By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: How HIPAA Applies to Medical Marijuana Businesses and Patients
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Medical Records > How HIPAA Applies to Medical Marijuana Businesses and Patients
eHealthMedical RecordsUncategorized

How HIPAA Applies to Medical Marijuana Businesses and Patients

Kristel Staci
Kristel Staci
Share
6 Min Read
SHARE

Without a doubt, health information is private and should be kept secure — but what counts as health information?

Contents
  • The Source of Marijuana-related HIPAA Confusion
  • Keeping Medical Marijuana Users Safe

As the U.S. Department of Health and Human Services outlines, protected health information includes any data regarding “an individual’s past, present or future physical or mental health, the provision of health care to the individual or the past, present or future payment for the provision of health care to the individual.” Additionally, HIPAA covers any information that identifies the individual in any way. This helps to ensure that no one but health care providers and predetermined family members can gain access to sensitive information.

HIPAA is quite strict in what it deems necessary of protection and how health care businesses can safely manage their patients’ data. Yet, there remains some confusion with regards to medical marijuana. Can medical marijuana patients be sure their health information is secure in dispensaries and beyond?

The Source of Marijuana-related HIPAA Confusion

To anyone unfamiliar with HIPAA’s rules and regulations, this issue might seem straightforward: Medical marijuana dispensaries handle patients the same way pharmacies do, and since pharmacies are subject to HIPAA, it seems obvious that medical dispensaries would need to enact the same protections for the sake of patients’ privacy.

More Read

Massively Open Online Medicine: Bad Idea or Just Before Its Time?
When Doctors Email: Concerns for Quality, Accuracy in Patient Communication
What Healthcare Marketers Need To Know About Pinterest’s Revised Terms of Service
Is Design Important in Healthcare?
Jewish Home Lifecare Partners with eCaring to Demonstrate Effectiveness of Home Care Management System for Elderly Home Care Patients

Unfortunately, the truth is that though dispensaries and pharmacies ostensibly provide similar services — they provide guidance and treatments to people suffering from serious medical conditions — they aren’t always treated the same under the law. There are three qualifications a business needs to have for HIPAA coverage:

1.       The business needs to be a health care provider

2.       The business needs to have protected health information

3.       The business is storing or transmitting protected health information

In most states, none of these qualifications clearly apply to dispensaries. For example, though medical marijuana patients need to visit a doctor and receive a qualifying diagnosis to gain access to medical marijuana dispensaries in Colorado, that diagnosis and the resulting recommendation aren’t technically “prescriptions” for marijuana, as outlined by the Colorado medical marijuana law. Thus, medical dispensaries aren’t functioning the same way as pharmacies in that they are not filling orders from doctors for specific drugs, and they might not count as health care providers in a state’s legal code.

What’s more, “protected health information” is not synonymous with any health information. For health information to qualify for HIPAA protection, it must fit HIPAA’s definition — which is admittedly broad. Most medical marijuana dispensaries in Colorado and beyond collect some information on their customers, but whether this information is personally identifiable, pertaining to health or health care or transmitted in any way really depends on the individual dispensary. Some dispensaries record the marijuana card of every patient who makes a purchase, as well as their underlying condition for the purposes of tailoring product recommendations. This behavior almost certainly meets the conditions of “protected health information.” However, other dispensaries might only collect an email address or might require customers to pay with cash; in these cases, the dispensary does not interact with protected health information and thus isn’t subject to HIPAA’s rules.

Finally, the bulk of the confusion surrounding HIPAA’s application to medical marijuana dispensaries comes from the persistent problem of marijuana’s place as a Schedule I drug under federal law. HIPAA is a federal act, and it is enforced by the Federal Government — but if the Federal Government believes that selling marijuana is inherently illegal, why should it extend coverage to medical marijuana businesses and their patients? For now, the answer seems to be a big “I don’t know.”

Keeping Medical Marijuana Users Safe

As much as we might want to believe that everyone in the cannabis industry is doing their best to keep their customers safe and their information secure, the truth is that businesses often cut corners and make mistakes. All marijuana users, but especially medical marijuana users who must surrender sensitive information about themselves and their health conditions, deserve a certain level of protection, and the government should be able to provide that protection.

Medical marijuana patients should learn the law in their state and ask questions of their dispensaries if they are unsure how their health information is being handled. Cannabis business owners should take appropriate precautions to secure their systems against attacks that could expose sensitive health data, and state governments should expand regulations to define dispensaries as health care providers akin to pharmacies. Finally, the Federal Government needs to take steps to accept marijuana as not only a non-dangerous substance but as an exceedingly valuable medical treatment. Until that happens, there is no guarantee that HIPAA will apply to medical marijuana.

Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

a woman walking on the hallway
6 Easy Healthcare Ways to Sit Less and Move More Every Day
Health
September 9, 2025
Clinical Expertise
Healthcare at a Crossroads: Why Leadership Matters More Than Ever
Global Healthcare
September 9, 2025
travel nurse in north carolina
Balancing Speed and Scope: Choosing the Nursing Degree That Fits Your Goals
Nursing
September 1, 2025
intimacy
How to Keep Intimacy Comfortable as You Age
Relationship and Lifestyle Senior Care
September 1, 2025

You Might also Like

CMS Announces Meaningful Use Final Rules & Stage 3 Implementation

October 22, 2015
eHealthTechnologyWellness

The Benefits Of Apps That Help You Stay Fit

May 25, 2020
pharmacy app
eHealthMobile HealthTechnology

Getting Personal: My Patient Experience

June 15, 2013
twitter feeds for food activists
Social MediaWellness

118 Twitter Feeds Every Food Activist Needs to Follow

August 17, 2013
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?