HIPAA Medical Marijuana Compliance
There is a common misconception that, because medical marijuana is not federally legal while HIPAA is a federal law, HIPAA does not apply to medical marijuana dispensaries. This is untrue: HIPAA does in fact apply to the medical marijuana industry. To clear up these misconceptions, HIPAA medical marijuana compliance is discussed below.
HIPAA Medical Marijuana: Protected Health Information
Not all dispensaries are required to be HIPAA compliant. So how do you figure out whether or not your dispensary falls under HIPAA’s jurisdiction? Does your dispensary handle protected health information? If so, you need to be HIPAA compliant. But what is protected health information (PHI)?
The Department of Health and Human Services (HHS), the regulatory body for HIPAA, defines PHI as individually identifiable health information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
The HHS further classifies PHI into 18 identifiers:
- Patient names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
Depending on the state that your dispensary operates in, you may not be required to store PHI. However, if you operate in a way in which a traditional pharmacy does (filling prescriptions), you likely store patient information, and are required to comply with the standards set forth by HIPAA.
HIPAA Medical Marijuana: How to Achieve HIPAA Compliance
So, as a dispensary that handles PHI, how can you achieve HIPAA compliance? Achieving HIPAA compliance comes down to proving your good-faith efforts toward ensuring the confidentiality, integrity, and availability of PHI. This is done by implementing an effective compliance program, documenting your efforts, and reviewing certain aspects of HIPAA compliance annually.
To implement an effective compliance program, you must address the following components.
Self-audits
HIPAA requires you to implement administrative, physical, and technical safeguards to secure PHI. By conducting self-audits, you identify areas in which your HIPAA safeguards are lacking. For HIPAA medical marijuana compliance, you must conduct six self-audits annually.
Gap Identification and Remediation
Once you have completed your self-audits, gaps in your HIPAA safeguards are identified. To ensure your HIPAA compliance, your organization must create remediation plans to close the gaps.
Policies and Procedures
Policies and procedures create a framework for how your medical marijuana dispensary will comply with HIPAA standards. Policies and procedures must address the HIPAA Privacy, Security, and Breach Notification Rules. Your organization’s policies and procedures must be customized to apply directly to how your dispensary operates. Your policies and procedures must be reviewed annually, and updated, to account for any changes within your organization.
Employee Training
Employees who have access to, or the potential to access, the medical records that you store must be trained annually. Annual training should include HIPAA basics, your organization’s policies and procedures, cybersecurity best practices, and the proper use of social media in a healthcare environment. To be HIPAA compliant, employee training must be documented to prove that each employee received the required training in a timely manner. If you make changes to your policies and procedures before an employee is scheduled to receive their annual training, the employee must be retrained as soon as possible.
Business Associate Management
Business associate management is a key component of achieving and maintaining your HIPAA compliance. To ensure that your business associates (entities that receive, transmit, create, store, or maintain PHI on your behalf) are adequately securing PHI, you must send them a vendor questionnaire. The vendor questionnaire must be completed before you share PHI with them. This questionnaire is similar to your self-audits in that it measures your business associate’s safeguards against HIPAA standards.
In addition to the questionnaire, you must have signed business associate agreements (BAAs) with all of your business associates. BAAs must also be signed before you may share PHI with your business associates. A BAA is a legal document that dictates the safeguards your business associate is required to have in place and establishes that they are responsible for maintaining their own HIPAA compliance.
Incident Response
Should you experience a breach, you are required to report it. You should have clear guidelines for reporting an incident, and your employees should be aware of them. This way, should an employee suspect a breach, they can report it to the right entity within a timeframe that is HIPAA compliant. Breaches must be reported to HHS’ Office for Civil Rights (OCR), to affected patients, and, for large breaches, to the media.