Introduction

HIPAA is a prime example of regulatory complexity and applicable to medical cannabis businesses, including business associates of prescribers and dispensers. The Office for Civil Rights in the Federal Department of Health and Human Services, enforces the:

1. HIPAA Privacy Rule, which protects the privacy of individually identifiable health information;
2. HIPAA Security Rule, which sets national standards for the security of electronic protected health information;
3. HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and
4. Confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

How HIPPA May Apply to Cannabis Related Businesses

The term “Business Associates” is emphasized because it exemplifies the wide ranging application of a Federal law. It is easy to understand that an individual’s privacy relates to “Protected Health Information” (PHI) which basically involves doctors, their offices and staff; medical groups; hospitals, surgery centers and clinics; and pharmacies (Covered Entities). But the 2013 regulations specifically extended the application of the law to entities, such as cannabis related businesses, that do business with both Covered Entities and their immediate Business Associates, including:

1. All subcontractors of business associates that create, receive, maintain or transmit protected health information (PHI) on behalf of business associates and each subcontractor, as a business associate under the new definition, will be directly liable for its own compliance with the provisions of the privacy and security rules applicable to business associates.
2. Any organization that provides a covered entity with data transmission services involving PHI and that requires access on a routine basis to such PHI will be considered a business associate, including but not limited to health information organizations and e-prescribing gateways.
3. Document and Data Storage Organizations that “maintain” PHI, such as document and/or data storage companies, regardless of whether the entity actually accesses the PHI maintained for a covered entity.
4. Personal Health Record Vendors that provide and manage personal health records on behalf of covered entities are business associates (may include growers or extractors if the product is for a specific individual).
5. A bank or financial institution lending to the health care industry may become a business associate. If they access accounts receivable documentation that contains PHI, such as in connection with the provision of loan or capital financing to a health care provider.

Violations

The real import of discussing HIPPA here is that violators have been fined from a few thousand dollars to over a $1,000,000 dollars. These fines are significant and real. If a cannabis business is classified as a Business Associate of a Covered Entity, it can expect to be asked to sign Hold Harmless or other documents. The effect of this is to make the cannabis business liable to reimburse a Covered Entity in the event it is the cause of a violation with a resulting fine to the Covered Party. This would greatly expand your company’s exposure to financial liabilities.

Conclusion

This is an example of how a cannabis business may be affected by government regulations in a subject area seemingly unrelated to the cannabis business itself. Because of the potential magnitude of the financial impact on your business, it is important to check with your business attorney to see what regulations may apply to a business activity.