Medical Marijuana and HIPAA Compliance

With the medical marijuana industry regularly growing and expanding to new states and cities, it has remained a consistent question of whether or not dispensaries and other businesses in the cannabis industry are required to meet the HIPAA compliance requirements. It also seems that there are a fair amount of misconceptions about HIPAA in this industry. Don’t worry, we’ll answer all of your questions about HIPAA and Cannabis, just read on!

What is the HIPAA about? 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed to set standards and requirements for the privacy and security of patient’s protected health information or PHI. PHI is any health data that is created, shared, received, or stored by any covered entity or business associate as defined by HIPAA. A covered entity (CE) is an organization or business that provides treatment, payment, or direct operations in healthcare. These CE's also work with business associates, which are vendors that perform a service for the covered entities that require them to store, access, or transmit PHI. Under the law, both covered entities and their business associates must comply with all parts of HIPAA.

Since the law deals with the safe handling of personally identifiable health information, any organization that handles this information in any way must comply with all aspects of HIPAA. This act allowed the Department of Health and Human Services (HHS) to set the standards and enact penalties for noncompliance to all the rules of HIPAA. The bottom line of this rule is that all healthcare organizations must ensure and encrypt the protected health information that they have, whether that is physical or electronic.

Does HIPAA apply to Medical Cannabis? 

Over the years, there have been some misconceptions about medical marijuana companies not needing to comply with HIPAA because their business is federally illegal but allowed by their state, therefore they believe that this federal law does not apply to them. However, since medical marijuana dispensaries require a medical prescription in order to provide the product, that would classify them as a HIPAA-covered entity as we defined above. This status puts them right under the HIPAA umbrella, requiring them to fully comply with the federal law as they encrypt and protect their patient’s important health data.  

When it comes to HIPAA compliance, the requirements for medical marijuana businesses are just like that of any other medical service that processes protected health information. Patient information is protected under HIPAA for any covered entity or business associate regardless of their specific practice within the healthcare industry. But what does that look like in this industry?

HIPAA Compliance within the Cannabis industry

Since businesses in the medical cannabis industry have to operate carefully within the restrictions of federal and state laws, they typically use patient verification systems. These systems, which usually exist virtually, contain forms of PHI like contact information, medical record numbers, health diagnosis, or other information. These verification systems allow dispensaries to ensure that an individual does have a necessary prescription before providing their treatment. Some states require dispensaries to maintain PHI in this way, while others allow cash dispensaries that do not retain information. If a dispensary is a cash-only operation, meaning that they do not store, process, or create PHI in any way, then they do not have the same obligations to comply with HIPAA.

Outside of the cash dispensaries, any dispensaries or businesses that do keep track of this protected health kind of information about a patient are required to comply with all of the HIPAA rules. This can apply to medical cannabis dispensaries, CBD or CBD product providers, and more. If you are unsure if your company in the cannabis industry would fall under HIPAA requirements, take Accountable’s short and free HIPAA risk analysis questionnaire to see where your risks are of being noncompliant.

So.. HIPAA does apply to you, now what? 

Just like many other kinds of healthcare providers and organizations, medical cannabis dispensaries and businesses need to be aware that breaches of private information can happen if PHI is not carefully and properly safeguarded. A dispensary should think about how protected health information is being collected, stored, and shared within their organization. HIPAA violations can occur due to a wide range of mistakes such as the lack of protection when sharing information, storing data off-site without encryption, and improper handling by employees.

It is important that you learn all of the requirements of HIPAA’s Security and Privacy Rules and begin to take steps to comply with those. In all the ways that you are storing or sharing PHI data, you should be careful to only use HIPAA-compliant technologies. Any vendor or entity that you will share PHI with in any capacity, must enter into a business associate agreement with you so that both parties claim liability to their part of the HIPAA requirements. Since medical marijuana rules vary by state and covered entity status might vary based on your type of dispensary, make sure to do some research and ask the right questions so that you know where you need to stand on HIPAA compliance.

We know that HIPAA is complex and overwhelming. That is why Accountable exists to make compliance simple by creating a step-by-step approach to HIPAA training. The software enables you to keep up with your employee’s HIPAA training, implement needed policies and procedures, track your business associate agreements, and more. Don’t believe us? You can try our HIPAA compliance software solution right now for free.