The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that forbids disclosure of protected health information (PHI), and requires entities to take specific steps to ensure security of PHI. Since HIPAA was enacted, the U.S. Department of Health and Human Services has issued regulations describing in detail what a “covered entity” must do to protect PHI.
There are several important definitions to understand in order to determine whether your dispensary is subject to HIPAA.
HIPAA regulations define a covered entity to include a “health care provider who transmits any health information in electronic form in connection with a [covered] transaction.”
A “health care provider” is any person or organization that furnishes or is paid for “care, services, or supplies related to the health of an individual.” Since dispensaries provide medical marijuana in order to treat illnesses, they are almost certainly “health care providers” as that term is defined according to HIPAA.
As health care providers, dispensaries may be subject to HIPAA if they transmit any health information in electronic form in connection with a covered transaction. HIPAA regulations define “health information” as any information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” Based on that definition, most dispensaries have HIPAA health information. In fact, depending on the medical marijuana regulations in each state, dispensaries may be required to maintain health information data and provide that information to state regulators.
Even if they meet the previous definitions, medical marijuana dispensaries are typically not subject to HIPAA unless they electronically transmit health information in connection with “covered transactions” specified in the HIPAA regulations.
Under those regulations, “covered transactions” include: requests to obtain payment from a health insurance plan and the exchange of information in connection with such a request; inquiries to a health insurance plan to determine whether an individual is eligible for coverage under that plan and to determine benefits associated with that plan, as well as the health plan’s response to such inquiries; requests to obtain authorization to refer a person to another health care provider; and the electronic transmission of payment for health care services from a health insurance plan to a health care provider or the provider’s financial institution, as well as the transmission of information concerning that payment.
At this time, most insurers do not cover medical marijuana, so dispensaries are not likely to be electronically transmitting health information in connection with transactions that would subject them to HIPAA. However, if a dispensary does send or receive information electronically in connection with receiving payment from a health insurer, or to determine the eligibility of a patient for health insurance, it is likely to be covered by HIPAA.
Dispensaries covered by HIPAA may not disclose PHI unless that disclosure is either authorized by the patient or authorized by HIPAA regulations. The regulations authorize limited use of such information in connection with providing treatment and obtaining payment for services. In addition, HIPAA Security Standards require businesses covered by HIPAA to develop and implement stringent safeguards for PHI.
HIPAA’s privacy requirements are enforced by the Department of Health and Human Services Office of Civil Rights, which has the power to impose penalties for violations of HIPAA’s privacy protections. Those penalties can range from $100 to $50,000 per violation.
Even if your dispensary is not currently covered by HIPAA, you may want to consider gradually bringing it into compliance for several reasons. First, as the industry matures and insurers begin covering medical marijuana, you’ll have to engage in HIPAA-covered transactions with your patients’ insurers, so it makes sense to prepare for that now. Second, your patients care about the privacy of their records and expect your dispensary to maintain the privacy of those records. Finally, the cannabis industry benefits when businesses demonstrate that they “play by the rules,” and complying with HIPAA is one way to do that.
Hanan B. Kolko, a member of Meyer, Suozzi, English & Klein, P.C., is co-chair of the firm’s Cannabis Practice Group. He is also a member of the National Cannabis Bar Association and its Amicus Committee, and has presented continuing legal education programs on cannabis-related topics, including the ethics of representing cannabis clients, employment issues in the cannabis industry, cannabis businesses and access to bankruptcy courts, and how the interplay between federal and state laws impacts the cannabis industry.