Medical Marijuana Dispensaries: Take Care of Patient Health Information or Pay The Price

Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.

While it is easy to dismiss this if you’re running your business on a strictly cash-only basis, the future could change and possibly require you to do this. Why not prepare now, so that you can avoid possible problems down the road?

Dispensaries use computerized systems to process and verify patient information. Those systems and the data in them carry real risk, including the risk of a breach. They are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this law, medical marijuana is treated in a similar way as prescription drugs.

Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.

Key Factors that signal you are serious about compliance

The most obvious outward signal that you take security seriously is to serve your website over HTTPS with a valid TLS certificate (still widely called an SSL certificate). What does that mean? A browser shows a lock in the address bar when its connection to the site is encrypted with a certificate it trusts; older browsers also turned the bar green for extended-validation certificates, but current browsers no longer do. Two caveats: the certificate protects data in transit between the patient's browser and your server, not data stored on the server, and it does not by itself make a site HIPAA compliant. If you don't already have one and want to see an example, visit some of your competitors' websites, look for the lock, and check that the plain http:// address redirects to https://.
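The lock icon is only a summary of checks the browser runs. The script below, added here as an example rather than code from the article, runs the same checks from the command line: it connects with Python's default verifying context (which validates the chain against the system trust store), then flags an expired or soon-to-expire certificate, a host name the certificate does not cover, and a plain-HTTP front door that does not redirect to HTTPS. The host name dispensary.example and the SAMPLE_CERT dictionary are constructed for illustration.

```python
"""Check a site's HTTPS setup programmatically rather than eyeballing the lock icon.
Added example, not code from the original article: the host name
dispensary.example and SAMPLE_CERT below are constructed."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "dispensary.example"),),),
    "subjectAltName": (("DNS", "dispensary.example"), ("DNS", "*.dispensary.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware instant (naive datetimes would use local time in .timestamp())."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def evaluate_cert(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Return the problems found in a peer certificate (empty list = looks fine).
    Browsers match the host against subjectAltName DNS entries, not the commonName."""
    problems = []
    ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if ts > not_after:
        problems.append("certificate has expired")
    elif ts < not_before:
        problems.append("certificate is not yet valid")
    elif not_after - ts < 14 * 86400:
        problems.append("certificate expires within 14 days")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname} not covered by certificate")
    return problems


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect the way a browser does. The default context verifies the chain
    against the system trust store and checks the host name, raising
    ssl.SSLCertVerificationError if either check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def http_redirects_to_https(hostname: str, timeout: float = 5.0) -> bool:
    """A site that offers HTTPS should send plain-HTTP visitors to it."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "dispensary.example"  # constructed default
    try:
        issues = evaluate_cert(fetch_cert(host), host, datetime.now(timezone.utc))
        print(host, "certificate:", "OK" if not issues else "; ".join(issues))
        print(host, "HTTP redirects to HTTPS:", http_redirects_to_https(host))
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError, so catch it first
        print(host, "certificate: chain or hostname verification failed:", exc.reason)
    except OSError as exc:
        print(host, "unreachable:", exc)
```

Run it as `python check_tls.py yourdispensary.example` (file name is hypothetical). A clean result is a transport-encryption baseline only; the rest of this article is about where the data lives once it has arrived.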

Only Use a HIPAA-compliant hosting data center

Pay close attention to this crucial point: keeping patient data on-site or on an ordinary web host with no safeguards can land you in deep trouble. Exposing PHI through careless handling is a HIPAA violation that carries civil penalties, knowingly misusing PHI is a federal crime, and violators routinely pay fines to the tune of tens of thousands of dollars. You'll want to fully understand the differences between HIPAA compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA compliant data center for you. Remember, this is not about shopping for the company that will work with you for the cheapest price. HIPAA compliant hosting companies are more expensive than traditional ones, and for good reason.

HIPAA compliant checklist to use for hosting companies: 

  1. Signed business associate agreement – HIPAA requires a business associate agreement (BAA) with any vendor that stores or processes PHI on your behalf. It protects you and gives you peace of mind: you want your host to understand and accept, in writing, the responsibilities that come with hosting patient health information.
  2. Multiple vulnerability scans of your servers every month – Ask for the reports; a reputable hosting company will gladly provide them.
  3. Mitigating discovered vulnerabilities – A scan report is only useful if someone acts on it. HIPAA compliant hosting companies should provide remediation services to fix the vulnerabilities they find, on a stated timeline.
  4. Server hardening – Request copies of your hosting company's server hardening steps. These should detail how they apply security measures to your servers, not just state that they do.
  5. Regular off-site backup – Ask whether they provide backups and how far away the backups are physically from your hosting company. Ideally, you want them at least 50 miles apart, to factor in the possibility of a local storm or some other natural disaster that could take out both your server and your backup.
  6. Six-year record retention and secure media disposal – HIPAA requires that compliance documentation (policies, risk assessments, access logs and the like) be retained for six years, so ask how the host retains logs for you. Separately, when you are finished using a server, its hard drives should not be reused until they have been wiped so that PHI cannot be recovered. Ask what process they use: for modern magnetic drives NIST SP 800-88 treats a single overwrite pass as sufficient, while SSDs need cryptographic erase or physical destruction rather than overwriting, and you should receive a certificate of destruction either way.

Medical marijuana dispensaries are required by law to keep confidential all of the patient health information gathered during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. That information, and any patient health information collected later, is covered under federal HIPAA law. It cannot be released to anyone without first obtaining the patient's written consent or a valid court order or subpoena.

Accidents in handling patient information still count as HIPAA violations and can result in a fine. This poses a problem when credit cards are used to make medical marijuana purchases from a dispensary, because the transaction record leaves your systems and it is not possible to completely restrict that information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In the instances where purchases were allowed, high per-transaction fees essentially eliminated any feasibility of accepting credit cards.

Here’s the simple, but crucial, part

The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients' health information is protected under these laws. This doesn't just cover data storage; it also covers the employees and business associates that handle PHI. You must obtain a signed business associate agreement from any associate that may handle sensitive PHI.


Michelle Drolet

Michelle Drolet is founder of Towerwall, a woman-owned cybersecurity and cannabis compliance services provider in Framingham, Mass., with clients such as CannaCare, Smith & Wesson, Covenant Healthcare and many mid-size organizations. She can be reached at [email protected].


