Security Standards for Medicinal Cannabis Businesses

Last week the firm moderated a discussion of banking and lending in the cannabis industry. The event was well attended and, most importantly, provided practical insights concerning the financing of cannabis businesses (medicinal and recreational) and a detailed review of just how regulated and scrutinized operations are when it comes to business financing or daily financial transactions. The bottom line appeared to be that in order to obtain financing or to evolve from a cash business, an organization needs to be squeaky clean.

One question that arises regularly is whether medicinal cannabis firms are subject to HIPAA, the federal Health Insurance Portability and Accountability Act of 1996, which is the primary set of laws and regulations applicable to the privacy and security of patient information. It makes sense intuitively that if a dispensary fulfills a prescription or request for a CBD product then the information associated with the patient, the order, and payment should all be considered “protected health information” or “PHI” under HIPAA.

Does HIPAA Apply to Medicinal Cannabis?

Typically, a medicinal cannabis dispensary or related business would not be subject to HIPAA. However, circling back to the discussion of banking and lending, any organization in the medicinal cannabis field should understand that “squeaky clean” often involves stepping up to the standards that will be applied by others, even if the law or regulation might not technically apply.

The privacy, security, and other rules applicable to HIPAA businesses (called covered entities and business associates in the HIPAA vernacular) apply to three categories of healthcare participant: a health payor/insurer, a data clearinghouse, and a healthcare provider. But the healthcare provider category is only subject to HIPAA’s strictures if that healthcare provider (doctor, hospital, pharmacy, dispensary, well clinic) also conducts certain electronic transactions that are invariably associated with third-party payment for whatever healthcare has been provided. So, when you go to your local pharmacy to collect a prescription, the pharmacy will usually ping your health insurer to verify coverage and then will electronically send the transaction details to your insurer so that the pharmacy is paid. All of that is generally covered by HIPAA. Consider, though, a clinic that provides free examinations. The clinic would be considered a healthcare provider but would likely not be subject to HIPAA, solely because the clinic does not participate in the electronic transactions that HIPAA identifies.

Under the current federal law, a medicinal cannabis dispensary fits neither of the examples above but certainly provides healthcare in return for payment. The distinction – regardless of whether we think it a sensible one from a policy perspective – is that the dispensary is not charging the patient’s insurance. The dispensary can undertake other electronic transactions, such as perhaps debit cards for payment, but these do not make the dispensary subject to HIPAA.

And for so long as cannabis and its variations remain taboo at the federal level (even though the US Food and Drug Administration has approved certain CBD applications), health insurers will be reluctant to provide coverage under group or individual health plans. (To their credit, insurers such as Cigna still recognize that cannabis products have medicinal benefits, and provide high-level guidance on them to their members, but there are few if any insurers covering cannabis.) Progress here continues at the state level, where New York, for example, has made clear that health insurers licensed in the state must not avoid medical cannabis coverage.

Standard of Care

Even if the HIPAA privacy, security, and other regulations do not apply to medicinal cannabis firms, those organizations would be well served by understanding those rules and applying them effectively. Why, if it isn’t required? Because firms in this sector need to be squeaky clean to get investment, to get banking services, and to be able to demonstrate – when data is lost – what they were doing to prevent that from occurring.

In legal terms, the idea of a ‘standard of care’ is invariably assessed in hindsight with a skeptical assessment of what you should have done to anticipate or protect against whatever series of unfortunate events unfolded. Even though the HIPAA Security Rule may not clearly apply, courts have referred to that regulation in other contexts as the standard against which a business should have managed its information systems and sensitive data. Likewise, in this sector, even though the HIPAA Security Rule is not mandatory, it provides a robust set of administrative, technical, and physical measures that any health sector business should apply to safeguard patient/customer information.