Patient X decides to pursue the simplest path to obtaining medical marijuana.
He visits the office of a doctor who specializes in medical-marijuana evaluations. If Patient X can articulate why marijuana would help alleviate his condition, the doctor issues what’s essentially a prescription: a one-page “recommendation.” It costs maybe $30 or $40, depending on whether Patient X has a coupon.
Patient X uses an iPhone app to locate the closest collective. In the lobby, he fills out a few pages of paperwork and hands over his recommendation and California-issued photo ID (e.g. driver’s license) to be photocopied or scanned. Once his recommendation is verified, Patient X is allowed to join the collective as a private member and access the part of the dispensary where he can purchase marijuana. The whole process can take less than an hour.
Throughout the process, Patient X’s anonymity has the potential to be compromised. He’s leaving a trail of sensitive data: medical information and evidence that he procured a drug that’s still illegal under federal law.
The doctor’s office may keep detailed records with a limited amount of confidentiality, but it also transmits some of that information to a third-party, online verification service for the collectives to access. The iPhone app may track the patient’s location, and, as a byproduct, Apple and services such as Google Maps also collect data. The ATM in the collective’s lobby records information, as does the bank on the other end.
Then there’s the collective itself.
CityBeat obtained a variety of blank membership agreements from San Diego collectives, a few directly from the dispensaries but most through lawyers who represent multiple collectives. Some of the agreements are a single page and took less than 30 seconds to fill out, while others comprised several stapled pages requiring item-by-item initialing.
For analysis, we provided the documents to the Privacy Rights Clearinghouse (PRC), a locally based national organization that advocates for consumer privacy through education and lobbying. The conclusion was grim -- collectives seem more interested in protecting their product than protecting patient privacy.
“The agreements, to me, are really more conditions that the members have to abide by in order to participate in the program,” PRC research director Tena Friery says. “I don’t see too much that’s reciprocal on the part of collective.”
Unlike pharmacies, there are no regulations that universally govern how collectives must handle personal information, leaving each collective to make up its own rules.
“Right now, it is self-regulation,” says Eugene Davidovich, the local spokesperson for the pro-medical-marijuana Americans for Safe Access. “It is an emerging field where standards are being developed as we go.”
However, there are some general principles, often referred to as FIPS (Fair Information Practices), that the PRC looks for in privacy agreements. These elements include disclosing what data is collected; how it’s used, stored and secured; and how long it’s retained. For medical-marijuana patients, the biggest question might be who has access to the information.“Several of these [agreements] mention that law enforcement could get access, but they don’t really mention, any of them, a requirement of a court-ordered warrant,” PRC director Beth Givens says. “So, you could get an aggressive law-enforcement officer walking in without a warrant just saying, ‘Give me this information,’ and it sounds to me like these collective operators might just sort of roll over and say, ‘Yup, here is it.’”
That these collectives aren’t even taking steps to disclose their policies and the risks to patients is alarming. Giving patients notice of the policy, Givens says, is the most important policy of all.
In July, Mother Earth’s alternative Healing Cooperative in East County became the first dispensary to receive official clearance to operate legally under San Diego County’s collective ordinance.
Of all the collective paperwork CityBeat and PRC analyzed, Mother Earth’s agreement required the most information, including basic medical history, current health problems and other medications taken. It did not include anything in the way of privacy disclosures.
Nevertheless, Mother Earth spokesperson Bob Riedel says the collective maintains a tight ship when it comes to privacy: Records are kept in locked filing cabinets, they never the leave the site and they aren’t shared without written consent.
But the collective is also compiling new data on its roughly 2,000 members on every visit.
“We track how many dollars they’ve spent, how many types of medicine they purchased, the type of medicine, the quantity of medicine,” Riedel says. “Everything is tracked, just like if you go Rite Aid. You can go to Rite Aid right now and say, ‘I need my print-out for the last year of what I’ve done with you guys.’ They can give you that. We can, too.”
One reason they collect that information is that it’s a requirement of the county ordinance. Another clause in the ordinance says that the San Diego County Sheriff’s Department must have access to these records, as well as a complete roster of the collective’s membership. This isn’t spelled out on the membership agreements.
“This definitely needs to be disclosed to collective members,” Givens says. “I think there is a potential for abuse, and, to me, that’s a significant issue.”
CityBeat asked Lance Rogers, the attorney who represents Mother Earth, why its paperwork doesn’t disclose the issue of warrantless law-enforcement access to records. Rogers responded that the agreement does state that the cooperative is “operating in full compliance” with “San Diego County Code 21.2501,” the ordinance that requires the access. We asked Rogers whether it was fair to assume patients know that’s what “full compliance” means.
“It’s my position that stating the law does put the patient on notice, but if there is additional information that would make it more clear, I’m happy to review it,” Rogers says.
