Within the medical marijuana community, there seems to be more misconceptions about the Health Insurance Portability and Accountability Act (“HIPAA”) than any other healthcare or marijuana law. I was recently talking to a representative from a major medical marijuana industry technology supplier whose software tracks sales and patient information for dispensaries. I asked him whether his company was HIPAA compliant. His response was simply that HIPAA doesn’t apply because medical marijuana is federally illegal and therefore federal laws don’t apply. Needless to say, this is not accurate. It’s like saying that medical marijuana companies don’t have to pay federal taxes because it is federally illegal. And what it demonstrates is a significant lack of knowledge among many in the industry have when it comes to HIPAA.
To be fair, the question of whether medical marijuana dispensaries are subject to HIPAA and therefore liable for breaching it is not exactly clear cut. The representative’s rationale was clearly wrong, medical marijuana being federally illegal does not exempt medical marijuana companies from HIPAA. However, his conclusion that HIPAA does not apply may hold true for certain dispensaries.
Does HIPAA Apply to My Dispensary?
While HIPAA law can be confusing at times, it does not always have to be. The best way to answer the question of whether HIPAA applies to a given situation is to in turn answer two questions:
Is the information “protected health information”, or “PHI”?
Is the entity storing or transmitting the information a “covered entity”?
By answering these two questions, we can determine whether and when HIPAA applies to medical marijuana dispensaries in the United States.
To answer the first question, we must look to the definition of “PHI” in the HIPAA regulations, specifically Section 1171 of Part C of Subtitle F of Public Law 104-191. PHI is health information that is personally identifiable. Health information is “any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
For health information to be considered to be personally identifiable, and therefore “PHI” under HIPAA, then it must be (1) personally identifiable or could be used to identify the person, (2) created by a covered entity, and (3) “relate to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
With this definition is mind, what information collected or stored by a dispensary would be considered protected health information, or PHI? Similar to prescriptions at a pharmacy, patients ordering and purchase information would likely meet this definition of PHI. Such purchase or ordering information may have your name or contact information, making it personally identifiable. It would also have your treatment information—i.e. the amount of medical marijuana you purchased. Not all dispensaries are required to or do store this information, but for those who do, they should know that this information is almost certainly PHI. In addition, many dispensaries that are more serious about tailoring treatment to patient’s conditions will maintain patient information that would also meet the definition of PHI under HIPAA.
Accordingly, whether a dispensary is storing or maintaining PHI is a heavily fact dependent inquiry. While some dispensaries operate on a cash basis and do not retain individual records, and therefore do not maintain any PHI, other dispensaries do maintain PHI, and some are even required to do so by their respective states, such as Arizona.
That brings us to the second step of our analysis: assuming a dispensary stores PHI, is a medical marijuana dispensary considered to be a covered entity? Here, there are no easy answers, and much will be left for later interpretation, meaning HHS could defensibly take either side of this issue. Putting this ambiguity aside, let’s look to what constitutes a “covered entity” under HIPAA. There are three types of covered entities, but for our purposes, the relevant category is—a healthcare “provider” who transmits electronic health information with respect to a covered transaction.
Unpacking this definition, a healthcare “provider” is simply an entity that provides “care, services, or supplies related to the health of an individual.” HHS appears takes the position that a medical marijuana dispensary may be a healthcare provider because a medical “prescription” is necessary to obtain “treatment”. While some states’ laws are crafted to avoid using the word “prescription” to describe the process for a patient to obtain medical marijuana, HHS is able to look beyond the words used by the statute and how things work in practice. Simply avoiding the use of the word prescription is not enough to avoid this classification by HHS.
HIPAA however only applies to a provider who transmits electronic health information with respect to a covered transaction, which is essentially a transaction related to healthcare treatment or payment (this is a bit of a simplification). Here, we cannot group all dispensaries together into this analysis as much will depend on the actual operations of the dispensary. Some cash-only dispensaries without state reporting requirements that will not under any circumstance electronically transmit data and therefore not need to worry about HIPAA. Other dispensaries may be required by state law to transmit this health information, meaning they must comply with HIPAA, or they may unknowingly employ point of sale software that transmits and stores protected health information in the cloud, completely unaware that this could make them subject to HIPAA. Still others may store this information on a computer hard drive or CD, also unaware that physically moving the hard drive or CD out of the facility would constitute “electronic transmission” under the HIPAA rules.
While the applicability of HIPAA to medical marijuana dispensaries is not 100% certain, what is clear for dispensaries is that this issue needs to be on their radar. While many other articles on this topic have expressed skepticism as to the application of HIPAA to medical marijuana dispensaries, I am not so skeptical. HHS has a habit of reading or interpreting laws to give themselves broad powers, as opposed to interpretations limiting the scope of their enforcement. To think that HHS will take a constrained view of their authority because the analysis of whether HIPAA is applicable to not 100% clear-cut is, in my opinion, a bit naïve.
HIPAA Applies to My Dispensary, What Do I Need to Do?
So, what can a dispensary do to make sure that it is protected from penalties, which can reach up to $50,000.00 per HIPAA violation? First, a dispensary owner should be mindful of whether they are collecting protected health information and how that information is stored. A dispensary owner could store the data onsite, and therefore avoid “transmitting” it. If the dispensary already must transmit patient information due to state law requirements, then the dispensary should employ HIPAA compliant hosting to protect itself against a breach.
Second, a dispensary owner should familiarize themselves with the HIPAA Security and Privacy Rules or should employ a healthcare attorney knowledgeable on HIPAA issues with experience in the Medical Marijuana Industry.
Finally, dispensary owners should take reasonable steps to secure any patient information they possess, even if they believe that HIPAA does not apply to them. Employing common-sense data protection strategies could dramatically decrease your changes of having a data breach. Even if HIPAA wouldn’t be applicable, a data breach could lead to action by the FTC or applicable state regulatory agency. In a world where electronic data seems to be becoming less and less secure, and HIPAA penalties are bigger and bigger, it’s better to be safe than sorry.
Mr. Roberts is the founder and managing member of Scott F. Roberts Law, PLC, a Detroit-based business law firm that works extensively in the Michigan Marijuana industry. Mr. Roberts is a member of the Business Law and Marijuana Law sections of the Michigan Bar. His firm helps businesses comply with municipal, local and state regulations, and assists with formations and contract matters.