COLORADO: Is Colorado’s MMJ patient registry being shared with law enforcement?
Among the many troubling findings of a report from the Office of the State Auditor on the administration of the state medical marijuana regulatory system is that confidential information about medical marijuana patients has and is being shared, possibly unconstitutionally, with other state agencies, private contractors and law-enforcement agencies.
Using the report’s findings, two advocacy groups, the Cannabis Therapy Institute and the Patient and Caregiver Rights Litigation Project, filed an emergency rules petition to the state Board of Health seeking to stop law enforcement from gaining direct access to the registry. The groups were hoping that the issue would be taken up at a Board of Health meeting in Denver on Wednesday. The state’s response wasn’t available at press time.
The implications are especially problematic for the more than 200,000 current or past Colorado medical marijuana patients and their caregivers on the registry, all citizens who signed up with the expectation that their information would be securely held by the Colorado Department of Public Health and Environment (CDPHE), the state’s administrator of the registry. Marijuana patients can face discrimination in many areas, including employment, housing, benefits, child custody, insurance and especially in interactions with law enforcement, and security of the registry is critical to that end.
The state constitution itself is clear about the registry, which was mandated by Amendment 20 in 2001. “The state health agency shall create and maintain a confidential registry of patients who have applied for and are entitled to receive a registry identification card.” It’s a simple idea to protect the security of patient records. The key word is “confidential.”
Until the audit came out in June, it was assumed the registry was located in a locked room on a single computer with only one backup disc and limited access by public health officials. It was not available on the Internet. Law enforcement could only receive information from the registry after someone who was stopped or arrested presented a Registry ID card. All law-enforcement inquiries were handled by telephone, and only “one or two requests a week” from law enforcement came after normal business hours.
The state auditor found out that state agencies and outside contractors working for public health during the period since 2009, when medical marijuana applications multiplied significantly, also had access to the registry, many apparently without even requiring a confidentiality agreement. Hundreds of people had access, with few, if any, safeguards on how the information might be used.
The audit found 15 reported breach incidents during the approximately one-year time period of the investigation, and that 5,400 caregiver names were “inappropriately provided to the State Auditor” at one point. Caregivers weren’t even informed that their information had been mistakenly leaked.
Even more disturbing, the audit found that the CDPHE, beginning in April of this year, “implemented an automated interface between the Registry and the Colorado Crime Information Center (CCIC), a statewide computer system that delivers criminal justice information to law enforcement agencies. Using the interface, law enforcement officers can query a patient’s name, date of birth, and red card serial number to determine if a patient’s card is valid. If the patient has a record in the Registry, the interface generates a response that includes the patient’s red card issuance and expiration dates, as well as the number of marijuana plants and ounces of medical marijuana that a physician recommended for the patient’s medicinal use.”