Although collectives often agree that privacy is a priority, their lawyers say privacy does not trump a collective’s capacity to defend itself. In other words, most collectives would release information about patients, perhaps even compel them to testify in court involuntarily, if necessary to mount a criminal defense.
The standard collective agreement attorney Michael Cindrich uses contains a privacy disclosure that most collectives don’t have. According to the document, patient records will be kept in a file at the collective headquarters, but copies of those records will also be kept with the marijuana during transport, and growers may also keep the files with the plants. That way, collective employees and volunteers who possess the marijuana have evidence nearby to show it is for medicinal purposes. According to the disclosure, the collective will never destroy records, but it will redact the names of patients who terminate their memberships. The collective says it won’t disclose the identity of any patient, except under “severe legal emergencies.”
Patient privacy and the collective’s self-protection are “competing interests,” Cindrich says.
“When I draft an agreement on behalf of a collective, my main goals are to protect the collective, though I am conscientious of the patient’s privacy rights,” he says. “But, overall, the patients aren’t really taking that big of a risk by joining a collective. These collectives, by cultivating and providing medicine to patients, are taking a huge risk.”
Cindrich describes the member-collective relationship as a tradeoff: If you want the ease of obtaining medicine through a collective, then you have to be prepared to risk your privacy. He’d prefer not to subpoena an unwilling member, but he would if the testimony was necessary to defend his client.
“I think patients generally need to be aware, and if they’re not already aware, when you join a collective, there are certain responsibilities in being a member of that collective,” Cindrich says. “One of those responsibilities is, if necessary, to assist that collective in defending its organization should there be criminal prosecution.”
Alex Kreit, a professor at Thomas Jefferson School of Law and former chairperson of the city of San Diego’s Medical Marijuana Task Force, says it may pose a problem when the same attorney who helps a collective establish itself is also the attorney who defends it in court.
“The attorney has a duty first and foremost to the person that hired him,” Kreit says. “But if you’re talking about attorneys helping the collective set up... I think they’re a different story. You have a much stronger argument that attorneys should consider very seriously what [the collective] is going to do about patient records and what policy it is going to have. That they’re overlooking it right now, I think that’s a big omission.”
The manager of the Green Door Collective on Adams Avenue, who asked to be identified only as “Hopper,” says patients should also be concerned with the physical security of the documents. Unlike Cindrich’s clients, who are advised to keep the records with the marijuana at all times, Hopper says he stores the bulk of the records at his attorney’s office. He keeps only the most basic information on site.
“Let’s say, hypothetically, somebody broke into here and you were a patient,” Hopper says. “Would you want everything on you there? If somebody stole it, they would know your name, where you live, all of your information. I don’t think that’s right. I’m looking out for my patients and their privacy.”
That’s one reason dispensaries should disclose how they store the data and what methods they take to protect it. Robberies at collectives have become common in San Diego, with three cases in August alone. There’s also the question of what happened to records that were obtained during law-enforcement raids as far back as 2009. The Sheriff’s Department and the San Diego Police Department say they don’t maintain a database of patients. The U.S. Attorney’s Office didn’t respond to inquiries, while the District Attorney’s office didn’t deny the existence of such a list.
“The District attorney’s Office has not, and will not prosecute a legal, legitimate patient who uses medical marijuana,” the D.A. said in a prepared statement sent via email. The office would not respond to direct questions regarding patient privacy.
Davidovich, who became a leading figure in the collective community after he was prosecuted for his involvement in a collective, believes that law enforcement is, indeed, using the information to investigate patients.
“They’ll seize whatever they can in the collective, and later on, they’ll use that information to compile lists and databases of patients for whatever future prosecutorial use they may have for it,” he says. “That’s a major problem, and I think that to protect the collectives, I urge folks to keep patient records in electronic form and keep it off site in case of a raid.”
Incompetence can also threaten privacy. As KUSA-TV in Colorado reported last year, a binder full of collective patient records -- including home addresses, Social Security numbers and medical information -- was found outside by a dumpster in Boulder. In 2008, Hawaiian officials accidentally emailed to a newspaper reporter a file containing names and addresses of more than 4,200 patients who’d registered with the state.
After researching the issue for the purpose of this story, the Privacy Rights Clearinghouse says it’s learned enough that it may begin lobbying the state government to enact privacy standards for collectives. But while medical-marijuana patients remain oblivious or ambivalent to the consequences, reform may not gain much traction.
“One of the things we talk about as privacy advocates is the notion that companies can and should compete on the issue of privacy,” Givens says. “Over the years, we kind of learned that, often times, that’s not a big selling item, but it becomes a big item when there’s some kind of a disaster or a crisis or a major breach, and maybe that’s what is needed here -- a breach or some sort of an egregious situation where individuals who participate in these collectives have their very sensitive personal information made public in some way. Unfortunately, that all too often is what pushes the privacy agenda.”