Cannabis Therapy Institute Patient Advocacy Project Phone: 877-420-4205 Email: info@cannabistherapyinstitute.com Web: http://www.cannabistherapyinstitute.

com

August 15, 2013 TO: COLORADO BOARD OF HEALTH RE: PETITION FOR EMERGENCY RULES TO PROTECT PATIENT PRIVACY This is a petition for emergency rules pursuant to the state Administrative Procedures Act, C.R.S. 24-4-103 (6). I. STATUTORY AUTHORITY These rules are promulgated pursuant to C.R.S. 25-1.5-106 and Article XVIII, Section 14 of the Colorado Constitution. The Colorado Department of Public Health and Environment (CDPHE) is the state health agency responsible for the administration of the Confidential Medical Marijuana Registry created in Article XVIII, Section 14 of the Colorado Constitution. Colorado Constitution Article XVIII, Section 14 (3) (a) provides that: "The state health agency shall create and maintain a confidential registry of patients who have applied for and are entitled to receive a registry identification card." CRS 25-1.5-106 (3) (a) (I) provides that the state health agency shall administer "the establishment and maintenance of a confidential registry of patients who have applied for and are entitled to receive a registry identification card." 5 CCR 1006-2 Regulation ONE (1) of CDPHE rules concerning medical marijuana also provide for a confidential registry of medical marijuana patients. II. BASIS AND PURPOSE The purpose of these emergency rules is to protect the confidentiality of the CDPHE Medical Marijuana Registry. Colorado medical marijuana patients will suffer irreparable harm if their confidential Registry information is shared outside the state health agency or if their information is breached in an accidental leak. If it becomes known that a person uses marijuana and is on the Medical Marijuana Registry, that person faces discrimination and potential harm in the following areas: Employment Housing Child custody Health insurance Veteran's benefits Organ transplants Automobile insurance Firearm ownership Occupational licensing (including real estate, medical professionals, construction trades, and teachers) Student loans Loss of right to due process Interactions with law enforcement Incrimination in federal crimes

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 1

A. Auditor's Report The Office of the State Auditor's report, dated June 2013 (attached), on the CDPHE's role in maintaining a confidential Registry details many instances when the confidentiality of the Registry has been breached. http://www.cannabistherapyinstitute.com/legal/colorado/audit/ The Auditor shows that the CDPHE is probably performing many functions that may be illegal. The Auditor's Report shows either a severe lack of respect for the confidentiality of the Medical Marijuana Registry or a severe lack of competence on the part of the CDPHE in keeping Registry information confidential. CDPHE has clearly failed in its duty to maintain a confidential Registry of Medical Marijuana patients. The Auditor's Report contained many egregious instances of breaches of Registry confidentiality and exposed many instances where CDPHE employees, or others, should have been subject to criminal prosecution for these breaches of confidentiality. Specifically, the Auditor's Report states that: Outside contractors and other state agencies have access to Registry data without signed confidentiality statements (p 62) Outside contractors and other state agencies have access to Registry data without CDHPE having adequate or control over work performance and is not able to ensure that these individuals maintain confidentiality of Registry data. (page 62) The Auditor "identified three areas in which law enforcement appeared to access Registry data under unallowable circumstances." (1) DOR staff "sought to verify red card information about multiple patients at one time, ranging from five to 107 patients" (p. 64) "We question whether Revenue enforcement offices have legal authority to verity patient Registry data during their dispensary investigations, because it is unlikely that those officers have actually 'stopped or arrested' every patient associated with a particular dispensary." (p. 64) (2) "The mechanism giving law enforcement 24-hour access to Registry data appears to provide more information than allowed under the Constitution." (3) "Confidentiality issue related to CBI's maintenance of the interface between the Registry and CCIC." The Auditor questions "whether they have the legal authority to access (5 years of) historical Registry data, because IT staff presumably are not stopping or arresting someone claiming to have a valid red card." Confidentiality Breaches 15 reported breach incidents during the approximately one-year time period of the Auditor's investigation Sometimes patients and caregivers were notified of breach, sometimes they were not 5400 caregiver names were "inappropriately proved to the State Auditor." The Attorney General stated that "the State Auditor cannot legally access personally identifiable data from the Registry." Caregivers were never notified. B. Law Enforcement Access to Registry is Illegal Patients are specifically concerned with preventing law enforcement from having access to the Registry. Despite patient concerns, the CDPHE has created a CCIC-Registry Online Database that all state law enforcement have access to. For years, Ron Hyman, director of the Medical Marijuana Registry, has told patients and advocates that the Registry is not available online, is in a locked room, and that only one backup disc exists for it. Mr. Hyman stated that law enforcement requests were handled by telephone, and that only "one or two requests a week" from law enforcement came after normal business hours. If it were not for the Auditor's Report, patients would never have known that the Registry is now available on the Internet and open not only to law enforcement access, but also to other state agencies and outside contractors, many of which have no confidentiality agreements on file with the Registry.

