There is a fair amount of uncertainty and confusion with respect to medical marijuana and compliance with the U.S. Department of Health and Human Services Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes whether HIPAA law is applicable to the new Missouri medical marijuana program.
Stepping back for a moment, HIPAA was established as a network of statutes and regulations designed to protect the health information of individual citizens. It is intended to ensure patient’s privacy in seeking quality health care while allowing for private information to be used to promote the public interest. A core component of HIPAA is safeguarding patient’s Protected Health information (PHI), which is defined as any individually identifiable information, that is transmitted by electronic media, maintained in electronic media; or transmitted or maintained in any other form or medium.
Under the new medical marijuana regulations for Missouri, the Department of Health and Senior Services (DHSS) requires Qualified Patients and Primary Caregivers to provide their names, birthdates, Social Security numbers, copies of drivers’ licenses, email addresses and many other potential identifiers. The DHSS also dictates that all Missouri dispensary operators implement a seed to sale tracking system that interfaces with the DHSS’s statewide track and trace system, such that a dispensary operator can enter and access information in the state’s system. Furthermore, Missouri dispensary operators will be required to provide the DHSS with access to all information stored in their system’s database.
Missouri dispensary operators must maintain the confidentiality of all Qualified Patient and Primary Caregiver data and records accessed or stored in their system, so that all persons or entities other than the DHSS may only access the information in the system that they are authorized to access by law.
It seems likely that Missouri dispensary operators will be subject to HIPAA oversight. This is due to the fact that they are tasked with knowing the purported effects of the products they will be providing to Qualified Patients and Primary Caregivers. Therefore, it would be reasonable to conclude that product and purported effect information will be used to help treat a variety of ailments, conditions and complaints suffered by cardholders. Storing this information will likely designate it as PHI and the DHSS’s statewide track and trace system will cause this and other identifiers to be transmitted and maintained by electronic media.
Receiving this information from a doctor via a Physician Certification will likely designate the Missouri dispensary operator as a Health Care Provider as described by HIPAA. Those who supply cannabis products pursuant to a Physician Certification will also be acting as Health Care Providers in the scope of HIPAA rules. The DHSS has anticipated this position by requiring that Missouri dispensary operators maintain strict confidentiality with respect to patient information.
Any Missouri dispensary operator who unlawfully discloses information relating to the underlying medical condition of a Qualified Patient, products used to treat the patient, or information related to payments will likely be in violation of HIPAA. Also, it is likely that unlawful disclosures of personal identifiers (names, birthdates, Social Security numbers, etc.) will give rise to a HIPAA violation.
With this being the case, it will be important for Missouri dispensary operators to familiarize themselves with some of the basic components of HIPAA:
Privacy Rule: establishes the standards to protect PHI
Security Rule: establishes the safeguards to implement to ensure the integrity and confidentiality of the PHI transmitted between entities and patients
Breach Notification Rule: provides the guidelines to be followed in the event of a possible data breach
Compliance with the Notification Rule: provides a mitigating tool to combat accusations of breach and self-report if a breach is suspected
Penalties for HIPAA violations range from $100 to $1.5 million and some violations can carry a penalty of up to 10 years in jail. Failure to comply with DHSS’s seed to sale tracking requirements may result in a revocation of the Missouri dispensary operator’s license.
While it is still a bit unclear if Missouri dispensary operators will be subject to HIPAA controls, information available to date, along with general best practices, speak for strict compliance, which would likely result in the advancement of the safety, integrity and health of the medical marijuana program in Missouri.