PSA4 – Know your Exposure

Sure … it’s a class C felony if someone accesses the “patient database” in an unauthorized manner for unauthorized reasons in an unauthorized way.  Unless, of course, they are so authorized.

I just realized (thanks to Danielle’s 502Cannabis Google Groups’ forum) that retailers appear to be required to retain your database information (think scanned images of your patient card and other stuff) on file for at least 5 years.

As patients being forced to be illegal, be straight, or be monitored and punitively taxed, I thought you should add this into your decision-making regarding how to approach sourcing your meds in the world in which you are now allegedly being legislatively protected.

I’ve since confirmed that the language below resides in WAC 69.51A.230 (section 6):

The database administrator must retain database records for at least five calendar years to permit the state liquor and cannabis board and the department of revenue to verify eligibility for tax exemptions.

In our “every retailer is a database administrator” newly-minted medical world focused on Protecting the Patients with every Action taken, this strikes me as a patient confidentiality disaster just waiting to erupt.

Unedited … here was my off-the-cuff response when the existence of the “5-year rule” first sank in.

******************************(forum post follows)*********************************************

So … if I get this correctly, the new rules for medical Cannabis require retailers to hold, on file, images of their patients’ registration cards for a period of not less than 5 years.

(note … I’m not doing my usual fact-checking here … I’d appreciate if someone would confirm if this is true or not)

If so, our current rules ensure that, 5 years from now, there will be an accessible record of every access point used by every patient spanning the entire 5 year period in which dates, times and dollar amounts of purchases and what was purchased might be accessible.

The data geek (and voyeur) in me is just trembling.  Gotta sit down.  Gotta calm down.  Perhaps a drink would help?

Data good … people bad.

The patient in me, however, is finding yet another reason to be neither registered nor tracked as such.

Perhaps a very clear summary of the HIPAA (patient privacy) issues surrounding this might be in order.

One not written by lawyers (but, of course, vetted by them).

*******************************(end of forum post)*********************************************

After looking at some of the enabling legislation and related rules, DOH is clearly trying to keep the availability of your personal and immensely private health information heavily limited.  Regardless, the 5-year rule seems excessive, and the distributed database system comprising hundreds of retailers and their consultants/administrators seems like a house of cards ready to tumble (or be “Airlift”ed away?).

As you may have guessed,  I’m no longer an officially-recognized patient.  I suspect many of you are in a similar situation.

Here is something I have not fact checked (and likely won’t … so feel free to help out by doing so and posting your findings in a comment, if you’d be so kind).

I’ve heard some talk regarding an exemption or exemptions to standard HIPAA requirements (and accountability) in this newly-minted medical Cannabis world.  Is that true?  Do such things exist or are they being considered as insulation from the inevitable breaches that will occur?

If that’s true, then that might be worth some concern to those of you trusting the system to deliver on its promise of protecting both you and your sensitive and personally-identifying information not only today, but during the required multi-year window during which it must be kept on file.

I guess having a felony to deter potential data perps helps.  Just like the felonies for Cannabis helped stop it from being ingested.

Just more stuff for you to think about.

At least I was able to hold off on the fact that you’ll be on camera approaching the store, entering the store, shopping in the store, purchasing in the store and exiting the store (facial-recognition and license-plate recognition capabilities extra).  I know for a fact that all of you look just wonderful on camera … so no worries there.

I sincerely hope that you do not find my non-empirical concerns a burden.

I’ll have another data-based PPA out soon.

Jim

7 comments

  1. Here’s another really great reason not to be registered in the state database, for a certain segment of the population called gun owners.

    Title 18 United States Code § 922 (g)(3) states that it is illegal for any user of any controlled substance, specifically including “Marihuana” (sic), to possess, use, etc. any firearm or ammunition. Violation: 10 years.

    Got a Concealed Pistol License from Washington? Kiss that goodbye! How long do you think it will take for various municipalities to inquire into the state database, especially for those municipalities where bans and moratoriums exist, or the chief LEO doesn’t like CPLs?

