BY: SARAH LEE GOSSETT PARRISH, CANNABIS LAWYER
Oklahoma’s Governor Stitt signed the Oklahoma Medical Marijuana and Patient Protection Act (also known as the “Unity Bill” and now, the “Unity Act”) into law on March 14, 2019, and it becomes effective at the end of this month. In Unity’s wake, a series of trailer bills, including Senate Bill 1030, were passed and signed into law. I have written several Herb-Age columns and numerous blog posts2 about the Unity Act (“Unity”) and its trailer bills. Notably, the issue which is the subject of my writing here concerns HIPAA3, and Senate Bill 1030’s provisions that give courts and law enforcement access to the medical marijuana use registry information and patients’ cards—provisions which are, by their very existence, incompatible with HIPAA and contrary to the language of Unity.
Unity provides that “[t]he handling of any records maintained in the [medical marijuana use] registry shall comply with all relevant state and federal laws, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See Unity, Section 7., (A). and (C). Section (C) further provides that records “regarding a medical marijuana licensee” … “shall be marked as confidential, shall not be made available to the public and shall only be made available to the licensee, designee of the licensee, any physician of the licensee or the caregiver of the licensee…”. That’s all well and good. But then, there’s Senate Bill 1030.
SENATE BILL 1030 GIVES LAW ENFORCEMENT AND COURTS ACCESS TO PATIENTS’ CARDHOLDER STATUS AND INFORMATION.
S.B. 1030 states that “[t]he State Department of Health shall make available all information displayed on medical marijuana licenses, as well as whether or not the license is valid, to law enforcement electronically through the Oklahoma Law Enforcement Telecommunications System.” See S.B. 1030 at Section 4. (C).
HIPAA contains a few exceptions for law enforcement, none of which would apply to a routine traffic stop, although the language of Senate Bill 1030 will allow law enforcement to “run your patient card” along with your driver’s license.
What information is on an OMMA medical marijuana patient card? The patient’s name, date of birth, patient ID number, and city of residence are all on the card. In other words, “Protected Health Information” under HIPAA, because this information, including a person’s status as a medical marijuana patient, is personally identifiable information related to the person’s health (among other reasons too detailed to cover here).
As though this is not, in and of itself, disturbing enough, the website for the Oklahoma Law Enforcement Telecommunications System (OLETS) states that its “sole purpose is to provide for the interstate, intrastate and interagency exchange of criminal justice related information.” Thus, S.B. 1030 equates information on a medical marijuana patient’s license obtained from the Oklahoma Medical Marijuana Authority, including a person’s status as a licensed medical marijuana patient with “criminal justice related information.”
Equally disturbing, at Section 5 of S.B. 1030, is a provision that such information (displayed on medical marijuana licenses, as well as whether or not the license is valid,) “shall be accessible” to “[a]ny court in this state.”
Just let that one sink in. Medical marijuana patients’ status front and center in divorce proceedings, wrongful termination cases, the list goes on and on….
These provisions in S.B. 1030 clearly violate HIPAA, not to mention Oklahoma medical marijuana patients’ rights to privacy. This piece of legislation, which will become effective shortly, blatantly ignores the protections afforded Americans by HIPAA.
How can this be?