Without a doubt, health information is private and should be kept secure — but what counts as health information?
As the U.S. Department of Health and Human Services outlines, protected health information includes any data regarding “an individual’s past, present or future physical or mental health, the provision of health care to the individual or the past, present or future payment for the provision of health care to the individual.” Additionally, HIPAA covers any information that identifies the individual in any way. This helps to ensure that no one but health care providers and predetermined family members can gain access to sensitive information.
HIPAA is quite strict in what it deems necessary of protection and how health care businesses can safely manage their patients’ data. Yet, there remains some confusion with regards to medical marijuana. Can medical marijuana patients be sure their health information is secure in dispensaries and beyond?
The Source of Marijuana-related HIPAA Confusion
To anyone unfamiliar with HIPAA’s rules and regulations, this issue might seem straightforward: Medical marijuana dispensaries handle patients the same way pharmacies do, and since pharmacies are subject to HIPAA, it seems obvious that medical dispensaries would need to enact the same protections for the sake of patients’ privacy.
Unfortunately, the truth is that though dispensaries and pharmacies ostensibly provide similar services — they provide guidance and treatments to people suffering from serious medical conditions — they aren’t always treated the same under the law. There are three qualifications a business needs to have for HIPAA coverage:
1. The business needs to be a health care provider
2. The business needs to have protected health information
3. The business is storing or transmitting protected health information
In most states, none of these qualifications clearly apply to dispensaries. For example, though medical marijuana patients need to visit a doctor and receive a qualifying diagnosis to gain access to medical marijuana dispensaries in Colorado, that diagnosis and the resulting recommendation aren’t technically “prescriptions” for marijuana, as outlined by the Colorado medical marijuana law. Thus, medical dispensaries aren’t functioning the same way as pharmacies in that they are not filling orders from doctors for specific drugs, and they might not count as health care providers in a state’s legal code.
What’s more, “protected health information” is not synonymous with any health information. For health information to qualify for HIPAA protection, it must fit HIPAA’s definition — which is admittedly broad. Most medical marijuana dispensaries in Colorado and beyond collect some information on their customers, but whether this information is personally identifiable, pertaining to health or health care or transmitted in any way really depends on the individual dispensary. Some dispensaries record the marijuana card of every patient who makes a purchase, as well as their underlying condition for the purposes of tailoring product recommendations. This behavior almost certainly meets the conditions of “protected health information.” However, other dispensaries might only collect an email address or might require customers to pay with cash; in these cases, the dispensary does not interact with protected health information and thus isn’t subject to HIPAA’s rules.
Finally, the bulk of the confusion surrounding HIPAA’s application to medical marijuana dispensaries comes from the persistent problem of marijuana’s place as a Schedule I drug under federal law. HIPAA is a federal act, and it is enforced by the Federal Government — but if the Federal Government believes that selling marijuana is inherently illegal, why should it extend coverage to medical marijuana businesses and their patients? For now, the answer seems to be a big “I don’t know.”
Keeping Medical Marijuana Users Safe
As much as we might want to believe that everyone in the cannabis industry is doing their best to keep their customers safe and their information secure, the truth is that businesses often cut corners and make mistakes. All marijuana users, but especially medical marijuana users who must surrender sensitive information about themselves and their health conditions, deserve a certain level of protection, and the government should be able to provide that protection.
Medical marijuana patients should learn the law in their state and ask questions of their dispensaries if they are unsure how their health information is being handled. Cannabis business owners should take appropriate precautions to secure their systems against attacks that could expose sensitive health data, and state governments should expand regulations to define dispensaries as health care providers akin to pharmacies. Finally, the Federal Government needs to take steps to accept marijuana as not only a non-dangerous substance but as an exceedingly valuable medical treatment. Until that happens, there is no guarantee that HIPAA will apply to medical marijuana.
