[godisred]

I don't think it currently exists, but I'd like to hear what the rest of the community thinks on this topic.

Here are my concerns.

I know for a fact it is easy to get verification of a patient, since they do it right in front of you.

Now imagine if I run background checks for companies on potential new employees. All I would need to know is names of clinics that offer doctor's recommendations for the use of mmj and google would provide that within seconds. Now armed with the clinics and employee information I can call and see if this person is verified to use mmj. Now this new employee even with the CA law on his side would most likely not get the job, because of the negative stigma of mmj.

The clinics need to work with the co-ops to provide a form of authentication when giving out information. My suggestion would be for clinics to provide co-ops with an UID number. This way when a verification on a patient is made the clinic can confirm that they are talking to a co-op.

Co-ops need to also stop placing scanned copies of patients CA ID/Driver license and information on computers with access to the Internet. These systems should be offline and not used for surfing the net.

Currently at this time I do not see any concern for security of patient information.

As mmj becomes more regulated this is something I think should be placed within the law. If co-ops and doctors are not willing to take steps on their own to help protect patient information then it should be mandated by law.

[medicalman]

Thats a nearly impossible scenario. With the number of physicians out there that give out MMJ Rec's, the employer would be calling around all day every day for months (hypothetically) before they found your actual physician.

Secondly, why would they even suspect that you were a patient? They dont have the time, resources, or willpower to investigate such a random and minute detail.

Thirdly, they would be violating your privacy. Medical records are private and Co-Ops are medical providers, by claiming that the employer/investigator was a Co-Op representative, that person is attempting to gain personal, private medical data under false pretenses.


To sum up, unless you have a prior offense for possession on a criminal record (prior to gaining a recommendation), you have nothing to worry about. And if an employer found out that you were a patient and refused to hire you solely based on that fact, you could (if you really really wanted the job and it wasn't a job with the federal government) claim medical discrimination. Case

[godisred]

It is even close to being nearly impossible, if a doctor can right a prescription for vicodin and I can take it to any Pharm and get it filled after they confirm the doctor is legit, then the same can be done for mmj.

Yeah that is true, they would not get everyone that they searched for, but they would catch some and even one is too many.

It is not about being suspect, it is about a through background check. Just because they don't suspect you of being a criminal doesn't mean they aren't going to check.

As for it being illegal does not matter, corporations and governments do things every day that are not legal. You may win in a court of law down the road, but the damage would have already been done.

My point is that this information should not be so easy to get. You cannot call my regular doctor and get him to verify that I am even a patient of his. So a system that works in verification of sensitive medical data should have a secure way of idenitifing the person requesting information.

So what is your view on co-ops being lax with patient data?

Now this hasnt happened to me personally, but I've heard rumours about "shady" co-ops selling patient data to other, usually new co-ops, and then the patient gets something in the mail, like an advertisement flyer, from the new co-op.
Has anybody else heard these rumors about co-ops doing this? Has anyone had this happen to them? Sounds quite shady if its true

Quote:

Originally Posted by reefers

Now this hasnt happened to me personally, but I've heard rumours about "shady" co-ops selling patient data to other, usually new co-ops, and then the patient gets something in the mail, like an advertisement flyer, from the new co-op.
Has anybody else heard these rumors about co-ops doing this? Has anyone had this happen to them? Sounds quite shady if its true

I'm registered at 25 co-ops, at least, and I've never received any cross promotional material about a new place in the mail, ever.

[Cuddy Rock]

Quote:

Originally Posted by medicalman

Thats a nearly impossible scenario. With the number of physicians out there that give out MMJ Rec's, the employer would be calling around all day every day for months (hypothetically) before they found your actual physician.

Secondly, why would they even suspect that you were a patient? They dont have the time, resources, or willpower to investigate such a random and minute detail.

Thirdly, they would be violating your privacy. Medical records are private and Co-Ops are medical providers, by claiming that the employer/investigator was a Co-Op representative, that person is attempting to gain personal, private medical data under false pretenses.


