A Medical Marijuana Registry Should Protect Patient Privacy

Friday, September 9, 2011

Washington remains the only medical marijuana state not to have a patient registry. Washington’s medical marijuana law also fails to provide patients any protection from arrest. Law enforcement resistance to providing arrest protection has been based in part on the absence of a state-run registry.

Lawmakers tried to remedy this situation in the 2011 legislative session by including a cutting-edge, privacy-protecting patient registry in SB 5073 (sponsored by Sen. Jeanne Kohl-Welles). Participation in the registry would have been voluntary, not mandatory. Patients who participated would have received protection from arrest. The legislature passed the bill; unfortunately, a partial veto by Gov. Gregoire eliminated the registry provisions – and the arrest protection as a result. The governor was not concerned about the patient registry design itself, but the language happened to be in the same section of the bill as separate registry provisions dealing with the licensing of medical marijuana producers, processors, and dispensers. The governor worried that licensing and regulating the production and distribution of medical marijuana would put state employees at risk of arrest and prosecution under federal law (an outcome that has not happened in any of the states that have dispensaries). These fears resulted in her vetoing the entire section, including the patient registry.

Legislators may try again in 2012. If they do, they should build upon the multi-disciplinary collaboration among technology experts, lawyers, and policy wonks that led to a framework for creating the first medical marijuana registry designed with patient privacy foremost in mind.

The biggest reason a privacy-protecting medical marijuana patient registry is needed is the continued federal prohibition of marijuana. Federal agents have twice subpoenaed registry records: in Oregon in 2007 (the ACLU helped get the subpoena quashed) and more recently in Michigan (the records were ordered disclosed). In Hawaii, a state employee voluntarily turned over patient information to a newspaper reporter.

Patient registries contain sensitive medical information – most obviously, the fact that the registered patient suffers a serious illness like cancer or AIDS. This information should not be available to federal law enforcement; medical use of marijuana is not recognized as a defense in federal court, so there is no reason federal agents and prosecutors need to know about it. State employees certainly shouldn’t be allowed to disclose such information to reporters, and privacy-protecting features can ensure such disclosures don’t happen accidentally.

The registry requirements proposed in SB 5073 would have prevented disclosure of any personally identifying patient information (names, addresses, medical conditions) and thus would have made attempts by federal law enforcement to access the records pointless. They also would have avoided any inadvertent disclosure by state employees charged with maintaining the system. The design grew out of a series of consultations between the University of Washington – Security and Privacy Research Lab and the ACLU of Washington. A registry built in compliance with SB 5073 could have worked as follows:

  •  A qualifying patient’s health care provider would register the patient with the Department of Health (DOH) by logging into the system with a unique identifier to verify her status as a Washington-licensed health care provider, and uploading a photo of the patient.
  •  The system would generate a random, unique number; provide the number to the registering health care provider to be noted in the provider’s private medical records; and create a wallet card with the number, patient’s photo, and an expiration date. DOH would receive no personally identifying patient information and would retain only the unique number and expiration date. The photo would be deleted after creation of the card.
  •  DOH would send the card to the health care provider who made the request. The health care provider would match the number against her records to deliver the card to the patient. DOH would never know the identity of the patient registered by the health care provider.
  •  The patient would then have a DOH-issued card he or she could present to law enforcement that would include a photo for identification purposes. Law enforcement would be able to check the validity of the randomly generated identification number against DOH’s database at any time.  
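
The registration and verification flow in the list above, sketched as an added example (not code from SB 5073, DOH, or the University of Washington lab). The 365-day validity period, the 16-hex-digit number format, the provider ID, and the names `Registry`, `WalletCard`, and `export_records` are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

VALIDITY = timedelta(days=365)  # assumption: the page gives no validity period


@dataclass(frozen=True)
class WalletCard:
    """Printed once and sent to the provider; the registry keeps no copy."""
    number: str
    photo: bytes
    expires: date


class Registry:
    def __init__(self, licensed_providers):
        self._licensed = frozenset(licensed_providers)  # provider license IDs
        self._records = {}  # number -> expiration date: the only retained state

    def register(self, provider_id, photo, today):
        """Provider-initiated; accepts no patient name, address or condition."""
        if provider_id not in self._licensed:
            raise PermissionError("not a Washington-licensed health care provider")
        number = secrets.token_hex(8)   # random, so it encodes nothing about the patient
        while number in self._records:  # enforce uniqueness
            number = secrets.token_hex(8)
        expires = today + VALIDITY
        self._records[number] = expires  # neither photo nor provider_id is stored
        return WalletCard(number, photo, expires)

    def is_valid(self, number, today):
        """Law-enforcement check: reveals only registered-and-unexpired or not."""
        expires = self._records.get(number)
        return expires is not None and today <= expires

    def export_records(self):
        """Everything the registry could produce if its records were disclosed."""
        return sorted(self._records.items())


if __name__ == "__main__":
    reg = Registry({"PROV-001"})  # constructed provider ID
    card = reg.register("PROV-001", b"constructed-photo-bytes", date(2011, 9, 9))
    print(reg.is_valid(card.number, date(2011, 12, 1)))
    print(reg.export_records())
```

The link between a card number and a patient exists only in the provider's private medical records, which is why the provider, not DOH, delivers the card.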

This type of system would protect patient privacy while giving law enforcement reassurance that a patient’s authorization was valid. It would also prevent the state from collecting large amounts of patient information that could end up in the hands of federal law enforcement or employers. This design would be unique among medical marijuana registries.

All too often, privacy-affecting policies are codified into law without the kind of cross-disciplinary consultation that provided the foundation for SB 5073’s registry design. Harmful, unforeseen results can occur. Technological advances, increased sharing of information, and government and commercial data mining practices all compromise individual privacy and can lead to unintended consequences.

To ensure that personal information is protected now and in the future, it’s important not only that privacy experts be consulted before new policies are adopted, but also that the policies mandate periodic updating. For example, SB 5073 required that “the registration system must be upgradable and updated in a timely fashion to keep current with state of the art privacy and security standards and practices.” Such foresight ensures that individuals – medical marijuana patients, prescription drug users, or anyone else asked to share private information – are protected today and into the future.