HIPAA Medical Marijuana Compliance

HIPAA Medical Marijuana

There is a common misconception that, because medical marijuana is not federally legal while HIPAA is a federal law, HIPAA does not apply to medical marijuana dispensaries. This is untrue: HIPAA does apply to the medical marijuana industry. To clear up these misconceptions, HIPAA and medical marijuana are discussed below.

HIPAA Medical Marijuana: Protected Health Information

Not all dispensaries are required to be HIPAA compliant. So how do you figure out whether or not your dispensary falls under HIPAA’s jurisdiction? Does your dispensary handle protected health information? If so, you need to be HIPAA compliant. But what is protected health information (PHI)?

The Department of Health and Human Services (HHS), the agency that enforces HIPAA, defines PHI as individually identifiable health information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

The HHS further classifies PHI into 18 identifiers:

  1. Patient names
  2. Geographical elements (such as a street address, city, county, or zip code)
  3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Full face photographic images
  18. Other identifying numbers or codes

Depending on the state in which your dispensary operates, you may not be required to store PHI. However, if you operate the way a traditional pharmacy does (filling prescriptions), you likely store patient information and are required to comply with the standards set forth by HIPAA.

Let’s Simplify Compliance

Don’t let HIPAA violations send your revenues “Up In Smoke.” We can help you navigate HIPAA.


HIPAA Medical Marijuana: How to Achieve HIPAA Compliance

So, as a dispensary that handles PHI, how can you achieve HIPAA compliance? Achieving HIPAA compliance comes down to proving your good-faith efforts toward ensuring the confidentiality, integrity, and availability of PHI. This is done by implementing an effective compliance program, documenting your efforts, and reviewing certain aspects of HIPAA compliance annually.

To implement an effective compliance program, you must address the following components.

Self-Audits

HIPAA requires you to implement administrative, physical, and technical safeguards to secure PHI. By conducting self-audits, you identify areas in which your HIPAA safeguards are lacking. For HIPAA medical marijuana compliance, you must conduct six self-audits annually.

Gap Identification and Remediation

Once you have completed your self-audits, you will have identified gaps in your HIPAA safeguards. To ensure your HIPAA compliance, your organization must create remediation plans to close those gaps.

Policies and Procedures

Policies and procedures create a framework for how your medical marijuana dispensary will comply with HIPAA standards. They must address the HIPAA Privacy, Security, and Breach Notification Rules, and they must be customized to apply directly to how your dispensary operates. Your policies and procedures must be reviewed and updated annually to account for any changes within your organization.

Employee Training

Employees who have access to, or the potential to access, the medical records that you store must be trained annually. Annual training should include HIPAA basics, your organization’s policies and procedures, cybersecurity best practices, and the proper use of social media in a healthcare environment. To be HIPAA compliant, employee training must be documented to prove that each employee received the