To sum up, unless you have a prior offense for possession on a criminal record (prior to gaining a recommendation), you have nothing to worry about. And if an employer found out that you were a patient and refused to hire you solely based on that fact, you could (if you really really wanted the job and it wasn't a job with the federal government) claim medical discrimination. Case

^^^^^^ What he said.^^^^^

[greenrip]

The overall concern is not anything to ignore as privacy issues and technology are going to continue to challenge us all as we continue to move into the future.

This scenario would not ever play out as if you listen to the verification process they have to have certain information on hand to provide as they are asked the patient name, physician, date of prescription and DL # / exp. date.

There is virtually no way an employer would be able to get all those different pieces of information and know which number to call in the first place. If they had the info about the day you got the prescription then they already knew! Without that they would never be able to verify.

No worries but I do wonder about co-ops that have been raided and their databases being confiscated by DEA or whomever. Now they have your information and that would be a major compromise to your medical privacy, regardless if it ever was used against you in the future or not.

[godisred]

Quote:

Originally Posted by greenrip

The overall concern is not anything to ignore as privacy issues and technology are going to continue to challenge us all as we continue to move into the future.

This scenario would not ever play out as if you listen to the verification process they have to have certain information on hand to provide as they are asked the patient name, physician, date of prescription and DL # / exp. date.

There is virtually no way an employer would be able to get all those different pieces of information and know which number to call in the first place. If they had the info about the day you got the prescription then they already knew! Without that they would never be able to verify.

No worries but I do wonder about co-ops that have been raided and their databases being confiscated by DEA or whomever. Now they have your information and that would be a major compromise to your medical privacy, regardless if it ever was used against you in the future or not.

The scenario did play out, even without physician name and date of prescription not not being used, it's called social engineering. I doubt these clinics train their employees in SE tactics, most Fortune 500 companies don't.

The concern of the Fed or local PD having my data after a raid is bad enough, but to have someone hack the co-ops computer is worse.
I highly doubt these co-ops have an info sec analysis of their network done. They are most likely have a basic DSL/Cable connection shard through a router and god forbid it is a wireless router.

Most people don't realize how much personal computers are attacked. Just install software like BlackICE and watch how many attempts to access your computer comes in within the hour.
95% of the computers I have checked have had tons of malware on it, this includes spyware, trojans, viruses and keyloggers.
You can have a hardware and software firewall running, along with AV and can still become infected. If co-ops are medical providers then I expect them to provide the same level of Info security as I would from Blue Cross.
The cost to them would be no more then $500 for a new computer and a KVM switch. This would allow them to have two PC towers hooked up to the same monitor, keyboard and mouse. This way they can switch over to the PC that is not connected to the net and when done switch back to the other PC and continue surfing the net.

I also am registered with multiple co-ops and have yet to receive any type of spam in the mailbox.

Here is a point blank question to all co-ops in the SoCal, since I didn't experience this in either of the two co-ops I visited in San Fran.

[b]Why do you make a photo copy of our IDs?[/b/]

Quote:

Originally Posted by lovethehash

I'm registered at 25 co-ops, at least, and I've never received any cross promotional material about a new place in the mail, ever.

I've been to at least that many as well, and never got anything in the mail either
thank god

I figured it was just a rumor, but you never know!

[Lou Weed]

I feel it is highly unethical for any person from any co-op/collective to utilize any information disclosed by a patient for personal gain.

Folks, we're a medical industry. If my phlebotomist ever lifted my phone number to tell me I'm a looker or sent car-repair advertisements to my home, I'd be a bit miffed and rightfully so. If you are a poke-and-prod technician, do your duty. Don't try to fix my car or take me to dinner.

Being a patient is a sensitive thing. Not all of us are going to don our status as patients via on-site activism or give our names to the press. We have our reasons and they are completely valid. As such, some patients do not wish to give their phone numbers or addresses to collectives.

Having endured a few unsavory experiences concerning how collectives have treated this sort of information, I understand why.

As far as the Big Boys fronting these Untied Skates of America, they don't really care about the quantities that personal-use patients tend to keep on hand. Having endured police invading the collective I work at while I was carrying roughly 3.8 grams of medicine and admitting to as much without receiving a citation, I'm a whole lot more scared of your run-of-the-mill robbery these days.

If you are uncomfortable at a collective because of any reason at all, always tell the staff. Help us be a self-accountable community by being accountable.

