How HIPAA Applies to Medical Cannabis Patients & Nurses

by | Apr 21, 2019 | Law & Policy

Many nurses have been asking about how medical cannabis is playing into the protected fields of HIPAA (Health Insurance Portability and Accountability Act of 1996) which is United States legislation that provides data privacy and security provisions for safeguarding medical information.  Here’s an article that will assist you in your profession to ensure your state medical marijuana/recreational programs and dispensaries are in alignment with protecting patient’s medical information.

How HIPAA Applies to Medical Cannabis Patients & Nurses          

Because of its reputation, the medical cannabis industry is diligent about keeping within the confines of federal law and in so doing, relies heavily on these patient verification systems. These systems usually contain protected health information (PHI) such as medical record numbers, patient contact information (including addresses), diagnosis codes, and other personal information used for verification (such as driver’s license numbers).

At a glance, a few factors will give away if a business is serious about their compliance. For one, their website will have a Secure Socket Layer (SSL) certificate. This means that your address bar will show a lock and/or be green to indicate that website traffic is encrypted. In addition, the provider will need to host their data in a HIPAA Compliant data center. Having the data on-site or in a typical server location is a flagrant violation of HIPAA. If you are concerned, you should be aware that violating HIPAA security regulations is a serious crime and often includes fines for the violator. Understand the differences between standard web hosting vs. HIPAA compliant hosting to ensure that you have the correct type of provider.

Medical Dispensaries fall under the auspices of HIPAA and are required to keep confidential all of the PHI that is collected during a customer transaction. The information that is given to qualify for a medical marijuana card in the first place is also covered under HIPAA and can’t be released without the patient’s written consent or a court subpoena. To do so, even accidentally, would be a violation of HIPAA and most likely would result in a fine. However, if a credit card is used when purchasing marijuana from a dispensary, completely restricting this transaction information is not possible. It is also worthwhile noting that Visa and MasterCard have recently stopped allowing medicinal marijuana purchases or have used high per-transaction rates to make accepting credit cards not feasible.

When it comes to HIPAA compliance, the rules for medicinal marijuana are strikingly similar to the rules for any other medical substance or service. Patient information is protected under HIPAA regulations in terms of both data storage and employee inquiries. Businesses and their associates that handle PHI are compelled to abide by these regulations and are subject to fines and legal action, even if the PHI data pertains to medicinal marijuana. Learn more about HIPAA web hosting requirements.

Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler, MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C


Controversy in the United States about the decriminalization of cannabis to allow health care providers to recommend it for therapeutic use (medical marijuana) has been based on varying policies and beliefs about cannabis rather than on scientific evidence. Issues include the duty to provide care, conflicting reports of the therapeutic advantages and risks of cannabis, inconsistent laws, and even the struggle to remove barriers to the scope of practice for Advanced Practice Registered Nurses. This article reviews the ethics, evidence, and the politics of this complex debate.

Keywords: advanced practice registered nurse scope of practice, advocacy, barriers to advanced practice registered nurse practice, cannabis, compassionate care, criminalization, decriminalization, gateway drugs, marijuana, medical marijuana, palliative care, paternalism, patient autonomy, therapeutic cannabis, HIPAA.


Related to patient autonomy is a patient’s right to privacy (i.e. to control his or her own body and his or her own personal information). The ancient Hippocratic Oath included the statement that “Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.”  When personal health information is likely to result in social stigma or negative consequences, such as when psychiatric, drug, or alcohol treatment information is released or when the patient is a celebrity, the duty to protect patient privacy is heightened. This special circumstance has long been an issue and is recognized under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL 104- 191; 42 U.S.C. xx1320d et seq.). The use of therapeutic cannabis is likely to be in this category, as long as its use remains illegal or continues to be viewed negatively by society. Even if medical use is a defense, association with a drug that many consider illicit could impact a person’s ability to be employed or create other social handicaps.

Therefore, caregivers, including APRNs, need to be prepared to extend these additional protections of privacy for a patient who is using medical marijuana. Where the possession of therapeutic cannabis is illegal, patients have an additional concern about criminal penalties and may well be concerned about the protection of their information from release to organizations and individuals. HIPAA does exempt certain entities from the confidentiality requirement and grants them access to patient information without patient consent for the greater good of society. Law enforcement is not generally an exception. Examples of exceptions include public health reporting requirements and regulators like the US Department of Health and Human Services, which needs access in order to enforce HIPAA. APRNs can reassure their patients that most entities are not entitled to the patient’s health records without the patient’s consent, including the US Drug Enforcement Administration (DEA).  HIPAA (the Privacy Rule, at 45 C.F.R. xx160 and 164) specifically limits access to identifiable health information, whether it is medication listings, discharge, or progress reports, including those cases in which DEA officers request information to show the patient’s criminal intent. All health entities and caregivers are held accountable by HIPAA to protect patient privacy and generally are not required to expose the patient’s past or present medical history, including prescriptions or drug use, to authority outside of that health entity.

References: The Journal for Nurse Practitioners – JNP 6

Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler, MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C

by | Apr 21, 2019 | Law & Policy

Take a Course

Advance your endocannabinoid system and cannabis nurse entrepreneurship expertise with accredited, comprehensive education.

Attend the Conference

Connect & network with other cannabis nurses while learning from some of the best medical cannabis educators and experts.

Ryan's Law Action Center

Guidance, training and must have details for nurses & health care professionals on California Senate Bill 311 aka “Ryan’s Law”

More on this topic

Related Articles

The Demise of Medical Cannabis in Oregon

The Demise of Medical Cannabis in Oregon

In 1998, Oregon was the second state in the US to legalize access to medical cannabis, when it launched our Oregon Medical Marijuana Program (OMMP).  Despite our progressive beginnings, Oregon’s current protocols are failing to meet cannabis patient’s needs, and many...