eHealthMedical RecordsUncategorized

How HIPAA Applies to Medical Marijuana Businesses and Patients

Kristel Staci
Kristel Staci
6 Min Read

Without a doubt, health information is private and should be kept secure — but what counts as health information?

Contents

As the U.S. Department of Health and Human Services outlines, protected health information includes any data regarding “an individual’s past, present or future physical or mental health, the provision of health care to the individual or the past, present or future payment for the provision of health care to the individual.” Additionally, HIPAA covers any information that identifies the individual in any way. This helps to ensure that no one but health care providers and predetermined family members can gain access to sensitive information.

HIPAA is quite strict in what it deems necessary of protection and how health care businesses can safely manage their patients’ data. Yet, there remains some confusion with regards to medical marijuana. Can medical marijuana patients be sure their health information is secure in dispensaries and beyond?

The Source of Marijuana-related HIPAA Confusion

To anyone unfamiliar with HIPAA’s rules and regulations, this issue might seem straightforward: Medical marijuana dispensaries handle patients the same way pharmacies do, and since pharmacies are subject to HIPAA, it seems obvious that medical dispensaries would need to enact the same protections for the sake of patients’ privacy.

More Read

Health Persona
How Life Sciences Are Finally Understanding Patients
A Critical Use of Social Media in Medicine is for Learning
Mobile Health Around the Globe: SMART Health India Uses mHealth to Fight Chronic Disease
Top 11 Trends for 2012 in Healthcare Data
A Message To Our Bloggers

Unfortunately, the truth is that though dispensaries and pharmacies ostensibly provide similar services — they provide guidance and treatments to people suffering from serious medical conditions — they aren’t always treated the same under the law. There are three qualifications a business needs to have for HIPAA coverage:

1.       The business needs to be a health care provider

2.       The business needs to have protected health information

3.       The business is storing or transmitting protected health information

In most states, none of these qualifications clearly apply to dispensaries. For example, though medical marijuana patients need to visit a doctor and receive a qualifying diagnosis to gain access to medical marijuana dispensaries in Colorado, that diagnosis and the resulting recommendation aren’t technically “prescriptions” for marijuana, as outlined by the Colorado medical marijuana law. Thus, medical dispensaries aren’t functioning the same way as pharmacies in that they are not filling orders from doctors for specific drugs, and they might not count as health care providers in a state’s legal code.

What’s more, “protected health information” is not synonymous with any health information. For health information to qualify for HIPAA protection, it must fit HIPAA’s definition — which is admittedly broad. Most medical marijuana dispensaries in Colorado and beyond collect some information on their customers, but whether this information is personally identifiable, pertaining to health or health care or transmitted in any way really depends on the individual dispensary. Some dispensaries record the marijuana card of every patient who makes a purchase, as well as their underlying condition for the purposes of tailoring product recommendations. This behavior almost certainly meets the conditions of “protected health information.” However, other dispensaries might only collect an email address or might require customers to pay with cash; in these cases, the dispensary does not interact with protected health information and thus isn’t subject to HIPAA’s rules.

Finally, the bulk of the confusion surrounding HIPAA’s application to medical marijuana dispensaries comes from the persistent problem of marijuana’s place as a Schedule I drug under federal law. HIPAA is a federal act, and it is enforced by the Federal Government — but if the Federal Government believes that selling marijuana is inherently illegal, why should it extend coverage to medical marijuana businesses and their patients? For now, the answer seems to be a big “I don’t know.”

Keeping Medical Marijuana Users Safe

As much as we might want to believe that everyone in the cannabis industry is doing their best to keep their customers safe and their information secure, the truth is that businesses often cut corners and make mistakes. All marijuana users, but especially medical marijuana users who must surrender sensitive information about themselves and their health conditions, deserve a certain level of protection, and the government should be able to provide that protection.

Medical marijuana patients should learn the law in their state and ask questions of their dispensaries if they are unsure how their health information is being handled. Cannabis business owners should take appropriate precautions to secure their systems against attacks that could expose sensitive health data, and state governments should expand regulations to define dispensaries as health care providers akin to pharmacies. Finally, the Federal Government needs to take steps to accept marijuana as not only a non-dangerous substance but as an exceedingly valuable medical treatment. Until that happens, there is no guarantee that HIPAA will apply to medical marijuana.

Share This Article

Stay Connected

Latest News

CRM Software for healthcare
A Beginner’s Guide to Medical CRM Software for Clinics, Medspas, and Telehealth
Global Healthcare Technology
The Evolving Role of Nurse Educators in Strengthening Clinical Workforce Readiness
Career Nursing
back health
The Quiet Strain: How Digital Habits Are Reshaping Back Health
Infographics
in-home care service
How to Choose the Best In-Home Care Service for Seniors with Limited Mobility
Senior Care Wellness

You Might also Like