Federal officials have been asking states where marijuana is legal to turn over demographic data of patients who have obtained a medical marijuana card, raising privacy concerns and compliance questions over whether state officials should cooperate with the federal government.

Is your weed buying history safe from the government? To put it bluntly, it may not be. One of the White House’s anti-drug initiatives is seeking information about patient demographics from states where medical marijuana is legal, including California.

On August 1, 2017, Dale Quigley, Deputy Coordinator of the National Marijuana Initiative (NMI), asked California’s Department of Public Health to turn over the age, gender, and affliction of the 86,723 patients who have obtained a medical marijuana card between 2012 to 2016.

While federal officials state that the data will be used in connection with research to study any correlation between how strictly states regulate medical cannabis and the usage rates among different age groups, cannabis advocates worry that such a probe will scare off patients, sending them to the black market for cannabis.

In response to NMI’s data request, California’s health department indicated that it only administers the ID program and does not have any information, causing a concern that NMI officials may start probing dispensaries or physicians for the data.

Because protecting patient anonymity is among the chief concerns for health officials, cannabis advocates are encouraging dispensaries and physicians not to share information with the federal government until the Department of Justice has stated its position with regard to state cannabis laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), it is illegal for a covered entity to disclose private patient records without the patient’s consent. However, under HIPAA, protected health information may be disclosed by covered entities for research purposes if the patient has authorized such a disclosure or if an institutional review board has approved the disclosure. See 45 CFR § 164.512 (i) and 45 CFR § 164.508.

Research is defined as:

“A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” See 45 CFR § 164.501.

A covered entity is defined as:

A health care provider who transmits any health information in electronic form in connection with a [covered] transaction. See 45 CFR § 160.103.

A “health care provider” is any person or organization that furnishes or is paid for care, services, or supplies related to the health of an individual. See 45 CFR § 160.103. Accordingly, a physician would be subject to the HIPAA requirements.

Whether dispensaries are covered entities is a question that has not been answered. Some argue that since dispensaries provide medical marijuana in order to treat illnesses, they are almost certainly “health care providers” as defined by HIPAA. However, the rules require covered entities to transmit health information in electronic form in connection with a covered transaction. If the dispensary does not transmit information in electronic form, then arguably it is not a covered entity.

Nonetheless, a covered entity under HIPAA may disclose for research purposes health information which has been de-identified (in accordance with 45 CFR § 164.502(d) and 45 CFR § 164.514(a)-(c)). Information is de-identified when the patient’s name, Social Security number, photos, and among other things, unique characteristics have been removed from the data. 45 CFR § 164.514(a)-(c).

As a result, the government may be able to obtain the age, gender, and medical condition of the individuals who obtained medical marijuana cards for research purposes from covered entities if the patient has authorized the disclosure or if an institutional board has approved the disclosure.

Because HIPAA laws are very complex, it is important that dispensaries, physicians, and advocates consult with an attorney before providing any demographic data of patients.