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 2

The CDPHE has no legal authority to link up the confidential medical marijuana Registry with the CBI-CCIC crime computer. As such, the CDPHE must disable these systems immediately and permanently. 1) The Constitution does not grant CDPHE legal authority. Article XVIII, Section 14 specifically protects the patient Registry, calling it "confidential" and allowing law enforcement to "gain access" only when they have "stopped or arrested" a person who presents a Registry ID card to them. Article XVIII, Section 14 (3) (a): "No person shall be permitted to gain access to any information about patients in the state health agencys confidential registry, or any information otherwise maintained by the state health agency about physicians and primary care-givers, except for authorized employees of the state health agency in the course of their official duties and authorized employees of state or local law enforcement agencies which have stopped or arrested a person who claims to be engaged in the medical use of marijuana and in possession of a registry identification card or its functional equivalent." 2) Statute does not give the CDPHE authority to allow law enforcement direct access to the Registry. The CDPHE claims (in the Auditor's report) that statutes created by House Bill 10-1284 in 2010 gave them the authority to give law enforcement full access to Registry data, including caregiver and physician information and plant count and marijuana amounts over 2 ounces that were recommended by physicians. However, HB1284 specifically DID NOT allow the police to access the Registry directly, but rather required the CDPHE check the Registry for them. CRS 2.25-1.5-106 (7) (d) states that, "Upon inquiry by a law enforcement officer as to an individual's status as a patient or primary caregiver, the state health agency shall check the registry." 3) Regulations promulgated by the CDPHE do not give authority. 5 CCR 1006-2 (2) (b) states, "Authorized department employees may respond to an inquiry from state or local law enforcement regarding the registry status of a patient or primary care-giver by confirming that the person is or is not registered. The information released to state and local law enforcement must be the minimum necessary to confirm registry status." 4) Direct Law Enforcement Access to the Registry Violates the Spirit of the Constitution and the Intention of the General Assembly in Statute The purpose of the confidential Registry was to make sure patients were protected from arrest if they were stopped by the police. The authors of Article XVIII, Section 14 knew that patients could not trust police, so they limited the power of law enforcement to access the Registry, in order for patients to feel secure about the Registry's confidentiality. If the intent of Article XVIII, Section 14 had been to allow law enforcement direct access, the authors could have done so in the language of the article. The intent was to protect patient information from law enforcement scrutiny. The state legislature agreed when it passed the statute regarding registry inquiries: CRS 2.25-1.5-106 (7) (d) states that, "Upon inquiry by a law enforcement officer as to an individual's status as a patient or primary caregiver, the state health agency shall check the registry." If the General Assembly had wanted to give law enforcement direct access to the Registry, they could have done it in writing the above statute. However, they specifically ordered that the "state health agency shall check" the Registry, not law enforcement directly.

