HIPAA and Medical Patients
HIPAA and Medical Cannabis Patients
Not all dispensaries are required to be HIPAA compliant in the United States. So how do you figure out whether or not your dispensary falls under HIPAA’s jurisdiction? With the use of medical cannabis growing, whether dispensaries and other businesses in the cannabis industry are required to meet HIPAA compliance requirements has remained a consistent question.
The Health Insurance Portability and Accountability Act (HIPAA) was passed to set standards and requirements for the privacy and security of patients’ Protected Health Information (PHI). PHI is any health data that is created, shared, received, or stored by a covered cannabis dispensary that’s HIPAA regulated.
Because medical cannabis dispensaries require a medical doctor’s recommendation in order for patients to receive cannabis, they would be classified as a HIPAA-Covered Entity (CE). This places them under the “HIPAA umbrella”, requiring them to fully comply with its rules on how patients’ important health data is encrypted and protected. Depending on where your dispensary operates, you may not be required to store PHI.
You’ll learn how a cannabis dispensary is a CE that provides treatment, payment, or direct operations in healthcare for the patients it serves. The requirements on CEs also apply to any 3rd parties, which are vendors that perform a service for the covered entity that requires them to store, access, or transmit PHI. Under these privacy laws, these 3rd-party business associates must comply with all of HIPAA’s requirements.