
Ickes \ Holt LLC


Sep 01, 2017

REGARDING PRIVACY OHIO SETS A HIGH BAR FOR MEDICAL MARIJUANA

Over the last few years, agencies such as the Federal Trade Commission have fostered a movement to encourage industry to implement the concept of privacy-by-design. The idea behind privacy-by-design is that when developing new software, hardware, medical devices, or other such products that extract personal information, such as personally identifiable information (PII), health care information, geo-tracking data, etc., the manufacturer should consider privacy in the product’s design.

The European Union has historically been very aggressive on privacy matters and recently mandated privacy-by-design in its new General Data Protection Regulation (GDPR), which will become enforceable in May 2018. The GDPR will require companies not only to design compliant privacy policies, procedures, and systems at the outset of any product or process development, but also to employ a data protection officer to ensure compliance.

Although the US has industry-specific regulations for healthcare (HIPAA) and banking (GLBA) that require organizations to address privacy and security, and the Securities and Exchange Commission requires auditing and reporting of controls associated with information security and cybersecurity, until now there has been no legislative rubric mandating privacy-by-design.

Recently, the Ohio Medical Marijuana Control Program (OMMCP) created mandates for privacy and information security that are among the strictest in the country.

The long and short is that all medical marijuana industry participants (cultivators, processors, dispensaries, or testing facilities) that use an “electronic system” for storing and retrieving records required by the regulations or related to medical marijuana in any way (including all patient data for dispensaries) shall implement a system that does the following:

  • Guarantees the confidentiality of the information stored in the system (emphasis on the emphasis);
  • Is capable of providing safeguards against erasures and unauthorized changes in data after the information has been entered and verified;
  • Is capable of placing a litigation hold or enforcing a records retention hold for purposes of conducting an investigation or pursuant to ongoing litigation; and
  • Is capable of being reconstructed in the event of a computer malfunction or accident resulting in the destruction of the data bank.

One of the above requirements clearly stands out. If a medical marijuana business uses a computer to store medical marijuana related data (which will be most, if not all, of its data), the system must be capable of guaranteeing the confidentiality of the data. In other words, the Ohio medical marijuana industry must guarantee patient privacy and the security of its data systems.

The result is an entirely new, state-based industry which legally must be designed with privacy and security in mind. Personally, I believe that guaranteed confidentiality is impossible and any cybersecurity, physical security, or privacy professional worth their salt will tell you “there is no such thing as perfect security.” In fact, most, if not all, federal and state privacy and information security laws require reasonable security, a standard which itself is continually evolving in the law. Consequently, I also believe that the required guarantee will ultimately be amended, compelled by litigation, lobbying efforts, or both, and Ohio’s medical marijuana regulations will move toward a standard more akin to “reasonable security”.

However, I have resolved that this ridiculously high standard will be a good thing for the Ohio medical marijuana industry. It will make the entire industry put privacy, information security, and data protection on the short list of organizational imperatives. An organization simply cannot ignore a regulation that requires a guarantee of confidentiality. These fledgling companies must hardwire privacy and security into their businesses from the very start. Here are a few suggestions:

  1. Most privacy breaches are the result of human error. Develop a 21st century information governance program comprised of policies and procedures that clearly articulate how information will be handled within the organization.
  2. Regularly train all members of the organization on privacy and information and physical security. Training can be done in group settings or one-on-one, online, or in person. There are many privacy and security training options and most are not cost prohibitive.
  3. Document all your privacy and security incidents and all corrective measures taken.
  4. Engage legal counsel. Yes, I am an information security and privacy attorney who wants to help medical marijuana companies. Yes, I am self-interested. However, my self-interest doesn’t change the fact that one thing attorneys can do is provide virtually ironclad confidentiality related to client information under certain circumstances, particularly in anticipation of litigation or prosecution. With cannabis currently illegal on a federal level, wouldn’t all Ohio medical marijuana business be conducted under the auspices of federal prosecution?

With the OMMCP taking such a bold stance on privacy and security, it will be interesting to see if such rigorous requirements will be a help or a hindrance to the industry. Although wouldn’t it be a sweet twist of fate if an industry imperiled by the stigma of the black market and “reefer madness” becomes a sterling example of privacy and security in the modern age? It is our goal at Ickes\Holt to see that happen.

Stay tuned for our upcoming article on the privacy and information security requirements for Ohio medical marijuana dispensaries, which must be prepared to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Ohio Automated Rx Reporting System (OARRS), along with a whole host of particularized recordkeeping and reporting requirements.

Categories: Business Law, Consumer Privacy/Security, Cybersecurity, Data Breach, Data Security, HIPAA, Information Governance, Information Security, Legislation, Medical Cannabis, Medical Marijuana, Privacy, Uncategorized