    1. Wonderful point, Steve.
      In one of the ironies I love so much in life, this almost makes being a Cannabis consumer a “Federal Enhancement”.

      It seems that this may further nurture the for-profit penal system beloved by many and, indirectly, will further nurture all those in the judicial and enforcement arms that feed off the system.

      I have a proposed solution in need of a technical answer (and will pay $100 to anyone that comes up with a defensible and patentable specific answer and that is also willing to sign their rights to said solution over to me for said $100).

      This solution is inspired by the cluster-fuck of excuses and brain-farts that seem to stem from officials whose hands are partially tied by the Federal Guvdurnment refusal to recognize Cannabis for what it is and for what hundreds of thousands of Washingtonians are now regularly using it.

      Here’s the idea… it’s simple. If anyone steals this idea, please at least set it free after a while.

      Since Cannabis is not Federally regulated, we simply need a hemp-based cylinder (cone-shaped may have both physical and imaginative benefits) to be designed and produced that is capable of delivering a cannabis-seed-shell-based compressed and very dense projectile-like object following sudden propulsion by a cannabis-flower-based rapidly-combusting material.

      We could brand it the “PotGun” and it would not be covered by any Federal Law or statute, because Cannabis is not real to the Feds (except, of course, on that farm they contract with down South). We could call the flower-based material that combusts quickly “dabpowder”. It also would not exist, Federally, given the non-plant plant from which it was derived. We would, of course, have to extract most (if not all) of the restricted Cannabinoids out of the raw material prior to manufacture (side benefit for employees of “PotGun, Inc”?).

      I’m thinking that my niche in this new market could be designing different strain-specific projectile-like seed hull objects. The brand name possibilities just make me shiver:

      The Shatterer – our frangible round, employing BHO in its manufacture.

      The Vape – our practice round, which vaporizes upon impact, leaving a wee splotchy stain behind

      The Skunk – our make-the-target-remember-they-were-a-target-and-regret-that-fact-for-awhile round*

      * Note re: The Skunk: I am not sure if this crosses any lines re: international laws concerning chemical/biological weapons, or ethical bounds concerning the appropriate use and treatment of real living skunks commercially, but I like the idea of something that smells bad being able to be delivered in a non-lethal way across long distances with some precision. Something that sticks with the target.

      We’d start the company with these three non-lethal (less-lethal?) product lines.

      With only less-lethal, Cannabis- and Hemp- derived components, there should be no problems with law or regulation … they will simply all not apply. So long as B&O is paid, should be good to go.

      If we are successful in this effort, and if emerging forms of alternate law enforcement become interested, perhaps we’d have to add a more task-appropriate product line:

      The Bomb – our larger-caliber line, one that tends to put one on the floor (or couch) with one hit

      Our new industry organization, defending the right of Americans (the rest of the Human Beings in the country) everywhere to bear these “non-Arms”, would — I hope you will agree appropriately — be called the Non-Rifle Association.

      Thanks again, Steve … the point you raise is an important one and I hope you know that this lengthy commentary is not intended to make light of it (says Jim as he stares through the looking glass you so nicely placed before him this morning).

      Two questions …. If we were unable or unwilling to extract the Cannabinoids from the raw material, would we still be allowed to carry the PotGun without a concealed carry permit? It is, after all, a non-arm by my argument above.

      I’m also curious as to whether this would only be an issue in cases where the PotGun gun weighs more than an ounce? As a follow-up, will patients now be allowed to have a PotGun that weighs more than one OZ adding to the many benefits of being a regulated and tracked patient? (my early mental research has suggested that The Bomb would likely require such a modification).

  2. as a retailer we would not have access to purchase amounts, that would be theoretically in the hands of the lcb/dor traceability system.
    why we have to KEEP a copy of every card on file (albeit w/out conditions listed) is a mystery if we are already entering the patient id # into biotrack/state traceability in order to report the sales tax fee sale.
    THIS IS A WAC AND SHOULD BE ERASED.

    1. Understood.
      The fact that personally-identifying-patient-information is required at the point of every sales-tax-free purchase is what causes the potential problem. A retailer really obsessive about backing up information, for example, might just be keeping electronic logs of the chitchat that their POS does with Biotrash’s back-end system. For that matter, some POS’s may do that without user intervention, as well.

