With medical marijuana legal in a growing number of states, many businesses in the cannabis industry, particularly dispensaries, continue to wrestle with the question of whether they are subject to the Health Insurance and Portability and Accountability Act’s (HIPAA) Privacy and Security Rule requirements.
The bad news is that the answer is: It depends.
The good news is that you can easily learn more about where your business stands.
The confusion whether medical cannabis businesses are covered under HIPAA appears to stem from two sources.
First, most people assume that the mere mention of someone’s medical condition or health information is protected, regardless of who is disclosing it. That is simply not the case. Not all medical information is protected under HIPAA; only specific “protected health information” (PHI) is protected. The definition of PHI, however, is not so clear, and there is a lot to unpack in defining the term.
The second part of the confusion comes from a common misunderstanding that because HIPAA is a federal law and cannabis is still classified federally as a Schedule-I controlled substance that federal law does not apply. To put that misunderstanding to rest, one need go no further than the fact that the Internal Revenue Service taxes medical and recreational cannabis sales, so cannabis being a Schedule-I controlled substance has no bearing on the applicability of federal law, including HIPAA.
Is Your Business Covered by HIPAA?
While the legalization of marijuana is fairly new, HIPAA has been around since 1996, and its same standard rules and conditions apply to the expanding legalization of medical marijuana.
The analysis of whether a medical cannabis business is subject to HIPAA comes down to three central questions:
(1) Is the business a “healthcare provider”?
(2) Does the business have “PHI”?
(3) Is the business storing or transmitting PHI with respect to a “covered transaction”?
Step 1: Is the Business a Covered Healthcare Provider?
The U.S. Department of Health and Human Services