In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to improve the efficiency of the United States health care system. The law gave the Department of Health and Human Services (HHS) the administrative power to adopt national standards for electronic health care transactions, including safeguards to protect the health information those transactions carry.

The law has three main legal and compliance components to safeguard the protected health information (PHI) of all patients interacting with covered entities, the technical name for organizations that are subject to HIPAA.

The three parts of the law that covered entities must comply with are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The HIPAA Privacy Rule created national standards for the protection of PHI by three types of covered entities:

  1. Health insurance plans
  2. Health care clearinghouses
  3. Health care providers who perform health care transactions electronically

The Privacy Rule applies to PHI in oral, electronic and hard copy formats and requires any organization subject to it to appoint an individual to act as Privacy Officer. The Privacy Officer is responsible for creating and implementing the policies and safeguards the Privacy Rule requires, protecting the confidentiality, integrity and availability of PHI.

These policies must address the following:

  1. The creation of a HIPAA privacy notice
  2. Patient Authorization to disclose PHI
  3. Patient access to PHI
  4. Employee Training

The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards that protect against reasonably anticipated threats to the confidentiality, integrity and availability of electronic PHI (ePHI) while it is being stored or transmitted.

Organizations subject to the HIPAA Security Rule must implement the following policies and/or measures to comply with the Rule:

  1. Risk analysis, in the form of periodic risk assessments that uncover potential threats and vulnerabilities to the ePHI a covered entity stores and transmits. This is the key to adherence to the HIPAA Security Rule.
  2. Workforce training to assure internal compliance with the policies created.

It is worth mentioning that the Security Rule does not apply to PHI transmitted orally or on paper (for example, phone calls or paper faxes); it covers electronic PHI only.


The HIPAA Breach Notification Rule requires any Covered Entity that discovers a breach of unsecured PHI to notify the affected individuals and HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, the media.


Business Associates are persons or organizations outside a Covered Entity's own workforce that provide services to the Covered Entity involving the use or disclosure of PHI. Vendors, consultants, and in most cases attorneys can all fall under this classification.

In 2009 Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act of 2009 (ARRA), widely referred to as the stimulus bill. HITECH amended certain provisions of the Privacy and Security Rules, raised the civil penalties for violating either, and made clear that criminal penalties can reach individual employees of a Covered Entity who wrongfully disclose PHI. The most significant amendment was that Business Associates became directly liable for complying with the HIPAA Security Rule, and the Covered Entity and Business Associate must set these obligations out in a written contract, now widely referred to as a Business Associate Agreement.

The Privacy, Security, and Breach Notification Rules apply exclusively to Covered Entities and Business Associates. It is therefore necessary to examine whether your dispensary or cannabis retail operation can be considered a Covered Entity or Business Associate under HIPAA. Under HIPAA, a Covered Entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that electronically transmits any information in connection with a transaction for which HHS has adopted standards.


It is worth examining whether your dispensary can be classified as a Covered Entity. If your dispensary or retail operation is located in a state that has legalized medical cannabis, there is a strong argument that you can be classified as a health care provider. The classification of cannabis dispensaries as essential services in many states during the pandemic is evidence to support this theory. Most states that have legalized medical cannabis require a patient to obtain a state-issued identification card on the certification of a physician registered with the state's health department that the patient requires treatment for one of the specific ailments listed in the state's law, so your establishment may have to confirm eligibility with a physician or the state's health department electronically. That eligibility verification may itself be classified as a HIPAA transaction, especially if it is done via e-mail, e-fax, or any other electronic means. Even if your dispensary or retail operation is in a state that allows recreational, or adult use, I recommend having your consumers sign a waiver or disclaimer saying that they are not purchasing your product for medicinal

There is no private right of action for non-compliance with HIPAA. This means that an individual patient cannot sue your dispensary for a HIPAA violation. However, the Office for Civil Rights (OCR), a division of HHS, has every right to issue fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million for violations of the same provision (both figures are adjusted for inflation). OCR sets the fine amount by the level of culpability, from a violation the entity did not know about up to willful neglect. A maximum fine can easily put your dispensary out of business.

Don't worry, there are some protective measures you can take to mitigate the risk. Among them are the following:

  • Perform periodic (annually, if not quarterly) risk assessments of your network and systems to detect any threats or vulnerabilities to the PHI they hold.
  • Assign a single point of contact and accountability for privacy matters.
  • Execute business associate agreements with all vendors, attorneys, accountants and consultants that may need access to PHI to provide a particular service to your dispensary.
  • Create privacy and security policies for your retail operation and include them in your Standard Operating Procedures ("SOPs").
  • Create an incident management plan and a disaster recovery plan so you can respond to a data breach.
  • Encrypt PHI both at rest (patient records) and in transit (e-mail, e-fax, or any other electronic channel used to verify eligibility).
  • Implement mandatory training on your policies for all employees.

I know you're probably thinking, all I wanted to do is sell weed; I didn't sign up for this crap. However, it's always better to be safe than sorry. I have not personally heard of any actions by HHS against cannabis retail operators for HIPAA violations, but I think it's a matter of time before they start acting within their apparent authority to do so, given the federal government's aggressive attitude towards cannabis since the Nixon administration's well documented inclusion of the plant as a Schedule I drug in the Controlled Substances Act made cannabis federally illegal and declared it among the most dangerous drugs in the country, equating it to heroin in that regard.

By Patrick Marc, Founder and CEO of High Grade Solutions LLC