By Gil Vidals

Like any controlled substance, medical marijuana requires a robust system of patient verification to make certain that patients who are receiving prescriptions are identified properly.

Medical dispensaries use computerized patient verification systems in pursuit of this goal. What many people do not know is that a patient verification system is also subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In fact, under HIPAA, medicinal marijuana is treated almost exactly the same as any other prescription or treatment.

Because of its reputation, the medical cannabis industry is diligent about keeping within the confines of federal law, and in so doing, relies heavily on these patient verification systems. These systems usually contain protected health information (PHI) such as medical record numbers, patient contact information (including addresses), diagnosis codes, and other personal information used for verification (such as driver’s license numbers).

A few factors show at a glance whether a business is serious about its compliance. For one, its website will have a Secure Sockets Layer (SSL) certificate. This means that your address bar will show a lock and/or be green to indicate that website traffic is encrypted.

In addition, the provider will need to host their data in a HIPAA compliant data center. Having the data on-site or in a typical server location is a flagrant violation of HIPAA. If you are concerned, you should be aware that violating HIPAA security regulations is a serious crime and often includes fines for the violator. Understand the differences between standard web hosting vs. HIPAA compliant hosting to ensure that you have the correct type of provider.

Medical dispensaries fall under the auspices of HIPAA and are required to keep confidential all of the PHI that is collected during a customer transaction.

The information that is provided to qualify for a card in the first place is also covered under HIPAA and can’t be released without the patient’s written consent or a court subpoena. To do so, even accidentally, would be a violation of HIPAA and most likely would result in a fine. However, if a credit card is used when purchasing marijuana from a dispensary, completely restricting this transaction information is not possible. It is also worth noting that Visa and Mastercard have recently stopped allowing medicinal marijuana purchases.

When it comes to HIPAA compliance, the rules for medicinal marijuana are strikingly similar to the rules for any other medical substance or service. Patient information is protected under HIPAA regulations in terms of both data storage and employee inquiries.

Businesses and their associates that handle PHI are compelled to abide by these regulations and are subject to fines and legal action, even if the PHI data pertains to medicinal marijuana. Learn more about HIPAA web hosting requirements.

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA-compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached on LinkedIn.