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 3

5) Direct Law Enforcement Access is an Over-Reaching Solution Since the Registry's creation in 2001, CDPHE maintained the Registry on a single computer, in a locked room, with only one backup disk copy of the Registry. The new CCIC-Registry Online Database is clearly a substantive change in policy for the CDPHE. For 12 years, it was accepted CDPHE policy and practice to keep the Registry offline and respond to law enforcement inquiries through the telephone. Law enforcement would call the CDPHE if they had stopped someone with a Registry card, and the CDPHE would check the Registry to make sure it was valid. By the CDPHE's own admission, they only received one to two calls per week from law enforcement after normal business hours. Creating the CCIC-Registry Online Database was a over-reaching solution that was not necessary to fix the problem. The CDHPE could easily have hired one person for an overnight shift to answer the phone after standard business hours, especially considering that, according to the Auditor, CDPHEhas an extra $12 million in fees that they over-collected from patients. 6) Administrative Procedures Act Violated Pursuant to C.R.S. 24-4-103, this new CCIC-Registry Online Database constitutes a substantial change from the current system and should be subject to procedures for making new regulations under the state Administrative Procedures Act, including proper public notice and comment opportunities. 7) Open Meetings Laws Violated Pursuant to C.R.S. . 24-6-402, any meeting to discuss the CCIC-Registry Online Database should have been announced to the public. There was at least one meeting that the CDPHE and the CBI conducted illegally that activists were able to find out about and attend. See video: Activists stop CBI CDPHE Illegal Meeting 6/5/2012 http://www.youtube.com/watch?v=kckC1aqpI5w&feature=youtu.be Since the CCIC-Registry Online Database was a substantial change in policy, these private meetings were in violation of the Colorado Open Meetings Laws. 8) LaGoy Court Order Violated In the case of LaGoy v. Ritter, Case No: 2007 CV 6089, the Denver District Courts Order/settlement of November 15, 2007 provided in relevant part that: (3) The Colorado Department of Public Health and Environment shall provide notice to all state-registered medical marijuana patients, caregivers, and the parties to this action of any meeting to discuss possible policy changes or regulatory changes to the Colorado medical marijuana law when such notice is required by the Colorado Open Meetings Act, C.R.S. 24-6-401 et seq. and/or the Administrative Procedures Act, C.R.S 24-4-101, et seq. Pursuant to this court order, all patients should have been notified about the creation of the CCICRegistry Online Database and given the opportunity to attend hearings and submit public comment. The CDPHE did not provide notice of the any meetings regarding the CCIC-Registry Online Database to any state-registered medical marijuana patients or caregivers, therefore the CDPHE was in violation of this court order when they secretly created the CCIC-Registry Online Database. 9) Patient's Right Against Self-Incrimination Violated Both Colo. Const. Art. II, Section 18 and the US Constitution, Fifth Amendment protect a person's right against self-incrimination. Since the federal government considers medical marijuana illegal under federal law, allowing law enforcement to access the confidential Registry, or requiring a patient to use a Registry that has been proven to be non-confidential, violates the patient's right against selfincrimination. The CDPHE is required to maintain a strictly confidential Registry in order to protect the Fifth Amendment right of patients not to incriminate themselves in federal crimes. See Leary v. United States - 395 U.S. 6 (1969): A U.S. Supreme Court case dealing with the constitutionality of the Marihuana Tax Act of 1937. Timothy Leary, a professor and activist, was arrested for the possession of marijuana in violation of the Marihuana Tax Act. Leary challenged the act on the ground that the act required self-incrimination, which violated the Fifth

