Are cannabis dispensaries covered entities under HIPAA?

No, marijuana dispensaries are not covered entities.

HIPAA and medical marijuana 

At a state level, 38 states have legalized the use of marijuana for medical purposes, each state with its own regulations. 

It remains classified as a Schedule I controlled substance on a federal level, under the Controlled Substances Act (CSA). The classification means that the substance is considered to have a high potential for abuse, making the possession and use illegal federally. 

This makes the classification of marijuana under HIPAA difficult. When used medically on a state level, it meets all the requirements to be defined as protected health information (PHI). 

The classification as a Schedule I drug, however, means that a physician can recommend it in states it is legal but cannot prescribe it. According to the AMA Journal of Ethics, “Currently, it is illegal for physicians (even in states where medicinal marijuana is legal) to prescribe the drug because it is schedule 1 and prescribing it would constitute aiding and abetting the acquisition of marijuana, which could result in revocation of DEA licensure and even prison time.”

Are cannabis dispensaries covered entities?

The Illinois Department of Financial and Professional Regulation provided the following answer to the question of what a covered entity is, “Any business entity that must by law comply with HIPAA regulations, which include healthcare providers, insurance companies, and clearinghouses. In this context, health care providers include doctors, medical, dental, vision clinics, hospitals, medical cannabis dispensaries, and related health caregivers, including agents who work within medical cannabis dispensaries.” Based on the inclusion of medical dispensaries, it can be assumed that states like Illinois, where medical marijuana is legal, consider dispensaries covered entities. 

To be considered a covered entity a marijuana dispensary would have to be able to submit electronic claims. Since the FDA has not approved the use of whole marijuana as a medical drug (only cannabidiols have been approved), physicians cannot prescribe it and therefore dispensaries cannot make electronic claims. As stated by the Mayo Clinic. “In states where medical marijuana is legal, your healthcare professional can suggest types and doses.” 

All this simply means that a dispensary is not a covered entity. 

FAQs

What is PHI? 

Protected health information includes any health information that can identify an individual and is used, maintained, or disclosed in the course of providing healthcare services.

Do dispensaries need to use HIPAA compliant communication? 

Yes. 

What is the Privacy Rule?

It is a standard that protects medical records and other health information.