Customers are often asked whether HIPAA is applicable to the cannabis industry. As with anything else in healthcare, the answer can be complicated. HIPAA was promulgated in 1996 to help protect patients’ health care information. Although HIPAA is extensible, to some extent state laws are more restrictive or protective, and state laws will control in these situations. 45 CFR§160.201 Wait.sequence. But the first question is whether HIPAA is applicable to the cannabis industry.

Do marijuana dispensaries cover entities?

For information protected by HIPAA, there are several aspects that need to be analyzed. In the final analysis, HIPAA will apply when the “protected entity” has “protected health information”. As with any other statutory system, the first thing to analyze is the definition. “Covered entities” include health plans (for example, third-party payers), healthcare information clearing houses (for example, third-party systems that interpret claims data between healthcare provider systems and third-party payers), and healthcare provider. 45 CFR§160.103. So, is the pharmacy a “healthcare provider”? For adult use or recreational pharmacies, the answer is no. However, for medical marijuana dispensaries, an in-depth understanding of HIPAA regulations is essential.

The definition of a medical care provider includes: (1) a service provider as defined in the “Social Security Law”; (2) a medical or health care provider as defined in the “Social Security Law”; and (3) in normal Any other person or organization that provides, bills, or pays for it in the course of business. ID. Under this definition, hospitals, physicians, medical clinics, and many other types of medical service providers are clearly underwriting entities.

However, pharmacies are not part of the entities specified in the Statute. Does this mean that medical marijuana dispensaries are not healthcare providers? no. To help clarify the definition of a healthcare provider, it is also important to understand the definition of “healthcare”. As stated in the HIPAA regulations, “medical care refers to care, services or supplies related to personal health”. ID. The regulations then provide specific examples of healthcare (not intended to cover all aspects). In general, healthcare includes:

(1) Prevention, diagnosis, treatment, rehabilitation, maintenance or palliative care as well as consultation, service, evaluation or procedures for the physical or mental condition or functional condition of an individual or that affects its structure or function; and

(2) Sell or distribute medicines, devices, equipment or other items in accordance with prescriptions. ID.

Under any of the above clauses, a medical marijuana dispensary can be considered a health care provider. Depending on the state you live in, medical marijuana may be “prescribed” for “treatment” or “palliative” care. See, for example, ARS 36-2801(11) (In Arizona, “medical use” refers to the acquisition, possession, cultivation, manufacture, manufacture, use, management, delivery, transfer, or transportation of cannabis or equipment related to the treatment or mitigation of cannabis management The debilitating medical condition of a registered qualified patient or the symptoms related to the patient’s debilitating medical condition.”). In addition, when a “prescription” is required to obtain medical marijuana, the second part of the above definition can of course be used (for example, “ Sell ??or distribute marijuana”).[n]”(In accordance with the prescription items.”).

A strong argument can be made that medical marijuana dispensaries are covered entities under HIPAA. The final decision will depend on the specific circumstances, and state laws play an indispensable role in assessing these issues.

Protected health information

The second part of the analysis is whether the medical marijuana dispensary has “protected health information.” As with the above analysis, definition is the starting point.

HIPAA defines “protected health information” as individually identifiable health information: namely: (1) information transmitted through electronic media; (2) maintained through electronic media; (3) transmitted or maintained in any other form or medium . ID. Therefore, before analyzing the applicability of protected health information to cannabis, the definition of “personally identifiable health information” is crucial. Personally identifiable health information includes –

Demographic information collected from individuals, and: (1) Created or received by a healthcare provider, medical plan, employer, or healthcare information clearinghouse; (2) In relation to the individual’s past, present or future physical or mental health or The situation is related; the provision of health care to the individual; or the past, present, or future payment of the provision of health care to the individual; (i) to identify the individual; (ii) there are reasonable grounds to believe that the information can be used to identify the individual. ID.

Of course, medical marijuana dispensaries can well maintain protected health information. For example, if the information maintained by the pharmacy includes the patient’s name, social security number and/or any other identification information, as well as the patient’s diagnosis and purchase information, it is not so easy to understand the scope of HIPAA.

What if the pharmacy is an insured entity?

Although the above content is mainly an academic activity, it is more practical to formulate protective measures that meet the requirements of HIPAA. The Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services is the regulatory agency for HIPAA. OCR has the right to assess fines for HIPAA violations, which may be very important. In addition, violations of HIPAA may cause infected patients to file lawsuits based on various legal theories, including privacy violations and other infringement claims.

To avoid HIPAA violations, some basic actions include implementing comprehensive policies and procedures, and regularly educating pharmacy employees. In addition, if HIPAA is violated, the pharmacy owner wisely purchases cyber liability insurance. In future posts, we will detail more requirements under HIPAA.

HIPAA is a complex regulation. As mentioned above, there is also an interaction with state laws, which makes the analysis more complicated. It is wise for owners of medical marijuana dispensaries to seek an attorney as to whether HIPAA is applicable and, if applicable, how to comply with HIPAA (and possibly state privacy laws).