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 4

Amendment. The unanimous opinion of the court declared the Marihuana Tax Act unconstitutional. 10) HIPAA Violations The federal HIPAA Act protects all "individually identifiable health information" held or transmitted by a covered entity or its business associates. HIPAA Privacy Rules require health care providers not to disclose the "Protected Health Information" of patients. Allowing law enforcement to have direct access to the Registry may be a federal HIPAA violation. C. CBI/CCIC Query Database is Illegal 1) CBI-CCIC Query Database Description The Auditor's report was the first time patients became aware of the existence of the CCIC-Registry database, and the first time in the Registry's history that law enforcement has had direct access to the Registry in any way. The Auditor's Report states that the CDPHE "established a mechanism to provide law enforcement 24hour Registry access in April 2013." (page 64) The Report continues, "Through an agreement with the Colorado Bureau of Investigation (CBI), Public Health implemented an automated interface between the Registry and the Colorado Crime Information Center (CCIC), a statewide computer system that delivers criminal justice information to law enforcement agencies. Using the interface, law enforcement officers can query a patients name, date of birth, and red card serial number to determine if a patients card is valid. If the patient has a record in the Registry, the interface generates a response that includes the patients red card issuance and expiration dates, as well as the number of marijuana plants and ounces of medical marijuana that a physician recommended for the patients medicinal use." 2) CBI-CCIC Queries Give Too Much Confidential Patient Information Later in the report, the Auditor writes, "It is not clear that Public Health has constitutional authority to provide information about patient plant and ounce counts through the Registry-CCIC interface." According to the Constitution, the CDPHE should only be returning either a simple YES/NO response to database queries. As the Auditor shows, any other information is a violation of patient confidentiality. 3) Agreement Between CBI and CDPHE Allows CBI to Keep Private Patient Information The official Agreement between the CDPHE and CBI regarding "Law Enforcement Queries of the Medical Marijuana Registry Information" dated October 2012 (attached) on page 3-4 states: "The CCIC transaction log is an existing feature of the CCIC system. CCIC records every inquiry made through CCIC as well as the provided response. Recording CCID throughput allows CCIC support personnel at CBI to: Assure received data is transferred accurately to users Perform diagnosis of technical problems Validate, when requested by court order in criminal cases, law enforcement acted appropriately based on the information presented to them. The log's record of prior transactions is maintained for at least five years and its access is restricted to CCIC support personnel at CBI only." This agreement allows the CBI to keep all queries to the Registry, including names of patients. There are no safeguards on how the CBI may use this information.

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 5

4) Parallel Construction: Patient Data Can Be Used by Law Enforcement to Target Them Reuters reported on 8/5/13 (attached) that the federal Drug Enforcement Administration had been regularly allowing "parallel construction" of investigations based on unlawfully-obtained secret tips that they provide to local law enforcement. With the CDPHE allowing the CBI to keep patient query records for 5 years, there is no guarantee against or safeguard preventing law enforcement from using confidential Registry information to begin investigations into people, and then use "parallel construction" to cover-up the original source of information. http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805 Similarly, an article in Westword on Jun. 15 2012 quotes CDPHE/CBI internal communications that indicate they intended to use the CCIC-Registry Online Database to do searches that were intended not only to verify "ownership and lawfulness" of medical marijuana, but also to "identify individuals to whom transferring a firearm would violate [Federal law]." Westword reports that CDPHE documents stated: "This purpose will be used by the CBI Instacheck unit to determine whether an individual may possess a firearm under federal law. It will also be used by law enforcement for similar activities." http://blogs.westword.com/latestword/2012/06/medical_marijuana_patients_criminal_database_flagged. php D. CDPHE HAS NO CONTROL OVER REGISTRY DATA During the short time period that the Auditor's Report considered, over 100 people at any given time have had access to the Registry, with little or no oversight. 1) COHELP: On page 62 and 63 of the Auditor's report, the Auditor discusses how the CDPHE MMJ Registry uses an outside contractor to provide information to the public about the Registry. The COHELP hotline (Colorado Health Emergency Line for Public Information) is the state's main BIO-TERRORISM and health information hotline, but 95% of its calls concern the Medical Marijuana Registry. The COHELP hotline is run by Denver Health and Hospital Authority, a private contractor, and the hotline is overseen by the Office of Emergency Preparedness and Response, not the MMJ Registry. Because of this, the Auditor concludes, "The medical marijuana program does not have control of the work performance of COHELP staff." (p. 63) 2) No Confidentiality Agreements The Auditor stated that CDPHE was unable to provide signed confidentiality statements of 30% of the people that they checked in their random sample. A Colorado Open Records Request, from Kathleen Chippi of the Patient and Caregiver Rights Litigation Project, sought information on confidentiality agreements that the CDPHE had on file for people who had access to the Registry. The CORA Request showed that the CDPHE was missing a substantial number of confidentiality agreements. 3) Access by Multiple Outside Entities In the response to Chippi's CORA request, the CDPHE directed Chippi to contact the following outside entities if she wished to find any of the missing confidentiality agreements: Express Employment Professionals Colorado Department of Personnel and Administration Rocky Mountain Poison and Drug Center Governor's Office of Information Technology (OIT) This is more proof of the Auditor's concerns that the CDPHE did not have direct control over the people and entities that had access to the Registry.

