With medical marijuana legal in a growing number of states, many businesses in the cannabis industry, particularly dispensaries, continue to wrestle with the question of whether they are subject to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rule requirements.
The bad news is that the answer is: It depends.
The good news is that you can easily learn more about where your business stands.
The confusion over whether medical cannabis businesses are covered under HIPAA appears to stem from two sources.
First, most people assume that the mere mention of someone’s medical condition or health information is protected, regardless of who is disclosing it. That is simply not the case. Not all medical information is protected under HIPAA; only specific “protected health information” (PHI) is protected. The definition of PHI, however, is not so clear, and there is a lot to unpack in defining the term.
The second part of the confusion comes from a