Massachusetts’ first and (thus far) only dispensary accidentally shared patients’ e-mail addresses with other patients, potentially violating the Department of Public Health rules on patient confidentiality.
Alternative Therapies Group (ATG) sent an e-mail to 157 people, listing their addresses in the carbon copy, or CC, field rather than the blind carbon copy, or BCC, field, meaning everybody receiving the e-mail could see others’ addresses, according to an exclusive report by the Boston Globe.
The situation underscores how important it is for new cannabis companies to have full systems and processes in place from the outset of the business.
The original e-mail was sent to confirm appointments for Thursday and to tell patients what to expect when they arrive. ATG sent e-mails after realizing the mistake, saying it understands “the sensitivity of personal information and deeply” regrets the error, the newspaper reported.
DPH regulations say patient information is “confidential and shall not be disclosed without the written consent of the individual to whom the information applies,” according to the Globe.
Whether ATG broke any federal Health Insurance Portability and Accountability Act (HIPAA) rules, which govern patient privacy, is debatable.
One lawyer interviewed by the newspaper said HIPAA regulations likely wouldn’t extend to dispensaries because they don’t handle insurance claims or bill electronically. Another lawyer, however, said the e-mail addresses would in fact qualify as protected information.