Is your medical marijuana dispensary required to be HIPAA compliant?

Maybe it is, maybe it isn’t; chances are that you don’t know for sure. There are several important definitions to understand in order to determine whether your medical marijuana dispensary is subject to HIPAA compliance laws. They are given below:

What is a covered entity?
According to HIPAA regulations, a covered entity is a health care provider who transmits or stores any health information in electronic form in connection with a covered transaction. A health care provider is any entity that provides care, services or supplies related to the health of an individual. Medical marijuana is counted among the things provided related to the health of the individual and dispensaries provide that; thus they are recognized as health care providers by HIPAA standards and regulations.

What is Health Information?
Health information was mentioned earlier, and is defined as any information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” Based on this definition most medical marijuana dispensaries have personal health information and are required to be HIPAA compliant. But do you store it or transmit it electronically? If so – then HIPAA security and privacy laws definitely apply to your medical marijuana dispensary.
Does it apply to you?
If you do not electronically transmit health information in connection with covered transaction, specified in HIPAA regulations, medical dispensaries are not subject to HIPAA Security compliance. If you do store and transmit personal information electronically, you are subject to HIPAA. If you are a covered entity as defined by HIPAA  laws, you can’t disclose PHI unless its either authorized by the patient or authorized by HIPAA regulations. The regulations then authorize a limited use of such information in connection with providing treatment and obtainment of payment.
What do you get if you violate?
The Department of Health and Human Services Office of Civil Rights enforces the privacy requirement of HIPAA. It also has the power to impose penalties for violation, and those penalties can range anywhere between 100$ to 50,000$ per violation.
Why consider HIPAA?
Chances are your dispensary is may not currently be required to be HIPAA compliant, but even then you may want to start thinking about gradually bringing into compliance, because:

  • Insurers will start covering medical marijuana, and then you’ll have to engage in HIPAA covered transactions. Better to start preparing now.
  • Your patients care about the privacy of their records. They expect you and dispensary to maintain this privacy about their personal health information.
  • And finally, its in the best interests of the whole cannabis industry. The cannabis industry benefits when businesses demonstrate that they follow regulations and rules set by authorities. HIPAA compliance happens to be one such thing, and complying by HIPAA is a great way to show that the industry complies. As you will be complying yourself, it will ultimately not only benefit you but countless others in the whole cannabis industry.

This simple explanation about HIPAA and whether or not applies to your medical marijuana dispensary in Florida will have had cleared your confusion and have made things much clearer now.