Too often I read in the news a story about another medical marijuana office being raided by the FBI with all of the medicine being taken, along with the patient records. While medicine can be replaced, the patient's privacy is priceless. What is being done to protect these records? What can be done to protect these records?
I will be honest in that I am not aware of all of the laws that may apply. But what I put below are just some suggestions on things that can be done to keep your office's records out of the reach of the feds. I value privacy and I see these raids as an affront to that privacy.
I am no specialist when it comes to medical records protection but I can tell you right now that there are multiple technologies available that could put these records beyond the reach of any physical search of the property. Even if physical retention is required by law there are things that can be done to protect these records.
- Out of country storage.
Why not put the records outside of the reach of the US's laws? Why not keep the files stored on a server in a country that actually values privacy? For $50 a month you can rent your own server in a country like Sweden. Configure that server with encrypted hard drives behind long passwords. Use an SSL encrypted connection between your office computer and your remote server to ensure that the traffic cannot be monitored. If you want to obscure the location and internet address of your server you can use a VPN service such as Relakks ($10 a month!) that you would first connect to with your office machine and then once that connection is established THEN connect to your server. From inside the US all they would see is a connection to a VPN server in another country. From your remote server side all they would see is a connection to your server from the VPN service's servers. There would be nothing that would link back to you here in the US, and nothing that would link you directly to your server. You pull your records down in the morning, and then upload them at night. If your office computer got taken, there wont be any records on there for the FBI to look at. While this sounds difficult, it really is no different than the tech worker that connects back to his office to do work from home. Its the same technology, just over a longer distance.
- External hard drives.
Keep your records on an encrypted external hard drive instead of on your office computer. Store that drive in a large safe on the premises. Or if you really want to be secure, take it with you. Often times a search warrant might be for the office, but does it also include your car or house? Usually not. Take backups on DVD and keep them in a personal safe deposit box.
- Removable RAID drives.
You might need an IT person to assist you with this. Keep the data stored on 3 removable drives configured in a raid 5 configuration. This way the data is striped across all 3 drives. Each night, 1 drive goes in your safe. One goes home with you. And one goes home with your trusted office person. What is so special about this? You need at least 2 of the drives to fully recreate the data. Even if your trusted office person absconds with one of the drives, you still have the drive in your posession as well as the one in your safe with which to recreate the full dataset. Your office gets raided, the feds are only getting 1 drive. They would only get a small portion of the data. On top of that, the data can be encrypted making it even more difficult to get at the data.
These are just some of the things that could be done to protect the privacy of your patients. Considering that here in California medical marijuana is legal, the federal government has no business enforcing their laws here. That they choose to do so means that we as a people need to do what we need to do to protect the patients and to protect our rights under the law. You CAN beat the feds at their game by denying them access to the data that they want. So they take your pot? Its California, who can't find pot within a few hours? So they break down your door? With the economy the way it is, any handyman would chomp at the bit for the chance to fix it. But do you really say "so what" when they take your patients medical records?
*I do not run a medpot office. I don't know anybody that does. I dont even hold a medpot card. I am just a tech worker that sees these raids and the loss of patient records as needless. There are things that can be done to protect the records. Before sending records out of the country, I would definitely consult an attorney as there may be laws I am not aware of (HIPPA?). And lastly, a big thank you to everybody that provides this medicine for people that need it. Obviously some abuse it, but there are those who need it just to get through their day without pain and you truly make a difference.