Does HIPAA Apply to Medical Cannabis Dispensaries?
Carlos Asked
I had to sign a HIPPA form when requesting my purchase history at a dispensary. Is my info at the dispensary private due to HIPPA?
Summary
Answer
Hi Carlos. This is a really good question and there is some confusion about this. You’re actually talking about HIPAA (not HIPPA) but don’t worry as that’s a very common mistake! HIPAA stands for the Health Insurance Portability and Accountability Act, a Federal law enacted by the Clinton administration that sets privacy and security rules for health information. I’ve spent countless hours learning about HIPAA because we were required to repeat HIPAA trainings every year during pharmacy school.
Who Does HIPAA Apply to?
The important thing to remember is that HIPAA only applies to what’s called “Covered Entities” and their business associates. Under the law a covered entity can be three things…
- A health care plan (a company that pays the cost of medical care).
- A healthcare provider (a company or person that bills for and is paid for healthcare services).
- A healthcare clearing house (a company that processes data received by or sent to covered entities).
Businesses associates are persons or organizations that have access to protected health info or “PHI” through business relationships with covered entities. For example, a health insurance company pays a third party vendor to store data containing PHI on the cloud. Because the vendor has access to PHI and receives payments from a covered entity they are considered a business associate and HIPAA rules apply. Now before we answer your question let’s learn a little bit more about the HIPAA Privacy and Security rules.
What is the HIPAA Privacy Rule
The HIPAA security rule establishes standards for how to protect your PHI and has special requirements for health information transmitted and stored electronically. HIPAA security rules also require that covered entities enact technical, physical, and administrative safeguards to protect the security of your PHI. So the HIPAA Security rule deals mainly with how your data must be protected.
Does HIPAA Apply to Medical Cannabis Dispensaries?
So back to your question. Cannabis dispensaries clearly are not health plans, healthcare providers, or data clearing houses, but are they business associates with any covered entities? Well medical cannabis dispensaries are sometimes viewed similarly to pharmacies. But pharmacies are subject to HIPAA laws because they receive payments from healthcare plans which are covered entities, so they are business associates. Transactions at pharmacies are also typically covered by insurance, so any PHI transmitted with respect to these transactions is protected by HIPAA.
In NY, medical cannabis is not yet covered by insurance, so dispensaries are not business associates of any health plans and purchases are not covered transactions. Dispensaries may receive PHI from healthcare providers, but they are legally forbidden to engage in business with healthcare providers that recommend medical cannabis for risk of quid pro quo. Therefore, dispensaries are not business associates of any covered entities and HIPAA rules don’t apply to them.
Dispensaries once again fall into a legal grey area. Until there’s a resolution at the Federal level there will likely be no enforcement of HIPAA in the cannabis space for quite sometime. However, this doesn’t mean cannabis companies aren’t turning to HIPAA for guidance when protecting patient info. It’s a common occurrence for dispensaries to act as if HIPAA does apply even though the laws would likely never come into play. That’s likely why you had to fill out that form to get your purchase history.
Thanks for your question and please feel free to reach back out anytime!