Cannabis businesses often have two revenue streams: medicinal and recreational. Medical marijuana is legal and being prescribed in thirty-six states across the US. Does that mean HIPAA laws apply?
The Health and Human Services Office states that covered entities must follow HIPAA regulations. Covered entities are defined as:
- Health plans – this includes health insurance companies and plans that pay for health care
- Healthcare providers – this includes doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists
- Healthcare clearinghouses – entities that process nonstandard health information they receive from an entity into a standard data format
In addition, business associates must comply with HIPAA laws when dealing with health information. Business associates are defined as contractors, subcontractors, and other outside people and companies that may access health information or provide services for a covered entity.
Does that make a cannabis business a covered entity? It depends.
Medical marijuana businesses are still in the formative stages, and with vague laws comes equally ambiguous guidance. While dispensaries are not explicitly listed as covered entities, there is enough crossover that any dispensary selling on the medicinal side should plan accordingly. You can further define your role by asking three questions:
1. Could your cannabis business be considered a “healthcare provider?”
Pharmacies are just one of the industries listed under the HHS-defined term “healthcare providers.” Because medical marijuana dispensaries process a “prescription” for “treatment,” it could be said that cannabis businesses that fill these prescriptions should follow HIPAA guidelines.
2. Does your cannabis business handle PHI?
HIPAA laws define personal health information (PHI) as data that can be tied to an individual. It includes one or more of eighteen identifiers, including names, geographical identifiers, dates, phone numbers, and device identifiers. The more tailored the process is for creating a product specifically for a patient, the closer you get to matching the specific guidelines of PHI. This may be a gray area right now, but keep in mind it’s changing all the time.
3. Does your cannabis business store PHI?
For many patients, prescriptions are recurring transactions. It benefits both you and the patient to store information that makes future transactions easy. HIPAA defines covered transactions as anything that requires:
- A request for payment
- A request for information to a health plan
- A review of health care
- A request for information about the status of a healthcare claim
- Transmission of anything from a health plan
Medical marijuana may not be covered by health insurance … yet. But it’s easy to see a time in the future when that will be possible.
It’s better to be aware of the guidance early in the process and build your structure before it becomes law. Learn the rules now. Build your platform to ensure you keep all aspects of your cannabis business safe and secure.
It’ll help you be better prepared for the future.
For IT Strategy, Security and Compliance, or Help Desk Services, reach out to us at Cannabis Technology Partners 360-450-4759.