Protecting your Privacy: HIPAA and Medical Cannabis

by Sheldon Sommer

February 21, 2025 02:15 pm ET Estimated Read Time: 7 Minutes
Fact checked by Kymberly Drapcho

Because cannabis is a Schedule I illegal substance according to the US Controlled Substances Act (CSA), some people hold the mistaken belief that medical cannabis services are completely excluded from protection under HIPAA privacy laws. While HIPAA doesn’t explicitly mention medical cannabis, the general principles and protections granted by HIPAA apply to all types of personal health information.

Below, read our full guide to medical marijuana patient privacy rights and HIPAA compliance.

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal regulations that are meant to protect the privacy and security of patients’ personal health information. Signed into law in 1996 by the US Department of Health and Human Services (HHS), HIPAA applies to all healthcare providers, from hospitals to mental healthcare practices. Overall, the aim of the regulation is to ensure that patient information is secure and accessible only by authorized personnel.

HIPAA is meant to:

  • Legally protect all confidential health data given by a patient.
  • Provide patients the right to transfer or continue healthcare coverage without risking employment status.
  • Uphold industry standards for electronic healthcare data management for billing and other purposes.
  • Reduce instances of healthcare fraud.

Under HIPAA, unauthorized persons are prevented from accessing your personal medical information without your consent. This prevents potential harms of privacy breaches, which include medical or financial identity theft, embarrassment, employment bias, and discrimination, as well as other problems for the patient’s finances or reputation.

Does HIPAA Apply To Medical Marijuana Patients?

Yes, medical marijuana patient privacy is protected under HIPAA. Medical marijuana healthcare providers, administrators, and other relevant entities involved in handling a cannabis patient’s personal information must comply with HIPAA regulations. Overall, under HIPAA, the information provided to receive a medicinal marijuana card is treated essentially the same as other prescriptions or healthcare treatments.

The information provided to qualify for a card in the first place is covered as protected health information (PHI) under HIPAA. As such, it can’t be released without the patient’s written consent or a court subpoena. The process usually involves a provider obtaining protected information such as medical record numbers, patient contact information (including addresses), diagnosis codes, and other personal information used to verify identity (such as driver’s license numbers). Businesses that handle PHI are compelled to conform to the proper regulations, and breaching patient confidentiality under HIPAA can subject that medical business to fines and legal action, even if the PHI data pertains to medicinal marijuana.

When it comes to HIPAA compliance, rules about medicinal marijuana are typically similar to the rules for any other medical practice or service. Some states also protect medical marijuana patient privacy with state-specific provisions regarding patient privacy in the cannabis industry.

States where medical marijuana information is protected by state breach notification statutes are:

Is Medical Marijuana Patient Privacy Protected During Telehealth Appointments? 

Some cannabis healthcare services, such as Veriheal, offer consultations with medical marijuana-certifying doctors using telehealth. This process may raise additional questions about whether your data is safe after speaking to a healthcare provider using telemedicine.

Telehealth refers to the use of electronic information and telecommunications technologies for long-distance clinical health care, patient and professional health-related education, and public health and health administration. Telehealth services can be performed via text message, videoconference, the internet, streaming media, or wireless communications, among other formats. Although these communications do not involve physical information about a patient or physical contact, all telehealth platforms are still subject to HIPAA compliance, as they are part of the transmission of confidential patient health information.

The main guideline for providing privacy-secure telehealth services is that the patient and provider be connected privately so their messages are received and read only by the intended parties. Such platforms include FaceTime, Zoom, WhatsApp video calls, or Skype. These services typically use end-to-end encryption, which allows only a single patient and the provider with whom the patient is communicating to see what is transmitted. Such platforms also support privacy-protected individual user accounts, logins, and passcodes to help limit access and verify participants.

Security-protected technology platforms can help prevent breaches of the patient’s PHI, which includes documents like their medical records, information discussed during an appointment, and any documents or images shared during a telehealth appointment. If you are using telehealth for your medical marijuana provider visits, ensure that your provider is using a secure platform that protects your information. Otherwise, without the appropriate privacy and security protections, such as those required by the HIPAA Rules, you are at risk of unauthorized persons obtaining this information.

Are Dispensaries Subject to HIPAA?

Some people mistakenly believe that the law necessarily extends to dispensaries that serve patients being treated with medical cannabis.

Cannabis medical patients supply personally identifying information relating to healthcare services to use a dispensary. Thus, it would seem reasonable to conclude that medical marijuana businesses, particularly dispensaries, would be considered “healthcare providers” under HIPAA.

However, it’s not so simple in the case of medical cannabis.

The applicability of HIPAA to medical marijuana businesses and dispensaries is not completely clear. The HHS, which is the agency that enforces HIPAA, could take the position that a medical marijuana dispensary may be a healthcare provider because the drug requires a medical prescription as a treatment for some health condition. Although the majority of state medical cannabis laws avoid using the word “prescription” to describe a patient recommendation to obtain medical marijuana, the HHS has still considered medical marijuana recommendations to be prescriptions, meaning the related transactions count as healthcare, which extends the organization’s oversight to medical data obtained for marijuana transactions, even at dispensaries.

However, unless there are clear state standards for the management of medical marijuana patients’ personal data, legal uncertainty surrounds the extent to which medical cannabis dispensaries are required to comply with HIPAA. Thus, it is not a guarantee that a seller, even if they are purveyors of legal medical cannabis, will have the most rigorous protections for medicinal marijuana patient data. It is good to check in with your purveyor if privacy concerns you. 

Concluding Thoughts

With the stigma associated with cannabis use, it is common for people to have concerns about what privacy protections are in place regarding their medical marijuana cardholder status. The laws protecting patient privacy under HIPAA, fortunately, extend to apply to the medical information shared as a medical cannabis patient.

Although there are still some controversies over whether cannabis businesses should be subject to these federal laws, particularly dispensaries, sharing your personal health information with a well-reputed provider who takes your private information seriously is the best way to proceed with peace of mind. This means that it is good practice to be curious about your medical card provider and to ask plenty of questions about your privacy and security concerns to get a sense of how your patient privacy will be respected.

Frequently Asked Questions

Are medical marijuana cards protected by HIPAA?

Yes, as sensitive personal medical information is involved in getting a medical marijuana card, information you share with clinicians and providers pertaining to your medical marijuana card is protected by the privacy standards maintained under HIPAA.

Is my medical marijuana patient information safe over telehealth?

Veriheal’s telehealth platform is completely HIPAA-compliant to ensure and protect a private, secure connection between the provider and patient. This information, even with a telemedicine appointment, is kept safe from potential unauthorized persons who may try to access this information.

Is Zoom HIPAA compliant?

Zoom has a special plan for telehealth providers that is certified HIPAA compliant. 

Does HIPAA apply to dispensaries?

Since there is still legal uncertainty surrounding the extent to which medical cannabis dispensaries are required to comply with HIPAA, it is not a guarantee that cannabis dispensaries, even if they are purveyors of legal medical cannabis, will have rigorous protections for medicinal marijuana patient data.
