Do medical marijuana companies need to comply with HIPAA?

As the U.S. government considers reclassifying cannabis from a Schedule I to a Schedule III substance, the conversation around patient privacy and data protection in the cannabis industry is more relevant than ever.

Understanding HIPAA’s requirements and their relevance to medical marijuana

HIPAA was established in 1996 to protect patient health information and prevent unauthorized sharing of sensitive data. The law applies to what it calls covered entities, which include healthcare providers, health plans, and healthcare clearinghouses that manage electronic health information. For medical marijuana dispensaries, the question is whether they meet HIPAA’s definition of a covered entity.

To qualify as a covered entity under HIPAA, two main factors are considered:

• Definition of a healthcare provider: According to HIPAA, healthcare providers offer medical care, services, or supplies related to health. Many dispensaries provide marijuana for medicinal use, which could potentially fit this definition.
• Electronic claims submission: Covered entities also typically engage in electronic transactions for claims submissions. Most dispensaries, however, don’t submit electronic claims to third-party payers because cannabis is not federally recognized as a medical treatment.

Given these factors, while dispensaries may offer health-related products, they generally don’t qualify as covered entities under HIPAA, meaning they’re not required to follow its strict data protection rules.

Read more: What is a covered entity? 

What could change with cannabis rescheduling?

The possible reclassification of cannabis to Schedule III would mark a shift in federal recognition of its medicinal benefits, which could lead to broader acceptance within the medical field. However, this change wouldn’t necessarily impose HIPAA compliance on dispensaries. Without electronic claims submission, dispensaries would still operate outside HIPAA’s jurisdiction.

How state privacy laws impact dispensaries

Even if federal laws don’t mandate HIPAA compliance, state laws often come into play. Many states have enacted privacy laws that regulate how personal data can be collected and used, especially by companies dealing with sensitive information. These laws may require cannabis businesses to adopt strict policies around:

• Collecting only the necessary data.
• Establishing guidelines on how long data is retained.
• Ensuring that third-party vendors follow data protection standards.

Medical marijuana companies frequently collect personal information, including names, government IDs, payment details, and sometimes health histories. This data makes them prime targets for cybercriminals, reinforcing the need for strong privacy practices even without HIPAA compliance.

Read also: The HIPAA Privacy Rule's preemption of state law 

The cybersecurity risks for medical marijuana businesses

The sensitive nature of data handled by cannabis companies puts them in a position similar to healthcare organizations, which are frequent targets of cyberattacks. Many cannabis companies store data in the cloud, where data breaches are increasingly common. The high stakes of securing this information make cybersecurity a top priority, even without federal regulations like HIPAA. To minimize risks, companies should focus on:

• Conducting security audits to find potential vulnerabilities.
• Training employees on best practices for data security.
• Vetting third-party vendors to ensure they follow stringent security protocols.

Related: Why healthcare is a major target for cyberattacks 

Managing third-party vendor risks

Cannabis companies often rely on vendors for various services, from point-of-sale systems to inventory management. While these partnerships can boost efficiency, they also introduce additional data security risks. To protect sensitive information, cannabis companies should thoroughly vet their vendors’ data security practices, create clear agreements outlining data protection responsibilities, and routinely check vendor compliance with privacy regulations.

Preparing for the future of compliance in the cannabis industry

The regulations for medical marijuana are constantly changing, and companies in this sector need to stay adaptable to new compliance demands. To tackle future challenges, companies can benefit from:

• Staying up to date with legislative changes at the federal and state levels.
• Developing compliance programs to address privacy and data security proactively.
• Consulting with legal professionals who specialize in cannabis and data privacy law.

In the news

According to The Hill, while presidential candidates' cannabis stances capture attention, real legislative power over cannabis laws resides with Congress, not the Oval Office. Presidents may back rescheduling or legalization, but lasting protections for medical cannabis patients rely on Congressional action. Amendments like Rohrabacher-Farr have shielded patients from federal interference, yet many still face issues in housing, employment, and healthcare.

FAQs

How can medical marijuana companies protect patient data if HIPAA doesn’t apply?

Medical marijuana companies can adopt best practices from HIPAA, such as encrypting data, controlling access, and using secure communication channels, to protect sensitive information even if HIPAA doesn’t directly apply.

Do employees at medical marijuana dispensaries need specific training for data privacy?

Yes, while HIPAA may not apply, employee training on data privacy is beneficial to ensure that sensitive information is handled securely. Many states require businesses handling personal information to provide training on privacy and security protocols.

Are there penalties for medical marijuana companies if they don’t follow data protection laws?

Yes, state and federal laws may impose penalties for mishandling personal information, even if HIPAA doesn’t apply. Penalties can vary widely depending on the state and the nature of the data breach.

How should a medical marijuana company respond to a data breach?

In the event of a data breach, a company should follow state-specific breach notification laws, which may include notifying affected individuals and, in some cases, regulatory bodies.

Learn more: HIPAA Compliant Email: The Definitive Guide