none

HIPAA: Medical Marijuana

by | May 24, 2017 | Law & Policy

Many nurses have been asking about how medical cannabis is playing into the protected fields of HIPAA (Health Insurance Portability and Accountability Act of 1996) which is United States legislation that provides data privacy and security provisions for safeguarding medical information. Here’s an article that will assist you in your profession to assure your state medical marijuana/recreational programs and dispensaries are in alignment with protecting patient’s medical information.

Because of its reputation, the Medical Cannabis Industry is diligent about keeping within the confines of the federal law and in so doing, relies heavily on these patient verification systems. These systems usually contain protected health information (PHI) such as medical record numbers, patient contact information (including addresses), diagnosis codes, and other personal information used for verification (such as driver’s license numbers).

At a glance, a few factors will give away if a business is serious about their compliance. For one, their website will have a Secure Socket Layer (SSL) certificate. This means that your address bar will show a lock and be green to indicate that website traffic is encrypted. Also, the provider will need to host their data in a HIPAA Compliant data center. Having the data on-site or in a typical server location is a flagrant violation of HIPAA. If you are concerned, you should be aware that violating HIPAA security regulations is a serious crime and often includes fines for the violator. Understand the differences between standard web hosting vs. HIPAA compliant hosting to ensure that you have the correct type of provider.

Medical Dispensaries fall under the auspices of HIPAA and are required to keep confidential all of the PHI that is collected during a customer transaction. The information that is given to qualifying for a medical marijuana card in the first place is also covered under HIPAA and cannot be released without the patient’s written consent or a court subpoena. To do so, even accidentally, would be a violation of HIPAA and most likely would result in a fine. However, if a credit card is used when purchasing marijuana from a dispensary, completely restricting this transaction information is not possible. It is also worthwhile noting that Visa and MasterCard have recently stopped allowing medicinal marijuana purchases or have used high per-transaction rates to make accepting credit cards not feasible.

When it comes to HIPAA compliance, the rules for medicinal marijuana are strikingly similar to the rules for any other medical substance or service. Patient information is protected under HIPAA regulations regarding both data storage and employee inquiries. Businesses and their associates that handle PHI are compelled to abide by these regulations and are subject to fines and legal action, even if the PHI data pertains to medicinal marijuana.
Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler, MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C

ABSTRACT

Controversy in the United States about the decriminalization of cannabis to allow health care providers to Because of its reputation, the Medical Cannabis Industry is diligent about keeping within the confines of the federal law and in so doing, relies heavily on these patient verification systems. These systems usually contain protected health information (PHI) such as medical record numbers, patient contact information (including addresses), diagnosis codes, and other personal information used for verification (such as driver’s license numbers).

At a glance, a few factors will give away if a business is serious about their compliance. For one, their website will have a Secure Socket Layer (SSL) certificate. This means that your address bar will show a lock and/or be green to indicate that website traffic is encrypted. Also, the provider will need to host their data in a HIPAA Compliant data center. Having the data on-site or in a typical server location is a flagrant violation of HIPAA. If you are concerned, you should be aware that violating HIPAA security regulations is a serious crime and often includes fines for the violator. Understand the differences between standard web hosting vs. HIPAA compliant hosting to ensure that you have the correct type of provider.

Medical Dispensaries fall under the auspices of HIPAA and are required to keep confidential all of the PHI that is collected during a customer transaction. The information that is given to qualifying for a medical marijuana card in the first place is also covered under HIPAA and cannot be released without the patient’s written consent or a court subpoena. To do so, even accidentally, would be a violation of HIPAA and most likely would result in a fine. However, if a credit card is used when purchasing marijuana from a dispensary, completely restricting this transaction information is not possible. It is also worthwhile noting that Visa and MasterCard have recently stopped allowing medicinal marijuana purchases or have used high per-transaction rates to make accepting credit cards not feasible.

When it comes to HIPAA compliance, the rules for medicinal marijuana are strikingly similar to the rules for any other medical substance or service. Patient information is protected under HIPAA regulations regarding both data storage and employee inquiries. Businesses and their associates that handle PHI are compelled to abide by these regulations and are subject to fines and legal action, even if the PHI data pertains to medicinal marijuana.

Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler, MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C

MEDICAL MARIJUANA AND PRIVACY

Related to patient autonomy is a patient’s right to privacy (i.e., to control his or her own body and his or her personal information). The ancient Hippocratic Oath included the statement that “Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.” When personal health information is likely to result in social stigma or negative consequences, such as when psychiatric, drug, or alcohol treatment information is released or when the patient is a celebrity, the duty to protect patient privacy is heightened.

This special circumstance has long been an issue and is recognized under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL 104- 191; 42 U.S.C. xx1320d et seq.). The use of therapeutic cannabis is likely to be in this category, as long as its use remains illegal or continues to be viewed negatively by society. Even if medical use is a defense, association with a drug that many consider illicit could impact a person’s ability to be employed or create other social handicaps. Therefore, caregivers, including APRNs, need to be prepared to extend these additional protections of privacy for a patient who is using medical marijuana.

Where the possession of therapeutic cannabis is illegal, patients have an additional concern about criminal penalties and may well be concerned about the protection of their information from release to organizations and individuals. HIPAA does exempt certain entities from the confidentiality requirement and grants them access to patient information without patient consent for the greater good of society. Law enforcement is not an exception.

Examples of exceptions include public health reporting requirements and regulators like the US Department of Health and Human Services, which needs access to enforce HIPAA. APRNs can reassure their patients that most entities are not entitled to the patient’s health records without the patient’s consent, including the US Drug Enforcement Administration (DEA). HIPAA (the Privacy Rule, at 45 C.F.R. xx160 and 164) specifically limits access to identifiable health information, whether it is medication listings, discharge, or progress reports, including those cases in which DEA officers request information to show the patient’s criminal intent. All health entities and caregivers are held accountable by HIPAA to protect patient privacy and are not required to expose the patient’s past or present medical history, including prescriptions or drug use, to an authority outside of that health entity.

References:

www.npjournal.org The Journal for Nurse Practitioners – JNP 6 http://lib.ajaums.ac.ir/booklist/Nurse%20Practitione478.pdf
Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler, MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C
http://www.npjournal.org/article/
S1555-4155(14)00375-4/abstract
https://www.hhs.gov/hipaa/
https://www.nlm.nih.gov/hmd/greek/greek_oath.html
https://www.vmracks.com/resources/hipaa-compliant-hosting-insights/hipaa-compliant-hosting-vs-standard-web-hosting/
https://www.vmracks.com/resources/hipaa-compliant-hosting-insights/medical-marijuana-industry-regulated-by-hipaa/?option=com_content&view=article&id=58:tru e-hipaa-compliance&catid=11:services& Itemid=73

Take a Course

Advance your endocannabinoid system and cannabis nurse entrepreneurship expertise with accredited, comprehensive education.

Attend the Conference

Connect & network with other cannabis nurses while learning from some of the best medical cannabis educators and experts.

Ryan's Law Action Center

Guidance, training and must have details for nurses & health care professionals on California Senate Bill 311 aka “Ryan’s Law”

More on this topic

Related Articles

The Demise of Medical Cannabis in Oregon

The Demise of Medical Cannabis in Oregon

In 1998, Oregon was the second state in the US to legalize access to medical cannabis, when it launched our Oregon Medical Marijuana Program (OMMP).  Despite our progressive beginnings, Oregon’s current protocols are failing to meet cannabis patient’s needs, and many...