[tommyz1052]

Quote:

Originally Posted by godisred

I don't think it currently exists, but I'd like to hear what the rest of the community thinks on this topic.

Here are my concerns.

I know for a fact it is easy to get verification of a patient, since they do it right in front of you.

Now imagine if I run background checks for companies on potential new employees. All I would need to know is names of clinics that offer doctor's recommendations for the use of mmj and google would provide that within seconds. Now armed with the clinics and employee information I can call and see if this person is verified to use mmj. Now this new employee even with the CA law on his side would most likely not get the job, because of the negative stigma of mmj.

The clinics need to work with the co-ops to provide a form of authentication when giving out information. My suggestion would be for clinics to provide co-ops with an UID number. This way when a verification on a patient is made the clinic can confirm that they are talking to a co-op.

Co-ops need to also stop placing scanned copies of patients CA ID/Driver license and information on computers with access to the Internet. These systems should be offline and not used for surfing the net.

Currently at this time I do not see any concern for security of patient information.

As mmj becomes more regulated this is something I think should be placed within the law. If co-ops and doctors are not willing to take steps on their own to help protect patient information then it should be mandated by law.

For this reason at least in my practice I have tried to convince clubs to move to using our online system.
Our system works like a swiss bank account.
Since you need the actual recommendation the userid and password. It prevents the random call to see if someone is a patient.

However since there are so many doctors out there you would have to call at least 20-30 of them to get a hit.

In addition I disagree with these third party verification systems. The chain of custody of medical information should be as small as possible.

[AliceinBudland]

I know with some Dr. Offices., the number on the Rec is not the same # called to verify. I was questioned completely before given the # to verify a patient. So some measures are being done to make sure that the right people are doing the verifying, etc.

_Alice

[godisred]

Quote:

Originally Posted by tommyz1052

For this reason at least in my practice I have tried to convince clubs to move to using our online system.
Our system works like a swiss bank account.
Since you need the actual recommendation the userid and password. It prevents the random call to see if someone is a patient.

However since there are so many doctors out there you would have to call at least 20-30 of them to get a hit.

In addition I disagree with these third party verification systems. The chain of custody of medical information should be as small as possible.

How can lack of the rec, a physical piece of paper, be needed in a digital authentication? Unless that rec is tagged with information from the doctor and this information is stored in your database.

So you coded this online system and sell it or is it just one you use in your business?

What is the name of this system?

[godisred]

Quote:

Originally Posted by AliceinBudland

I know with some Dr. Offices., the number on the Rec is not the same # called to verify. I was questioned completely before given the # to verify a patient. So some measures are being done to make sure that the right people are doing the verifying, etc.

_Alice

_Alice,
What do you mean by 'questioned completely'? Because unless there is some UID on the rec that only a person holding the rec would know I don't see any security that SE wouldn't be able to overcome.


Some clinics give out cards, all they have to do is place a UID on the card kinda like the one on back of credit cards. Tag your file by this UID so when a co-op calls the clinic to verify all they have to do is inform the co-op to ask the patient to provide his card. Once the patient does they provide the UID to the clinic. Without the UID no information can be given. This method would be good since it doesn't require any type of corporation between co-ops and doctors prior to getting a call.

Granted all clinics or doctors don't provide cards, but maybe they should.

[AliceinBudland]

There is only one Medical Group that is doing this (that I know of), giving out cards with coded #'s. The rest don't.

[Darter]

I have registered with many co ops too. I have lost count in fact. I have had my rec only under two years now. I have had only one experience that leads me to beleive my med records are a concern. I use an address that looks like a street address but is really a PO box.. and I got a mailer about two months or three months ago... from a co op .. a simple flyer really... and it from a co op I had never been to or heard of. I also noticed they had a label so I peeled it back and there was some lawyers letterhead underneath it. A very weird thing... but if thats the only contact I have had from a co op.. I feel fortunate...

As for the finding that a patient has an mmj rec... My wife has a rec... she works for a national company that has ZERO tolerance.... when she became eligible for full time employment they tested her. The Labratory was from out of state and called us to tell us there were illegal drugs in her system .... she presented her mmj rec to the human resources lady along with test results.. and she is still severy pay grades above those around her.

There is My input.. for what its worth ..

Darter