      I live my life by the credo that anything you place onto a computer that is connected with other computers is, effectively, in the public domain. If the computer in question is talking to a Government computer, then it is DEFINITELY in the public domain.

      I know that these data are not, strictly speaking, in the public domain.
      I also know that a diligent individual (or well-capitalized diligent entity) can, if they apply themselves, break any security system.

      Encryption, for example, is just applied math (with, occasionally, a bit of applied psychology thrown in for good measure). A good mathematician can de-crypt encrypted stuff. It can take a prohibitive amount of computing time to decrypt, but it can be done. I know, as I enjoy breaking codes (it’s right up there with watching the hummingbird battles in my yard).

      Similarly, a good hacker can hack systems. I suspect a mediocre one could hack the LCB’s (and Biotrash’s) systems while quaffing a few pitchers of IPA one afternoon by the river if they wanted to (assuming they had good wifi down by the river, of course).

      Bottom line, a retailer DEFINITELY has access to the purchase amounts, as they are entering them into the traceability system.

      The question should be: “Does the retailer have the capability of linking together individual patient-identifying information with that individual’s purchase information”.

      Many likely do not. I’m just guessing some do … we do operate in a land full of tech and full of tech skills, after all.

      Personally, I’d love to get access to these data (preferably with appropriate de-identification in place). Perhaps I should buy some more mass storage (patient stuff should NEVER be in The Cloud) … but more likely I should spend my time mastering the data I DO have access to.

  3. As I understand it, the DOH says HIPAA does not apply to medical cannabis patients because the cannabis retailers are not covered entities under HIPAA. The “medical consultants” are not covered entities under HIPAA, nor are any of the employees of any retail cannabis store in Washington state. Since they are not covered entities under HIPAA, patients’ privacy rights do not apply. I am pretty sure that is why the medical cannabis counsel for the DOH is an attorney and not a medical person. Ms. Weeks is there to make sure that the rules are written in such a way that they are not required to follow HIPAA or the patients’ bill of rights.

    1. Interesting, and thank-you, Denise … I’d like to see if others see the DOH rules (in conjunction with related LCB stuff) as resulting in this quagmire of severely diminished patient rights. Those rights (and expectations of privacy) are clearly diminished, but I wonder if they are actually “legally” non-existent? That might explain the mandatory (but totally discretionary) $1 fee required of Patients at initial registration in the self-incrimination-voyeur-enabling database that is ready to serve their (and the Feds’ and the State’s and the hacker’s) needs for years to come.

      Perhaps I can create a business model extorting Patients with the information they have consciously and willingly shared with “The Man”.

      I hope you are wrong and still believe that Judge Weeks did a good job (overall) in writing these rules. The structure and wording of the rules clearly reflect the language and world-view that her Justice-centric career necessitated. The resulting rules certainly fulfill what she no doubt viewed as essential “legal” needs. They also fulfill (sometimes subtly) some very important Patient needs. This first round of rules is, however, clearly imperfect and inadequate in meeting Patient needs. As those needs are acute, we (industry, Patients, providers, compassionate Citizens) should pull out all stops in getting good rules in place ASAP (emergency rules can be used for good, as well as evil!) and getting enabling legislative changes in front of Legislators well in advance of the 2017 session. The Patients can’t wait. Some will already be dead by then (and no, Mr. Gates … that is not hyperbole).

      In the meanwhile, I would absolutely love to hear what others think about the existing DOH rules (preferably after having read them, as Denise appears to have done).

      Thanks again, Denise … this is a critical problem that needs to be set right as immediately as bureaucratic inertia and pig-headedness will allow. The quicker “we” can get a compelling and consistent message in front of the legislature and the public, the quicker we can stop the angst, suffering and degradation of health currently being suffered by the forgotten medical Cannabis Patients of Washington State.

  4. Fantastic site. Plenty of useful info here. I am sending it to several friends and also sharing in delicious. And obviously, thanks for your effort!
