Over the last few years, agencies such as the Federal Trade Commission have fostered a movement to encourage industry to implement the concept of privacy-by-design. The idea behind privacy-by-design is that when developing new software, hardware, medical devices, or other such products that collect personal information, such as personally identifiable information (PII), health care information, geo-tracking data, etc., the manufacturer should consider privacy in the product’s design.
The European Union has historically been very aggressive on privacy matters and recently mandated privacy-by-design in its new General Data Protection Regulation (GDPR), which will become enforceable in May 2018. The GDPR will require companies not only to design compliant privacy policies, procedures, and systems at the outset of any product or process development, but also to employ a data protection officer to ensure compliance.
Although the US has industry-specific regulations for healthcare (HIPAA) and banking (GLBA) that require organizations to address privacy and security, and the Securities and Exchange Commission requires auditing and reporting of controls associated with information security and cybersecurity, until now there has been no legislative rubric mandating privacy-by-design.
Recently, the Ohio Medical Marijuana Control Program (OMMCP) created mandates for privacy and information security that are among the strictest in the country.
The long and short of it is that all medical marijuana industry participants (cultivators, processors, dispensaries, or testing facilities) that use an “electronic system” for storing and retrieving records required by the regulations or related to medical marijuana in any way (including all patient data for dispensaries) shall implement a system that does the following:
- **Guarantees** the confidentiality of the information stored in the system (emphasis on the emphasis);
- Is capable of providing safeguards against erasures and unauthorized changes in data after the information has been entered and verified;
- Is capable of placing a litigation hold or enforcing a records retention hold for purposes of conducting an investigation or pursuant to ongoing litigation; and
- Is capable of being reconstructed in the event of a computer malfunction or accident resulting in the destruction of the data bank.
One of the above requirements clearly stands out. If medical marijuana businesses use a computer to store medical marijuana related data (which will be most, if not all, of their data), the system must be capable of guaranteeing the confidentiality of that data. In other words, the Ohio medical marijuana industry must guarantee patient privacy and the security of its data systems.
The result is an entirely new, state-based industry which legally must be designed with privacy and security in mind. Personally, I believe that guaranteed confidentiality is impossible, and any cybersecurity, physical security, or privacy professional worth their salt will tell you “there is no such thing as perfect security.” In fact, most, if not all, federal and state privacy and information security laws require reasonable security, a standard which itself is continually evolving in the law. Consequently, I also believe that the required guarantee will ultimately be amended, compelled by litigation, lobbying efforts, or both, and Ohio’s medical marijuana regulations will move toward a standard more akin to “reasonable security”.
However, I have resolved that this ridiculously high standard will be a good thing for the Ohio medical marijuana industry. It will make the entire industry put privacy, information security, and data protection on the short list of organizational imperatives. An organization simply cannot ignore a regulation that requires a guarantee of confidentiality. These fledgling companies must hardwire privacy and security into their businesses from the very start. Here are a few suggestions:
- Most privacy breaches are the result of human error. Develop a 21st-century information governance program composed of policies and procedures that clearly articulate how information will be handled within the organization.
- Regularly train all members of the organization on privacy, information security, and physical security. Training can be done in group settings or one-on-one, online, or in person. There are many privacy and security training options, and most are not cost prohibitive.
- Document all your privacy and security incidents and all corrective measures taken.
- Engage legal counsel. Yes, I am an information security and privacy attorney who wants to help medical marijuana companies. Yes, I am self-interested. However, my self-interest doesn’t change the fact that one thing attorneys can do is provide virtually ironclad confidentiality related to client information under certain circumstances, particularly in anticipation of litigation or prosecution. With cannabis currently illegal on a federal level, wouldn’t all Ohio medical marijuana business be conducted under the auspices of federal prosecution?
With the OMMCP taking such a bold stance on privacy and security, it will be interesting to see if such rigorous requirements will be a help or a hindrance to the industry. Although, wouldn’t it be a sweet twist of fate if an industry imperiled by the stigma of the black market and “reefer madness” became a sterling example of privacy and security in the modern age? It is our goal at Ickes\Holt to see that happen.
Stay tuned for our upcoming article on the privacy and information security requirements for Ohio medical marijuana dispensaries, which must be prepared to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Ohio Automated Rx Reporting System (OARRS), along with a whole host of particularized recordkeeping and reporting requirements.