Cannabis Dispensaries and the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) – Part I

Customers have often asked if HIPAA applies to the cannabis industry. As with anything else in healthcare, the answer can be complex. HIPAA was established in 1996 to protect a patient’s health information. While HIPAA is expansive, state law will control where it is more restrictive or protective. 45 CFR § 160.201 et seq. The first question, however, is whether HIPAA applies to the cannabis industry.

Are cannabis dispensaries covered entities?

To determine whether information must be protected under HIPAA, several elements must be analyzed. Stripped to the basics, HIPAA applies when a “Covered Entity” has “Protected Health Information”. As with any other legal regime, the definitions are the starting point for analysis. A “Covered Entity” includes a health insurance plan (e.g., a third-party payer), a healthcare clearinghouse (e.g., a third-party system that interprets claims data between health care provider and third-party payer systems), and a health care provider. 45 CFR § 160.103. So is a dispensary a “health care provider”? For adult-use or recreational dispensaries, the answer is no. However, for medical marijuana dispensaries, a deeper dive into HIPAA regulations is essential.

A health care provider comprises (1) a provider of services within the meaning of the Social Security Act, (2) a provider of medical or health services within the meaning of the Social Security Act, and (3) any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Id. Under this definition, a hospital, doctor, health clinic and many other types of health care providers are clearly covered entities.

However, a dispensary is not one of the entities expressly listed under the law. Does this mean a medical marijuana dispensary is not a healthcare provider? No. To better shed light on the definition of a health care provider, it is also important to understand the definition of “health care”. The HIPAA regulations state, “Health care means care, services, or supplies related to a person’s health.” Id. The regulations then contain specific examples (which are not intended to be exhaustive) of health care. Overall, health care includes:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, as well as advice, service, assessment or procedures relating to the physical or psychological condition or the functional status of a person or the structure or function of the body; and

(2) Selling or dispensing a drug, device, equipment, or other item under a prescription. Id.

Under both of the preceding provisions, it can be argued that medical marijuana dispensaries are healthcare providers. Depending on which state you live in, medical marijuana can be “prescribed” for “therapeutic” or “palliative” care. See, e.g., A.R.S. § 36-2801(11) (In Arizona, “medical use” means “the acquisition, possession, cultivation, manufacture, use, administration, supply, transfer, or transportation of any marijuana or paraphernalia related to the administration of marijuana to treat or alleviate the debilitating medical condition of a registered qualified patient or symptoms associated with the debilitating medical condition of the patient.”). In addition, if a “prescription” is required to obtain medical marijuana, the second part of the definition above would certainly apply (e.g., the “sale or dispensing of a[n] item under a prescription”).

A compelling argument can be made that a medical marijuana dispensary falls under HIPAA. The final decision will be made on a case-by-case basis, and state laws play a vital role in evaluating these issues.

Protected health information

The second part of the analysis is whether a medical marijuana dispensary has “protected health information”. As with the analysis above, definitions are the starting point.

HIPAA defines “Protected Health Information” as individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium. Id. Before analyzing the applicability of protected health information in the cannabis context, the definition of “individually identifiable health information” is therefore essential. Individually identifiable health information includes:

Demographic information collected from an individual that: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care services to an individual; or the past, present, or future payment for the provision of health care services to an individual; and (i) that identifies the individual; or (ii) in relation to which there is a reasonable basis to believe that the information can be used to identify the individual. Id.

Certainly, a medical marijuana dispensary could very well maintain protected health information. For example, if the dispensary maintains information that includes the patient’s name, social security number, and/or other identifying information, as well as the patient’s diagnosis and purchase information, it is not difficult to see how HIPAA would apply.

What does a dispensary have to do if it is a covered entity?

While the foregoing is primarily an academic exercise, adopting HIPAA-compliant safeguards is much more practical. The Office of Civil Rights (“OCR”), located in the US Department of Health, is the regulator of HIPAA. The OCR has the power to assess fines for violations of HIPAA, which can be very significant. In addition, violating HIPAA can lead to lawsuits from affected patients under various legal theories, including invasion of privacy and other tort claims.

To avoid violating HIPAA, some of the basic actions include implementing comprehensive policies and procedures and regularly training dispensary staff. In addition, it would be advisable for a dispensary owner to take out cyber liability insurance in case of a HIPAA breach. In future posts we will go into more detail on the requirements under HIPAA.

HIPAA is a complex law. As mentioned above, there is also an interplay with state law that makes the analysis even more complex. A medical marijuana dispensary owner should seek advice on whether HIPAA applies and, if so, how to comply with HIPAA (and possibly privacy laws).