With the increasing evidence of the efficacy of medical cannabis, as well as more states moving towards regulating the medical cannabis industry, medical cannabis collectives are facing an ever-increasing scheme of regulatory oversight and compliance measures. One important aspect of government regulation often overlooked by collectives involves the handling, use and storage of a patient’s confidential information. The Health Insurance Portability and Accountability Act (HIPAA) has a laundry list of rules, procedures and penalties regarding the management of a patient’s information. If a collective falls under HIPAA’s jurisdiction, then it needs to act quickly to avoid possible fines. But before jumping in lockstep to HIPAA regulation, it must first be determined whether HIPAA applies to medical cannabis collectives.
HIPAA is federal legislation that provides data privacy and security provisions for safeguarding medical information. Since HIPAA was enacted in 1996, the U.S. Department of Health and Human Services (HHS) has issued regulations, known as the “Privacy Rule,” describing in detail what a “covered entity” must do to protect a patient’s personal health information. According to the HHS website, the Privacy Rule “assures that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a “covered entity” or its business associate, in any form. This information is referred to as “Patient’s Health Information,” or PHI. PHI includes patients’ medical record numbers, contact information and other identifying information. Most collectives have membership intake forms that require patients to provide PHI. Additionally, collectives rely heavily on patient verification systems, which contain PHI such as patient contact information and other information used for verification, such as driver’s license numbers.
The next step in our analysis is to see if collectives are considered “covered entities” pursuant to HIPAA. HIPAA defines a covered entity as “a health care provider who transmits any health information in electronic form in connection with a covered transaction.” Under HIPAA, a health care provider is defined as “any person or organization who furnishes, bills, or is paid for health care in the normal course of business.” Since collectives furnish, or are paid to provide, medical cannabis in order to treat illnesses, it can certainly be argued that they meet the definition of “health care providers” as defined in HIPAA. However, because the medical cannabis industry is still evolving, it is not abundantly clear if a collective would in fact be considered a health care provider under HIPAA, especially since medical cannabis is merely “recommended” and not “prescribed” by physicians.
The last question we must ask in analyzing whether a collective is a HIPAA-covered entity is whether the collective is electronically transmitting health information in connection with “covered transactions.” A “covered transaction” includes: requests to obtain payment from a health insurance plan and the exchange of information in connection with such a request; inquiries to a health insurance plan to determine whether an individual is eligible for coverage under that plan and to determine benefits associated with that plan, as well as the health plan’s response to such inquiries; requests to obtain authorization to refer a person to another health care provider; and the electronic transmission of payment for health care services from a health insurance plan to a health care provider or the provider’s financial institution, as well as the transmission of information concerning that payment. At present, insurance companies don’t cover medical cannabis treatment, and therefore there is no covered transaction occurring to confirm a patient’s coverage. This final analysis allows us to come to the conclusion that a collective is likely not a HIPAA-covered entity.
Last and perhaps most importantly, patients want to know that collectives take their privacy seriously. Collectives should do their best to protect their patients’ information in accordance with the HIPAA regulation by setting up protocols and policies, such as websites with Secure Sockets Layer (SSL) certificates and hosting data in a HIPAA-compliant data center. Having the data on-site or in a typical server location is a serious violation of HIPAA. Ultimately, implementing HIPAA compliance today is yet another way we can show the world that we take medical cannabis seriously.