DENVER – When Colorado voters approved medical cannabis in 2000, Amendment 20 established a registry of patients, physicians and caregivers – a confidential database protected by the constitution.
But an audit of the Department of Public Health and Environment found that the confidentiality of the medical marijuana registry has been breached numerous times. Security issues cited in the report include:
Workers, who were hired through a temporary employment agency, processed hundreds of “red card” applications and entered the information into the registry database;
Confidential patient information or “red cards” were mailed to the wrong recipients at least 15 times;
Department of Revenue enforcement officers, who were investigating medical marijuana dispensaries, requested information about hundreds of “red card” recipients;
The Colorado Crime Information Center (CCIC) allows law enforcement officers to access the registry to verify the “red card” status of an individual as well as find out how much marijuana – the number of ounces or plants – the patient can have;
Employees from the Division of Central Services under the Department of Personnel and Administration, accessed the registry to enter data and scan records;
The names of 5,400 medical marijuana caregivers were sent accidentally to the State Auditor’s office in December 2012.
“The constitution restricts registry access to authorized employees of public health, and law enforcement officers who have stopped or arrested someone who is claiming to be using or possessing medical marijuana,” said Jenny Atchley, a legislative auditor.
According to the auditors, attorneys in the Office of Legislative Services said it is reasonable for the state public health department to allow access to the registry by outside employees if the contract includes an understanding of confidentiality, and the department has control over the work performed.
The public health department said that staff members of contractors and other state agencies are required to sign confidentiality agreements to protect the registry data. However, the auditors checked a sample of 10 outside workers and found just three signed agreements.
The public health department has a policy to notify individuals when their privacy has been breached, but auditors said that does not always occur.
“Confidentiality of the data is very important to the department,” said Karin McGowan, interim director of the Department of Public Health and Environment.
“Last year we processed 280 applications – whether it was a (record) change or the actual application – and there are 108,000 (active) patients in the registry, and we’ve had 15 breaches,” said McGowan. “So while that’s not perfect, to err is human. We do try our best.”
The 5,400 names of medical marijuana caregivers sent to the State Auditor’s office, she said, “was obviously an error.” McGowan said it would have been more risky to send notifications to those individuals, whose addresses may not be current, than to assume the State Auditor’s office would keep that information confidential.
McGowan also questioned whether applications for medical marijuana “red cards” should be classified as confidential information.
Members of the Legislative Audit Committee plan to address that issue and discuss legislative bills to close legal loopholes in the statutes regulating medical marijuana. They plan to consult Attorney General John Suthers before drafting the bills that would be introduced in legislative session next year.
“Statutorily we need to make some clarifications on the intent of the law,” said Rep. Angela Williams (D-Denver) who chairs the Legislative Audit Committee.
“It’s a very complicated business that we are implementing here in the state of Colorado,” Williams told the committee on Tuesday. “(We want) to make sure that we run a quality system as we implement the (retail) marijuana piece of this.”
“Confidentiality is a constitutional principle,” said Sen. Lois Tochtrop (D-Thornton). “I want to see protection of people on medical marijuana… and the confidentiality of applicants should also be protected.”
Rep. Daniel Nordberg (R-Colorado Springs) said there is no question that the constitutional rights of individuals in the registry should not be violated.
“There’s a disturbing trend of government being put in a position of trust – and abusing it,” said Nordberg.