating in June. But it didn't take long for the pot business to potentially violate state privacy regulations with a breach impacting 157 patients.
Alternative Therapies Group, based in Salem, Mass., on Aug. 13 reportedly sent a group email to some of its patients. However, instead of blind copying the patients - that is, hiding their email addresses in the "BCC" line of the message - it left each individual's email address visible to every other recipient, according to the Boston Globe, which reported the incident.
A woman who answered the phone at ATG declined to discuss the incident, referring Information Security Media Group to the dispensary's executive director, Chris Edwards, who did not immediately respond to a request for comment.
But in a statement issued to the Boston Globe, the dispensary said it regretted the error involving sensitive personal information. "We assure you that proper controls will be implemented immediately to prevent this from happening in the future." In a comment to the Globe, Edwards called the incident an "honest error."
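One concrete form the promised control could take is a pre-send check that counts the addresses a recipient will actually see. This is an added Python example, not the dispensary's code; the sender, patient addresses and tolerance value are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: placeholder addresses, not real patients.
SENDER = "clinic@example.org"
PATIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]


def build_group_message(sender, subject, body, recipients):
    """Bulk notice that hides recipients from one another.

    All recipients go in Bcc; the visible To header names only the sender.
    smtplib.SMTP.send_message() delivers to Bcc addresses but strips the
    Bcc header from the transmitted message, so recipients never see it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_message(sender, subject, body, recipients):
    """The mistaken pattern: every recipient listed in To, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses any recipient can read, i.e. everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers)]


def exposes_recipients(msg, limit=1):
    """Pre-send guard: True when more than `limit` distinct addresses are visible.

    `limit` is an assumed policy value; 1 allows a normal one-to-one email
    while flagging a group notice that should have used Bcc.
    """
    return len(set(visible_recipients(msg))) > limit
```

Wiring `exposes_recipients` in front of the mail-sending step refuses the message before it leaves, rather than relying on the person composing it to pick the right header.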
State Regulation Violation?
A spokeswoman for the Massachusetts Department of Health and Human Services tells ISMG that it appears ATG "violated the privacy piece of the licensure for a medical marijuana dispensary" in the state.
"As we would with any licensed facility, DPH is investigating the incident," the spokesperson said. "DPH holds patient privacy and safety paramount and will take action as necessary." The Department of Public Health is the unit responsible for medical marijuana dispensaries.
The spokesperson notes that there are two related state regulations regarding confidentiality in the Massachusetts medical marijuana program. "Every registered marijuana dispensary [RMD] shall have and follow a set of detailed written operating procedures. ... Operating procedures shall include, but need not be limited to, the following: ....[including] a plan describing how confidential information will be maintained."
The second state regulation says that information held by an RMD about registered qualifying patients, personal caregivers, and dispensary agents is "confidential and shall not be disclosed without the written consent of the individual to whom the information applies, or as required under law or pursuant to an order from a court of competent jurisdiction, provided however, the Department [of public health] may access this information to carry out official duties."
Not a HIPAA Breach
Privacy attorneys say the breach does not appear to violate federal HIPAA laws.
That's because the dispensary does not send medical claims to health insurers. "Healthcare providers - including medical marijuana dispensaries - are only subject to HIPAA if they electronically conduct certain administrative transactions involving health plans, such as electronically submitting a healthcare claim or checking an individual's health plan eligibility," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"If a medical marijuana dispensary does not submit claims to or otherwise interact with health plans, then it likely is not subject to HIPAA," he says.
In a statement, the Department of Health and Human Service's Office for Civil Rights, which oversees HIPAA enforcement, tells ISMG, "The HIPAA Rules apply to healthcare providers that conduct certain standard health care transactions electronically, health plans, healthcare clearinghouses and their business associates. If an entity is covered by the Rules, the individually identifiable health information maintained by the organization is protected under HIPAA. However, regardless of whether an entity is covered by HIPAA, it may also be subject to other federal or state confidentiality laws that also restrict certain disclosures."
The incident leaves "lots of open questions," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Any entity that has a security breach of any kind needs to think about state law," he says.
Most state breach laws apply only to limited kinds of information, such as Social Security numbers and credit card numbers, Nahra says. Under these laws, an email address by itself isn't covered information that requires a breach notification.
"There may be reasons to notify in any event, but that wouldn't be a specific requirement of the state law," Nahra says.
The answer to whether a healthcare provider must abide by HIPAA privacy and security requirements can sometimes get foggy, Nahra says.
"There are two questions under HIPAA: Are they a 'healthcare provider' and then, if they are, do they use any of the HIPAA standard transactions? Not all healthcare providers are covered by the HIPAA rules," he explains. "Through the convoluted history of the HIPAA statute, compliance obligations for healthcare providers for privacy and security are dependent on whether the provider uses the standard transactions - such as submitting an electronic claim to a health insurer."
For instance, a doctor who only uses paper, or doesn't directly bill insurance, is not a HIPAA-covered healthcare provider because of the "tortuous route of HIPAA compliance obligations," Nahra says.
"It makes little sense if your goal is to protect privacy, but that's how the statute and the rules work. So, even if they are considered a healthcare provider - and I'm not sure if [medical marijuana dispensaries] are - if they only take cash from patients, they likely aren't subject to the HIPAA rules, including the breach notification rule."
It's possible that privacy and security issues could become even hazier, as more states legalize medical marijuana, experts say.
"As the acceptance of the therapeutic use of marijuana grows, we are witnessing a budding medical marijuana industry take hold to meet the needs of patients," notes privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. However, while 17 states currently allow marijuana to be sold through dispensaries or other outlets, it's doubtful that these businesses will be held accountable for complying with federal privacy rules anytime soon, he says.
That's because OCR's authority to apply the HIPAA rules is limited to the jurisdiction set by Congress, he says. "Since the federal government does not allow for the dispensing of marijuana for therapeutic use, it is unlikely that these healthcare providers will be covered by HIPAA without express Congressional action to amend the law."
HIPAA aside, "in my opinion, a marijuana dispensary serving patients who are permitted to use this product for medical therapy breached their moral obligation to maintain the confidentiality of the individuals who were served through the organization," he says.