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 6

E. AMENDMENT 64 IS NO SOLUTION The Board of Health may be inclined to deny this Emergency Rules Request on the grounds that Amendment 64, a Constitutional amendment regarding marijuana that passed by voters in 2012, may offer a solution. The Board may want to force patients to use A64 retail marijuana stores to acquire their medicine. However, there are many reasons why A64 retail marijuana stores as defined in Article XVIII, Section 16 of the Colorado Constitution will never be an adequate place for patients protected by Article XVIII, Section 14 (Am. 20) to obtain their medicine. Medical marijuana under Article XVIII, Section 14 (Am. 20) is different from the marijuana in Article XVIII, Section 16 (Am. 64) in the following ways: 1) Medical marijuana patients protected under Article XVIII, Section 14 are: a) Guaranteed confidentiality. b) Allowed an affirmative defense in court that their marijuana was medically necessary. c) Allowed a to cultivate more than 6 plants if the patient determines it is medically necessary d) Allowed a to cultivate more than 2 ounces if the patient determines it is medically necessary 2) Police cannot destroy medical marijuana if it is seized in a criminal investigation and must return the medical marijuana to the patient if the patient is acquitted of criminal offense. 3) Medical marijuana will not be subject to the mandatory taxes required of A64 retail marijuana 4) The Single Convention on Narcotic Drugs of 1961 is an international treaty that the US has adopted. This treaty specifically exempts medical marijuana from international drug control measures, as long as the medical marijuana program is state-controlled. III. OTHER MAJOR FACTUAL AND POLICY ISSUES ENCOUNTERED The CDPHE has a history of treating confidential information in a cavalier manner. In addition to all the problems uncovered in the Auditor's Report, the CDPHE has recently mishandled confidential death certificate information. Channel 7 News: 91 death certificates lost by CDPHE while being sent from one state office to another (May 17, 2013) http://www.thedenverchannel.com/news/local-news/91-death-certificates-lost-while-being-sent-from-onestate-office-to-another IV. JUSTIFICATION FOR EMERGENCY NATURE OF RULES CRS 24-4-103 (6) (a) provides that an "emergency rule may be adopted if the agency finds that immediate adoption of the rule is imperatively necessary to comply with a state or federal law or federal regulation or for the preservation of public health, safety, or welfare..." Over 200,000 patients, former-patients and caregivers have had their confidential data compromised in unknown ways. The many documented leaks of Registry information reported by the Auditor constitute a substantial failure of the CDPHE to protect the confidential Registry as required by the Constitution. It is unclear what information was given to whom and when, or even how many copies of the Registry exist. Because of these massive failures, the Registry must be presumed to be breached in its entirety. Even one breach of the Registry is too many. Patients can no longer trust the CDPHE to maintain the confidential Registry that they paid them to maintain. The current Registry must be disabled, and an entirely new system must be devised to create a new Registry that is truly confidential. The proposed rules will create a system of checks and balances and reporting that will eliminate the illegal direct law enforcement access to the Registry, and ensure the confidentiality of the Registry and the integrity of the employees who have access to this information.

