The legal regime for cannabis is a highly fractured one in the U.S.
As of today, we’re approaching the legalized use of either recreational or medicinal marijuana in 30 states with eight states and the District of Columbia nearing full recreational use. Five states in the country continue to ban any use of cannabis, including for medical purposes.
This discrepancy between state cannabis legal regimes creates anxiety for both users and suppliers of cannabis. Medical marijuana can be particularly problematic, given that for some people it can literally mean the difference between controllable pain and excruciating pain. But what of the privacy and rights of those who use medical marijuana? And what is the role of marijuana dispensaries? Enter HIPAA, the Health Insurance Portability and Accountability Act.
Also referred to as the Kennedy–Kassebaum Act, HIPAA came into law in August, 1996. Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of what is known as protected health information (or PHI) and establishes civil and criminal penalties for breaches of these privacy and security rules. Title II also instructs the U.S. Department of Health and Human Services about how to establish national standards for processing and monitoring electronic healthcare transactions.
The bottom line is that healthcare organizations must ensure secure electronic access to health data that is compliant with privacy rules.
If one is to consider medical marijuana as a Schedule 1 controlled substance (illegal at the federal level) then it should require a robust system of patient verification, often by electronic means. This data could typically include sensitive health information such as a patient’s contact information, medical records, diagnosis and other personal information. That is why medical marijuana should theoretically be subject to HIPAA compliance. HIPAA would ensure that data could never be released without either the patient’s written consent or by court subpoena. Additionally, this need for HIPAA compliance would also be the case for a person applying to qualify for a medical marijuana card.
Dispensaries need to remember that breaches of privacy occur all too easily. Web-driven email services like Gmail and Yahoo, and text messaging services such as Facebook and WhatsApp, are not encrypted for sensitive data. Cloud storage providers such as iCloud or OneDrive are also not HIPAA-compliant. In fact, many contemporary apps, data centers, and email systems are not regarded as secure and can be easily hacked by malicious third parties. That also includes any SMS service – for example, one used with patients as part of a loyalty and promotions program.
Patients should take comfort that their privacy is de facto protected, largely thanks to HIPAA.
Joe Elford, an attorney for the advocacy group Americans for Safe Access, has said that, technically, a doctor’s recommendation for medical marijuana is very private, making it nearly impossible for even law enforcement to obtain private patient records.
But it is marijuana medical dispensaries that remain jittery about their responsibilities, as cautioned by Joshua G. Urquhart, who represented the Colorado Medical Marijuana Registry while at the state attorney general’s office. He notes how most dispensaries are forced to work on a strictly cash bases. Urquhart believes that not all providers are “covered entities” under HIPAA, with the critical issue being whether the dispensary transmits “covered transactions” electronically. An inevitable limbo for dispensaries has become the norm.
It is very important to note that HIPAA does not include a right to private civil action, i.e., to file a lawsuit, as a result of a HIPAA-related violation. However, this is changing. For example, in the landmark 2014 case of Byrne v. Avery Center for Obstetrics and Gynecology the Supreme Court of Connecticut held that HIPAA should not preclude a person from seeking common law relief (i.e., by means of a lawsuit) against a medical center (which could include a HIPAA-registered marijuana dispensary) or other entity that may have breached a person’s privacy due to negligence.
The emergence of HIPAA-related lawsuits poses significant liability risk for any dispensary that may be subject to HIPAA. As medical marijuana moves inevitably towards ever stronger regulations, dispensaries need to weigh up the pros and cons of adopting HIPAA standards.
One thing is certain: patients’ data will have to remain strictly private and protected at all times, whether or not a marijuana dispensary or doctor is HIPAA-compliant.