HIPAA Medical Marijuana Compliance

HIPAA Medical Marijuana

There is a common misconception that since medical marijuana is not federally legal, and HIPAA is a federal law, that HIPAA does not apply to medical marijuana dispensaries. This, however, is untrue; HIPAA does in fact apply to the medical marijuana industry. To clear up misconceptions, HIPAA medical marijuana is discussed below.

HIPAA Medical Marijuana: Protected Health Information

Not all dispensaries are required to be HIPAA compliant. So how do you figure out whether or not your dispensary falls under HIPAA’s jurisdiction? Does your dispensary handle protected health information? If so, you need to be HIPAA compliant. But what is protected health information (PHI)?

The Department of Health and Human Services (HHS), the regulatory body for HIPAA, defines PHI as individually identifiable health information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

The HHS further classifies PHI into 18 identifiers:

  1. Patient names
  2. Geographical elements (such as a street address, city, county, or zip code)
  3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Full face photographic images
  18. Other identifying numbers or codes

Depending on the state in which your dispensary operates, you may not be required to store PHI. However, if you operate the way a traditional pharmacy does (filling prescriptions), you likely store patient information and are required to comply with the standards set forth by HIPAA.

HIPAA Medical Marijuana: How to Achieve HIPAA Compliance

So as a dispensary that handles PHI, how can you achieve HIPAA compliance? Achieving HIPAA compliance comes down to proving your good faith efforts towards ensuring the confidentiality, integrity, and availability of PHI. This is done by implementing an effective compliance program, documenting your efforts, and reviewing certain aspects of HIPAA compliance annually.

To implement an effective compliance program, you must address the following components.

Self-audits

HIPAA requires you to implement administrative, physical, and technical safeguards to secure PHI. By conducting self-audits, you identify areas in which your HIPAA safeguards are lacking. For HIPAA medical marijuana compliance, you must conduct six self-audits annually.

Gap Identification and Remediation

Once you have completed your self-audits, gaps in your HIPAA safeguards are identified. To ensure your HIPAA compliance, your organization must create remediation plans to close the gaps.

Policies and Procedures

Policies and procedures create a framework for how your medical marijuana dispensary will comply with HIPAA standards. Policies and procedures must address the HIPAA Privacy, Security, and Breach Notification Rules. Your organization’s policies and procedures must be customized to apply directly to how your dispensary operates. Your policies and procedures must be reviewed annually, and updated, to account for any changes within your organization.

Employee Training

Employees who have access to, or the potential to access, the medical records that you store must be trained annually. Annual training should include HIPAA basics, your organization’s policies and procedures, cybersecurity best practices, and the proper use of social media in a healthcare environment. To be HIPAA compliant, employee training must be documented to prove that each employee received the required training in a timely manner. If you make changes to your policies and procedures before an employee is scheduled to receive their annual training, the employee must be retrained as soon as possible.

Business Associate Management

Business associate management is a key component of achieving and maintaining your HIPAA compliance. To ensure that your business associates (entities that receive, transmit, create, store, or maintain PHI on your behalf) are adequately securing PHI, you must send them a vendor questionnaire. The vendor questionnaire must be completed before you share PHI with them. This questionnaire is similar to your self-audits in that it measures your business associate’s safeguards against HIPAA standards.

In addition to the questionnaire, you must have signed business associate agreements (BAAs) with all of your business associates. BAAs must also be signed before you are permitted to share PHI with your business associates. A BAA is a legal document that dictates the safeguards your business associate is required to have in place and mandates that they are responsible for maintaining their own HIPAA compliance.

Incident Response

Should you experience a breach, you are required to report it. You should have clear guidelines for reporting an incident that your employees are aware of. This way, should an employee suspect a breach, they can report it to the right entity within a timeframe that is HIPAA compliant. Breaches must be reported to HHS’ Office for Civil Rights (OCR), affected patients, and, for large breaches, the media.

Modernize Your Compliance

Say goodbye to spreadsheets and hello to automated software!