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 7

According to the Auditor's Report, hundreds of people working both for the state government and outside contractors have had access to the entire MMJ Registry. The Auditor's Report shows that there were very few, if any, safeguards on how these people used this information. The Auditor showed the CDPHE didn't even require signed confidentiality agreements or contracts for all the people and entities that accessed private Registry data. Because of the quantity of records exposed and the number of people affected, it is imperative that the Board act immediately to prevent any future breaches of confidential information and to try to mitigate any harm that has already occurred. V. PROPOSED RULE Be it hereby amended that the Rules and Regulations Pertaining to Medical Use of Marijuana (5 CCR 1006-2) Regulation 1, which governs the "establishment and confidentiality of the Registry for the medical use of marijuana", be amended by the inclusion of the following new Section C. to be added to Regulation 1. Section C. Security of the CDPHE Confidential Medical Marijuana Registry (i) The CDPHE shall be responsible for all aspects of maintaining a confidential Registry of medical marijuana patients in accordance with Article XVIII, Section 14 of the Colorado Constitution. (ii) No information contained in the CDPHE Confidential Medical Marijuana Registry shall ever be shared with the Department of Revenue, the Colorado Bureau of Investigation, or any other local, state or federal agencies, or any other entity, except as provided for in this section. (iii) The current CCIC-Registry Online Database shall be immediately and permanently disabled. (iv) All copies of the Registry, both paper and electronic, in the possession of the Colorado Bureau of Investigation, the Department of Revenue, or any other person, department, or entity, shall be destroyed, and their destruction shall be witnessed and documented by the head of each department or entity that was responsible for overseeing their access to the Registry. (v) Everyone on the Registry, including patients, caregivers and physicians shall be immediately notified by mail of the Auditor's Report of June 2012 and sent the reasons for the destruction and re-creation of the Registry at least 60 days before the destruction of the Registry. (vi) A procedure shall be created for patients to request a copy of any of their personal information from the Registry before it is destroyed, including persons or entities that had access to their confidential Registry data at any time in the past. (vii) A new and secure Registry will be created to regain patient confidence in the Registry's privacy. (viii) Patients shall not be charged any fee in order to register with the new Registry. (ix) Access to the new Registry is limited only to CDPHE authorized employees. In order to be considered an "authorized employee", the person must be employed by the CDPHE, must have been a resident of Colorado for the past two years, must not have not have been convicted of a felony in the past 5 years, must have a current Public Official Surety Bond in the amount of $5,000 or more, and must maintain a current set of fingerprints on file with the Colorado Bureau of Investigation. The "authorized employee" shall be designated in writing by the CDPHE director. All authorized employees must sign a confidentiality statement. (x) The CDPHE may maintain only one confidential Registry electronic database. (xi) This electronic Registry database must reside on a single computer located securely inside the Colorado Department of Public Health and Environment. (xii) This computer must not be connected to or accessible through any internal or external computer network. (xiii) One electronic backup of this database shall be stored in an off-site, secret location. (xiv) Patients shall be referred to in the electronic database only by their Registry ID number and never by name. Names and other details necessary to identify individuals shall not be included in the electronic database. The only place that the Registry will link patient names with their Registry ID numbers shall be in the original application documents filed by the patient in order to become a member of the Registry. These original application documents shall never be digitized or duplicated in any way. These hard copy records and any keys linking the Registry ID card and the patient's name shall be kept in a locked cabinet in a locked room. (xv) A database security package shall be implemented on this single computer and the electronic backup to control unauthorized access to the Registry. Attempts to gain access by unauthorized individuals are automatically recorded and reviewed on a regular basis.
CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13) Page 8

(xvi)

(xvii)

(xviii)

(xix) (xx) (xxi)

(xxii) (xxiii) (xxiv) (xxv) (xxvi) (xxvii)

(xxviii)

(xxix)

