Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.
While it is easy to dismiss this if you’re running your business on a strictly cash-only basis, the future could change and possibly require you to do this. Why not prepare now, so that you can avoid possible problems down the road?
Dispensaries use computerized systems to process and verify patient health information (PHI). This can pose certain risks, including security breaches. These systems are subject to the Health Insurance of Portability and Accountability Act of 1996 (also referred to as HIPAA). Under this law, medical marijuana is treated in a similar way as prescription drugs.
Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.
Key Factors that signal you are serious about compliance
The most obvious signal that you are compliant is to have a Secure Socket Layer (SSL) certificate on your website. What is an SSL certificate? Sites with SSL certificates will indicate a lock in the address bar and/or be green to signal that the site’s traffic is securely encrypted. If you don’t already have this and want to see an example, visit some of your competitors’ websites and look for their SLL certificate signals to see this first hand.
Only Use a HIPAA-compliant hosting data center
Pay close attention to this crucial point, as keeping patient data on-site or on a typical server location can land you in a lot of deep trouble. For one thing, it is considered a serious crime and more often than not, violators have to pay hefty fines to the tune of tens of thousands of dollars. You’ll want to fully understand the differences between what is considered HIPAA compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA compliant data center for you. Remember, this is not about shopping for the best company who can work with you for a cheap price. HIPAA compliant hosting companies are more expensive than traditional ones, and for good reason.
HIPAA compliant checklist to use for hosting companies:
Medical marijuana dispensaries are by law required to keep confidential all of the patient health information aggregated during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. This, as well as any future patient health information, is covered under HIPAA federal law. It cannot be released to anyone without first obtaining the patient’s written consent or a court ordered subpoena.
Accidents in handling patient information will still result in a HIPAA violation and could result in a fine. This poses a problem, especially when credit cards are used to make medical marijuana purchases from a dispensary. It is not possible to completely restrict the transaction information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In some instances, where the purchases were allowed, high per-transaction fees essentially eliminated any feasibility to accepting credit cards.
Here’s the simple, but crucial, part
The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients’ health information is protected under these laws. This doesn’t just include data storage, but also employees and business associates that handle PHI. It is necessary for you to get a signed business associate agreement from any associates that may be handling sensitive PHI.
Michelle Drolet is founder of Towerwall, a woman-owned cybersecurity and cannabis compliance services provider in Framingham, Mass., with clients such as CannaCare, Smith & Wesson, Covenant Healthcare and many mid-size organizations. She can be reached at [email protected].
Your email address will not be published. Required fields are marked *
Name *
Email *
Website
Save my name, email, and website in this browser for the next time I comment.
Comment *
Notify me of follow-up comments by email.
Notify me of new posts by email.
Δ
A push to establish a legal marijuana market in Virginia is officially dead after Republican Gov. Glenn Youngkin vetoed legislation on Thursday. Virginia has allowed adults over 21 to possess and cultivate…
By Hilary Bricken, Attorney at Husch Blackwell Dealing with creditors is never a fun experience. However, some creditors are more severe than others, especially in the cannabis industry. One of…
The long wait on whether Floridians will get a chance to vote to legalize recreational cannabis for adults 21 and older is almost over, as the Florida Supreme Court is…
Missouri’s health department on Wednesday stripped two coveted marijuana micro-licenses tied to an out-of-state company that had been accused of predatory practices and had listed the licenses for resale. The…