Pubdate: Wed, 31 Aug 2011
Source: San Diego City Beat (CA)
Copyright: 2011 San Diego City Beat
Contact:  http://www.sdcitybeat.com/
Details: http://www.mapinc.org/media/2764
Author: Dave Maass
Note: CityBeat interns Marshall Murphy and Andrea Aliseda contributed
reporting for this story.

MEDICAL-MARIJUANA PATIENTS ARE IN COLLECTIVE DENIAL

Membership Agreements Favor the Pot Dispensary Over Personal
Privacy

Patient X decides to pursue the simplest path to obtaining medical
marijuana.

He visits the office of a doctor who specializes in medical-marijuana
evaluations. If Patient X can articulate why marijuana would help
alleviate his condition, the doctor issues what's essentially a
prescription: a one-page "recommendation." It costs maybe $30 or $40,
depending on whether Patient X has a coupon.

Patient X uses an iPhone app to locate the closest collective. In the
lobby, he fills out a few pages of paperwork and hands over his
recommendation and California-issued photo ID (e.g. driver's license)
to be photocopied or scanned. Once his recommendation is verified,
Patient X is allowed to join the collective as a private member and
access the part of the dispensary where he can purchase marijuana. The
whole process can take less than an hour.

Throughout the process, Patient X's anonymity has the potential to be
compromised. He's leaving a trail of sensitive data: medical
information and evidence that he procured a drug that's still illegal
under federal law.

The doctor's office may keep detailed records with a limited amount of
confidentiality, but it also transmits some of that information to a
third-party, online verification service for the collectives to
access. The iPhone app may track the patient's location, and, as a
byproduct, Apple and services such as Google Maps also collect data.
The ATM in the collective's lobby records information, as does the
bank on the other end.

Then there's the collective itself.

CityBeat obtained a variety of blank membership agreements from San
Diego collectives, a few directly from the dispensaries but most
through lawyers who represent multiple collectives. Some of the
agreements are a single page and took less than 30 seconds to fill
out, while others comprised several stapled pages requiring
item-by-item initialing.

For analysis, we provided the documents to the Privacy Rights
Clearinghouse (PRC), a locally based national organization that
advocates for consumer privacy through education and lobbying. The
conclusion was grim -- collectives seem more interested in protecting
their product than protecting patient privacy.

"The agreements, to me, are really more conditions that the members
have to abide by in order to participate in the program," PRC research
director Tena Friery says. "I don't see too much that's reciprocal on
the part of the collective."

Unlike pharmacies, there are no regulations that universally govern
how collectives must handle personal information, leaving each
collective to make up its own rules.

"Right now, it is self-regulation," says Eugene Davidovich, the local
spokesperson for the pro-medical-marijuana Americans for Safe Access.
"It is an emerging field where standards are being developed as we
go."

However, there are some general principles, often referred to as FIPs
(Fair Information Practices), that the PRC looks for in privacy
agreements. These elements include disclosing what data is collected;
how it's used, stored and secured; and how long it's retained. For
medical-marijuana patients, the biggest question might be who has
access to the information.

"Several of these [agreements] mention that law enforcement could get
access, but they don't really mention, any of them, a requirement of a
court-ordered warrant," PRC director Beth Givens says. "So, you could
get an aggressive law-enforcement officer walking in without a warrant
just saying, 'Give me this information,' and it sounds to me like
these collective operators might just sort of roll over and say, 'Yup,
here it is.'"

That these collectives aren't even taking steps to disclose their
policies and the risks to patients is alarming. Giving patients notice
of the policy, Givens says, is the most important policy of all.

***

In July, Mother Earth's Alternative Healing Cooperative in East County
became the first dispensary to receive official clearance to operate
legally under San Diego County's collective ordinance.

Of all the collective paperwork CityBeat and PRC analyzed, Mother
Earth's agreement required the most information, including basic
medical history, current health problems and other medications taken.
It did not include anything in the way of privacy disclosures.
Nevertheless, Mother Earth spokesperson Bob Riedel says the collective
maintains a tight ship when it comes to privacy: Records are kept in
locked filing cabinets, they never leave the site and they aren't
shared without written consent.

But the collective is also compiling new data on its roughly 2,000
members on every visit.

"We track how many dollars they've spent, how many types of medicine
they purchased, the type of medicine, the quantity of medicine,"
Riedel says. "Everything is tracked, just like if you go to Rite Aid. You
can go to Rite Aid right now and say, 'I need my print-out for the
last year of what I've done with you guys.' They can give you that. We
can, too."

One reason they collect that information is that it's a requirement of
the county ordinance. Another clause in the ordinance says that the
San Diego County Sheriff's Department must have access to these
records, as well as a complete roster of the collective's membership.
This isn't spelled out on the membership agreements.

"This definitely needs to be disclosed to collective members," Givens
says. "I think there is a potential for abuse, and, to me, that's a
significant issue."

CityBeat asked Lance Rogers, the attorney who represents Mother Earth,
why its paperwork doesn't disclose the issue of warrantless
law-enforcement access to records. Rogers responded that the agreement
does state that the cooperative is "operating in full compliance" with
"San Diego County Code 21.2501," the ordinance that requires the
access. We asked Rogers whether it was fair to assume patients know
that's what "full compliance" means.