Physical Safeguards: Access to the CDPHE Confidential Registry computer room and offsite backup location shall be controlled by a cardkey system. These rooms shall be under constant video surveillance. Camera coverage must enable recording of the employee(s) facial features with sufficient clarity to determine identity. Surveillance tapes shall be kept for a minimum of 30 days. The rooms shall be protected by an automatic sprinkler system and numerous automatic sensors (e.g., water, heat, smoke, etc.). Portable fire extinguishers shall be located throughout the computer room. The computer room and offsite backup location shall be guarded by one security guard person at all times. Procedural Safeguards: Protection for computerized records includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Any person who breaches the confidentiality of the Registry shall be referred to the Attorney General for prosecution under 18-18-406.3, which makes it a crime for a government official to violate the confidentiality of the Registry: 18-18-406.3. (5) Any person including, but not limited to, any officer, employee, or agent of the department, or any officer, employee, or agent of any state or local law enforcement agency, who releases or makes public any confidential record or any confidential information contained in any such record that is provided to or by the marijuana registry of the department without the written authorization of the marijuana registry patient commits a class 1 misdemeanor. Pursuant to Article XVIII, Section 14 of the Colorado Constitution, caregiver registration is not required. Therefore, caregiver data shall not be stored in the Registry. Pursuant to Article XVIII, Section 14 of the Colorado Constitution, physician registration is not required. Therefore, physician data shall not be stored in the Registry. Pursuant to Article XVIII, Section 14 patient registration with the CDPHE is voluntary. It is required to receive exemption from criminal laws. However, only a previous diagnosis of a debilitating medical condition is required for a patient to raise an affirmative defense at trial. Therefore, participation in the confidential Registry is optional for the patient. By Oct. 1, 2013, the CDPHE must appoint an electronic security expert who will be responsible for protecting the confidentiality of the Registry from a breach of any kind. All Registry information shall be confidential and shall not be revealed in any report or any other matter prepared, released or published Law enforcement inquiries will be by telephone or fax only. Law enforcement must have the Registry ID card in order to request a search of the Registry. Law enforcement inquiries will be responded to promptly 24 hours a day / 7 days a week by an authorized CDPHE employee. The CDPHE shall create an Incident Report any time the electronic database or original application documents are inquired about, accessed or breached in any way. This shall include all law enforcement inquiries or inquiries from any other entity, including state, local or federal government agencies. a. The Incident Report shall include, at minimum: i. What information was requested ii. Who requested the information iii. When and how the information was requested iv. Under what authority the information was requested v. What information was provided to the requesting entity Patient shall be notified every time law enforcement or any other entity requests information about them contained in the Confidential Registry. The CDPHE shall mail a letter in a discreet envelope to the patient's last known address within 30 days of the Registry inquiry. The CDPHE shall provide a quarterly Registry Security Status Report containing a detailed audit of the current security of the Confidential Medical Marijuana Registry. The Report shall include detailed specifications for the current security of both physical and electronic Registry documents. The report shall also include a listing of which, if any, entities outside of the CDPHE have accessed or copied the Registry since its inception in 2001 and the purpose of that access. This shall include

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 9

any breaches of the Registry, even if by unknown sources. Reports will include all Incident Reports collected by the CDPHE. (xxx) The first Registry Security Status Report shall be submitted to the Board of Health by Nov. 1, 2013. Thereafter, Reports will be due one week before every Board of Health meeting. (xxxi) The CDPHE shall ensure that all CDPHE employees authorized to access the Registry CDPHE have completed a Security Training similar to the one outlined in former MMJ Registry Director Bob O'Doherty's "CDPHE Security Training Outline - version 1 9/22/04" (attached). We respectfully ask the Board of Health to consider these emergency rules on behalf of Colorado's patients, who have a Constitutional right to confidential access to medical marijuana. If the Board denies this emergency petition, we request that the Board explain its denial at its next meeting or, preferably, to set a formal rulemaking hearing for the Board's next meeting on August 21, 2013, allowing ample time for patient comment. Sincerely,

Laura Kriho, Director Cannabis Therapy Institute

Kathleen Chippi Patient and Caregiver Rights Litigation Project Attachments: 1) Office of the State Auditor's Report on the CDPHE's role in the Medical Marijuana program, dated June 2013 2) Reuters News Story, U.S. directs agents to cover up program used to investigate Americans, August 5, 2013 3) Official Agreement between the CDPHE and CBI regarding "Law Enforcement Queries of the Medical Marijuana Registry Information" dated October 2012 4) CDPHE Response to Chippi's CORA Request, August 6, 2013 5) CDPHE Security Training Outline, by MMJ Registry Director Bob O'Doherty's, version 1 9/22/04 CERTIFICATION This emergency petition was sent via email on 8/15/13 to the following people: To: Colorado Board of Health Email: cdphe.bohrequests@state.co.us Cc: Jamie Thornton, Board of Health Program Assistant Email: jamie.thornton@state.co.us Laura J. Davis, Board of Health President Ball Aerospace & Technologies 9675 W. 108th Circle Westminster, CO 80021 E-mail: ldavis@ball.com Medical Marijuana Registry Email: medical.marijuana@state.co.us

Karin McGowan, Interim Executive Director, CDPHE Email: karin.mcgowan@state.co.us, cdphe.information@state.co.us

CTI/PCRLP MMJ Registry Emergency Rule Petition (08/15/13)

Page 10