Last week the firm moderated a discussion of banking and lending in the cannabis industry. The event was well attended and, most importantly, provided practical insights regarding the financing of cannabis businesses (medicinal and recreational) and a detailed analysis of just how regulated and scrutinized operations are when it comes to business financing or day-to-day financial transactions. The bottom line appeared to be that in order to receive financing or to evolve from a cash business, an organization needs to be squeaky clean.
One question that arises consistently is whether medicinal cannabis businesses are subject to HIPAA, the federal Health Insurance Portability and Accountability Act of 1996, which is the main set of laws and regulations applicable to the privacy and security of patient information. It makes sense intuitively that if a dispensary fulfills a prescription or request for a CBD product then the information associated with the patient, the order, and payment should all be considered “protected health information” or “PHI” under HIPAA.
Does HIPAA Apply to Medicinal Cannabis?
Generally, a medicinal cannabis dispensary or related business would not be subject to HIPAA. However, circling back to the discussion of banking and lending, any organization in the medicinal cannabis field should recognize that “squeaky clean” usually entails stepping up to the standards that will be applied by others, even if the law or regulation may not technically apply.
The privacy, security, and other rules applicable to HIPAA organizations (referred to as covered entities and business associates in the HIPAA vernacular) apply to three categories of healthcare participant: a health payor/insurer, a data clearinghouse, and a healthcare provider. But the healthcare provider category is only subject to HIPAA’s strictures if that healthcare provider (physician, hospital, pharmacy, dispensary, well clinic) also conducts certain electronic transactions that are invariably associated with third-party payment for whatever healthcare has been provided. So, when you go to your local pharmacy to collect a prescription, the pharmacy will typically ping your health insurer to confirm coverage and then will electronically send the transaction data to your insurer so that the pharmacy is paid. All of that is generally covered by HIPAA. Consider, though, if you go to a clinic that provides free examinations. The clinic would be considered a healthcare provider but would likely not be subject to HIPAA solely because the clinic does not participate in the electronic transactions that HIPAA identifies.
Under the current federal law, a medicinal cannabis dispensary fits neither of the examples above but certainly provides healthcare in return for payment. The distinction – regardless of whether we think it a sensible one from a policy point of view – is that the dispensary is not charging the patient’s insurance. The dispensary can undertake other electronic transactions, such as perhaps debit cards for payment, but these do not make the dispensary subject to HIPAA.
And for so long as cannabis and its variations remain taboo at the federal level (even though the US Food and Drug Administration has approved certain CBD applications), health insurers will be reticent to provide coverage under group or individual health plans. (To their credit, insurers such as Cigna nonetheless recognize that cannabis products have medicinal benefits, and provide high-level guidance on such to their members, but there are few if any insurers covering cannabis.) Progress here continues at the state level where New York, for example, has made clear that health insurers licensed in the state should not avoid medical cannabis coverage.
Standard of Care
Even if the HIPAA privacy, security, and other regulations do not apply to medicinal cannabis businesses, these organizations would be well served by understanding these rules and applying them effectively. Why, if it is not required? Because businesses in this sector need to be squeaky clean to get investment, to get banking services, and to be able to demonstrate – when data is lost – what you were doing to prevent that from occurring.
In legal terms, the concept of a ‘standard of care’ is invariably assessed in hindsight with a skeptical assessment of what you should have done to anticipate or safeguard against whatever series of unfortunate events unfolded. Even though the HIPAA Security Rule may not clearly apply, courts have referred to that regulation in other contexts as the standard against which a business should have managed its information systems and sensitive data. Likewise, in this sector, even though the HIPAA Security Rule is not mandatory, it provides a robust set of administrative, technical, and physical measures that any health sector business should apply to safeguard patient/client information.