"It's my position that stating the law does put the patient on notice,
but if there is additional information that would make it more clear,
I'm happy to review it," Rogers says.

***

Although collectives often agree that privacy is a priority, their
lawyers say privacy does not trump a collective's capacity to defend
itself. In other words, most collectives would release information
about patients, perhaps even compel them to testify in court
involuntarily, if necessary to mount a criminal defense.

The standard collective agreement attorney Michael Cindrich uses
contains a privacy disclosure that most collectives don't have.
According to the document, patient records will be kept in a file at
the collective headquarters, but copies of those records will also be
kept with the marijuana during transport, and growers may also keep
the files with the plants. That way, collective employees and
volunteers who possess the marijuana have evidence nearby to show it
is for medicinal purposes. According to the disclosure, the collective
will never destroy records, but it will redact the names of patients
who terminate their memberships. The collective says it won't disclose
the identity of any patient, except under "severe legal
emergencies."

Patient privacy and the collective's self-protection are "competing
interests," Cindrich says.

"When I draft an agreement on behalf of a collective, my main goals
are to protect the collective, though I am conscientious of the
patient's privacy rights," he says. "But, overall, the patients aren't
really taking that big of a risk by joining a collective. These
collectives, by cultivating and providing medicine to patients, are
taking a huge risk."

Cindrich describes the member-collective relationship as a tradeoff:
If you want the ease of obtaining medicine through a collective, then
you have to be prepared to risk your privacy. He'd prefer not to
subpoena an unwilling member, but he would if the testimony was
necessary to defend his client.

"I think patients generally need to be aware, and if they're not
already aware, when you join a collective, there are certain
responsibilities in being a member of that collective," Cindrich says.
"One of those responsibilities is, if necessary, to assist that
collective in defending its organization should there be criminal
prosecution."

Alex Kreit, a professor at Thomas Jefferson School of Law and former
chairperson of the city of San Diego's Medical Marijuana Task Force,
says it may pose a problem when the same attorney who helps a
collective establish itself is also the attorney who defends it in
court.

"The attorney has a duty first and foremost to the person that hired
him," Kreit says. "But if you're talking about attorneys helping the
collective set up... I think they're a different story. You have a
much stronger argument that attorneys should consider very seriously
what [the collective] is going to do about patient records and what
policy it is going to have. That they're overlooking it right now, I
think that's a big omission."

***

The manager of the Green Door Collective on Adams Avenue, who asked to
be identified only as "Hopper," says patients should also be concerned
with the physical security of the documents. Unlike Cindrich's
clients, who are advised to keep the records with the marijuana at all
times, Hopper says he stores the bulk of the records at his attorney's
office. He keeps only the most basic information on site.

"Let's say, hypothetically, somebody broke into here and you were a
patient," Hopper says. "Would you want everything on you there? If
somebody stole it, they would know your name, where you live, all of
your information. I don't think that's right. I'm looking out for my
patients and their privacy."

That's one reason dispensaries should disclose how they store the data
and what measures they take to protect it. Robberies at collectives
have become common in San Diego, with three cases in August alone.
There's also the question of what happened to records that were
obtained during law-enforcement raids as far back as 2009. The
Sheriff's Department and the San Diego Police Department say they
don't maintain a database of patients. The U.S. Attorney's Office
didn't respond to inquiries, while the District Attorney's office
didn't deny the existence of such a list.

"The District Attorney's Office has not, and will not prosecute a
legal, legitimate patient who uses medical marijuana," the D.A. said
in a prepared statement sent via email. The office would not respond
to direct questions regarding patient privacy.

Davidovich, who became a leading figure in the collective community
after he was prosecuted for his involvement in a collective, believes
that law enforcement is, indeed, using the information to investigate
patients.

"They'll seize whatever they can in the collective, and later on,
they'll use that information to compile lists and databases of
patients for whatever future prosecutorial use they may have for it,"
he says. "That's a major problem, and I think that to protect the
collectives, I urge folks to keep patient records in electronic form
and keep it off site in case of a raid."

Incompetence can also threaten privacy. As KUSA-TV in Colorado
reported last year, a binder full of collective patient records --
including home addresses, Social Security numbers and medical
information -- was found outside by a dumpster in Boulder. In 2008,
Hawaiian officials accidentally emailed to a newspaper reporter a file
containing names and addresses of more than 4,200 patients who'd
registered with the state.

After researching the issue for the purpose of this story, the Privacy
Rights Clearinghouse says it's learned enough that it may begin
lobbying the state government to enact privacy standards for
collectives. But while medical-marijuana patients remain oblivious or
ambivalent to the consequences, reform may not gain much traction.

"One of the things we talk about as privacy advocates is the notion
that companies can and should compete on the issue of privacy," Givens
says. "Over the years, we kind of learned that, oftentimes, that's
not a big selling item, but it becomes a big item when there's some
kind of a disaster or a crisis or a major breach, and maybe that's
what is needed here -- a breach or some sort of an egregious situation
where individuals who participate in these collectives have their very
sensitive personal information made public in some way. Unfortunately,
that all too often is what pushes the privacy agenda."
---
MAP posted-by: Richard R Smith Jr.