Medical Marijuana and Privacy
Related to patient autonomy is a patient's right to privacy (ie, to control his or her own body and his or her own personal information). The ancient Hippocratic Oath included the statement that "Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private."
When personal health information is likely to result in social stigma or negative consequences, such as when psychiatric, drug, or alcohol treatment information is released or when the patient is a celebrity, the duty to protect patient privacy is heightened. This special circumstance has long been an issue and is recognized under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL 104–191; 42 U.S.C. §§1320d et seq.). The use of therapeutic cannabis is likely to be in this category, as long as its use remains illegal or continues to be viewed negatively by society. Even if medical use is a defense, association with a drug that many consider illicit could impact a person's ability to be employed or create other social handicaps. Therefore, caregivers, including APRNs, need to be prepared to extend these additional protections of privacy for a patient who is using medical marijuana.
Where the possession of therapeutic cannabis is illegal, patients have an additional concern about criminal penalties and may well be concerned about the protection of their information from release to organizations and individuals. HIPAA does exempt certain entities from the confidentiality requirement and grants them access to patient information without patient consent for the greater good of society. Law enforcement is not generally an exception. Examples of exceptions include public health reporting requirements and regulators like the US Department of Health and Human Services, which needs access in order to enforce HIPAA. APRNs can reassure their patients that most entities are not entitled to the patient's health records without the patient's consent, including the US Drug Enforcement Administration (DEA). HIPAA (the Privacy Rule, at 45 C.F.R. §§160 and 164) specifically limits access to identifiable health information, whether it is medication listings, discharge, or progress reports, including those cases in which DEA officers request information to show the patient's criminal intent. All health entities and caregivers are held accountable by HIPAA to protect patient privacy and generally are not required to expose the patient's past or present medical history, including prescriptions or drug use, to authority outside of that health entity.
Until recently, patients had few legal remedies when the privacy of their medical records was breached. Today, state and federal laws provide patients with legal remedies to compensate them for confidentiality breaches. The regulations issued under HIPAA that govern the privacy of personal health information also provide penalties for health care providers who fail to comply, including substantial fines and/or prison.
As the electronic health record becomes the rule, and diagnostic codes in the new International Classification of Diseases, Tenth Revision coding more accurately describe health issues (scheduled for implementation in October 2014), new confidentiality challenges will emerge. APRNs and other caregivers should expect their professional organizations to help them stay on top of and to anticipate changing regulations, to provide input regarding exceptions for patients whose need for privacy protection is heightened, and to give guidance regarding compliance.