Clients have often asked whether HIPAA applies to the cannabis industry. As with anything else in healthcare, the answer can be complex. HIPAA was enacted in 1996 to help protect a patient’s healthcare information. While HIPAA is expansive, to the extent state law is more restrictive or protective, then state law will control in those instances. 45 CFR § 160.201 et seq. But the first question is whether HIPAA applies to the cannabis industry.
Are Cannabis Dispensaries Covered Entities?
For information to be protected under HIPAA, there are several aspects to analyze. Boiled down to its basics, HIPAA will apply when a “Covered Entity” has “Protected Health Information”. As with any other statutory regime, the first place to start the analysis is with the definitions. A “covered entity” includes a health plan (e.g., a third-party payor), a health care clearinghouse (e.g., a third-party system that interprets claims data between healthcare provider systems and third-party payers), and a health care provider. 45 CFR § 160.103. So, is a dispensary a “health care provider”? For adult use or recreational dispensaries, the answer is no. However, for medical marijuana dispensaries, a deeper dive into the HIPAA regulations is essential.
A health care provider is defined to include (1) a provider of services, as defined in the Social Security Act, (2) a provider of medical or health care services, again, as defined in the Social Security Act, and (3) any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Id. Under this definition, clearly a hospital, physician, healthcare clinic and many other types of healthcare providers are covered entities.
But a dispensary is not one of the entities specifically enumerated under the statute. Does this mean a medical marijuana dispensary is not a health care provider? No. To help illuminate the definition of a health care provider, it is also important to understand the definition of “health care”. As the HIPAA regulations state, “health care means care, services, or supplies related to the health of an individual.” Id. The regulations then provide specific examples (that are not intended to be all-inclusive) of health care. Overall, health care includes:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. Id.
Under either of the foregoing sections, an argument can be made that medical marijuana dispensaries are health care providers. Depending upon which state you live in, medical marijuana may be “prescribed” for “therapeutic” or “palliative” care. See, e.g., A.R.S. 36-2801(11) (In Arizona, “‘Medical use’ means the acquisition, possession, cultivation, manufacture, use, administration, delivery, transfer or transportation of marijuana or paraphernalia relating to the administration of marijuana to treat or alleviate a registered qualifying patient’s debilitating medical condition or symptoms associated with the patient’s debilitating medical condition.”). Moreover, when a “prescription” is required to obtain medical marijuana, then certainly the second part of the above definition would apply (e.g., the “sale or dispensing of a[n]” “item in accordance with a prescription.”).
A cogent argument can be made that a medical marijuana dispensary is a covered entity under HIPAA. The ultimate determination is made on a case-by-case basis and state laws play an integral role in assessing these issues.
Protected Health Information
The second part of the analysis is whether a medical marijuana dispensary possesses “protected health information”. As with the above analysis, definitions are the starting point.
HIPAA defines “protected health information” to mean individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium. Id. Thus, before analyzing the applicability of protected health information in the cannabis context, the definition of “individually identifiable health information” is essential. Individually identifiable health information includes –
Demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Id.
Certainly, a medical marijuana dispensary could very well maintain protected health information. For example, if the dispensary maintains information that includes the patient’s name, social security number and/or any other identifying information, as well as the patient’s diagnosis and purchase information, then it is not a stretch to see how HIPAA would apply.
What Does a Dispensary Need to Do if it is a Covered Entity?
While the foregoing is primarily an academic exercise, instituting HIPAA-compliant protections is much more practical. The Office of Civil Rights (“OCR”), which is housed in the U.S. Department of Health and Human Services, is the regulatory authority under HIPAA. The OCR has the power to assess monetary penalties for HIPAA breaches, which can be quite significant. Moreover, a breach under HIPAA can lead to lawsuits by the affected patients under various legal theories, including invasion of privacy and other tort claims.
To avoid HIPAA breaches, some of the basic actions include implementing comprehensive policies and procedures and educating the dispensary’s staff on a regular basis. Moreover, a dispensary owner would be wise to procure cyber-liability insurance in the event of a HIPAA breach. In future posts, we will detail more of the requirements under HIPAA.
HIPAA is a complex statute. As noted above, there is also an interplay with state law which makes the analysis even more complex. A medical marijuana dispensary owner would be wise to seek counsel on whether HIPAA applies, and if so, how to come into compliance with HIPAA (and possibly state privacy laws as well).