Christina Dickinson and Dave Delozier report:
It was the last thing Harold Morton expected to find while taking some recyclables out to the alley behind his home. When he walked past a Dumpster, he saw it in a cardboard box: a thick blue binder.
“I picked the book up and I opened it, and right away I noticed the top of each page: medical marijuana registry forms. The next thing I noticed is there is all these people’s personal information on each one of those sheets,” Morton said.
The forms were inside plastic sleeves and contained social security numbers and dates of birth, along with patient names, addresses and telephone numbers. The binder contained the personal and medical information of dozens of patients.
The forms were on letterhead identified as Apothecary of Colorado, a dispensary in Denver.
Read more on 9News.
The present owners of the dispensary suggest that the records may have belonged to the previous owners.
At the time of this posting, there is no notice on the Apothecary of Colorado’s web site. Although this would appear to be a reportable breach under HIPAA, because there are fewer than 500 patients involved (based on the news story), I don’t expect that we’ll see this incident on HHS’s breach tool.
Update: I realized that I may not be correct in viewing this as a reportable breach under HIPAA and am trying to verify whether medical marijuana dispensaries are covered entities under HIPAA. As I read the language of the statute, they should be, but then, I am not a lawyer.
Update 2: HHS informs me that because a prescription is required, dispensaries are providing health care. BUT: in order to determine whether any particular dispensary is a covered entity under HIPAA, we’d need to know whether insurance companies are being billed or queried electronically or if the dispensary conducts cash-only transactions. If the former, then they’d be a covered entity. If the latter, then no. Thanks to HHS for clarifying this.
Update 3: Video of 9News coverage of the story shows a binder with hundreds of pages in it and indicates that driver’s license numbers were also included. HIPAA releases were also visible, so it appears that AOC is a HIPAA-covered entity after all. Other coverage indicates that the files also contained copies of birth certificates. Now the dispute boils down to who is responsible for those records and how did they get into the dumpster — was it the former owners of AOC or the current owners? Both deny responsibility. So who will notify HHS and the patients?