As more and more states begin to legalize recreational cannabis, medical marijuana seems to have carved out a solid niche across most of the country. Medical marijuana falls somewhere in the middle between “medically accepted treatment facility” and “supplier of controlled substances.” For producers, suppliers, and dispensaries, this leaves one big unanswered question: Are they responsible for following the Health Insurance Portability and Accountability Act (HIPAA)?
Essentially, HIPAA sets policies, procedures, and guidelines to maintain patient security and privacy over protected health information (PHI). In 1996, when HIPAA was passed, it was the first significant privacy law, and it put civil and criminal penalties in place for violations of patient information. But since medical marijuana businesses aren’t technically healthcare providers, are they subject to HIPAA requirements? And because the federal government hasn’t legalized marijuana in any capacity, does HIPAA apply at all?
The short answer is probably. Even though cannabis is considered a controlled substance under federal regulations, the government still taxes medical marijuana dispensaries - meaning the government (at least partially) accepts and endorses medical marijuana dispensary activities. And because medical marijuana is a healthcare-related need, vendors and dispensaries need to enforce HIPAA. However, not ALL medically necessary activities and drugs are covered by HIPAA. In order to know if marijuana dispensaries comply with HIPAA, dispensaries need to understand the law and truly know whether or not their patients are covered.
HIPAA applies under three conditions.
Medical marijuana dispensaries always meet the first requirement since patients need prescriptions to get medical cannabis. The second requirement must be determined on a case-by-case basis since not all dispensaries collect personal information. Any dispensary that collects data from health insurance, medical records, and identifiable details like names, addresses, etc. is included in this stipulation. For the third requirement, any dispensary that records and stores PHI (likely from medical marijuana cards and doctor records) is required to follow HIPAA laws. It doesn’t matter if the information is stored in the cloud or an on-site database; if personal information is stored, it will trigger HIPAA.
For medical marijuana dispensaries that fall under HIPAA, remaining fully compliant can be a challenge. According to HIPAA regulations, all qualifying information and transactions must be fully encrypted, and records must be handled with complete care to maintain confidentiality. The blockchain allows for an easy and reliable way to stay HIPAA compliant without risking privacy breaches or system hacks. On the blockchain, medical marijuana dispensaries would be able to add patient details, record all transactions, and maintain patient history in an immutable, encrypted ledger. It’s the perfect solution for the industry.
As a big bonus, medical marijuana dispensaries that can prove that they are entirely HIPAA compliant will have an advantage over their competitors. Patients will have peace of mind that their information is safe and encrypted, and insurance companies will be more likely to work with dispensaries that they can confirm are fully compliant.
Want to learn about the CERES blockchain and how we can help you remain HIPAA compliant? Contact us at firstname.lastname@example.org.