HIPPA AND CANNABIS

CROWD POW WOW PROUD WANTS EMPLOYERS TO FEEL COMFORTABLE WITH THE CANNABIS
PROGRAM.

WE INVITE YOUR EMPLOYER TO A SIT DOWN ABOUT THE CANNABIS PROGRAM.

WE WILL PROVIDE EDUCATED INFORMATION AS WELL AS THE POSITIVE AFFECT CANNABIS IS HAVING IN
OUR COMMUNITIES.

TO SET UP A VISIT PLEASE EMAIL US

POWWOWPROUD@GMAIL.COM FOR SCHEDULING

SABRINA SMITH PRESIDENT AND CEO

(570) 852-9068

DR. DAVID GORDON MD

(570) 763-8282

184 JACKSON ST EDWARDSVILLE PA 18704

HIPAA & MEDICAL CANNABIS

by Sue De Gregorio-Rosen | Apr 21, 2019 | Law & Policy

Many nurses have been asking about how medical cannabis is playing into the protected fields of HIPAA
(Health Insurance Portability and Accountability Act of 1996) which is United States legislation that
provides data privacy and security provisions for safeguarding medical information. Here’s an article
that will assist you in your profession to ensure your state medical marijuana/recreational programs and
dispensaries are in alignment with protecting patient’s medical information.

How HIPAA Applies to Medical Cannabis Patients & Nurses

Because of its reputation, the medical cannabis industry is diligent about keeping within the confines of
federal law and in so doing, relies heavily on these patient verification systems. These systems usually
contain protected health information (PHI) such as medical record numbers, patient contact information
(including addresses), diagnosis codes, and other personal information used for verification (such as
driver’s license numbers).

At a glance, a few factors will give away if a business is serious about their compliance. For one, their
website will have a Secure Socket Layer (SSL) certificate. This means that your address bar will show a
lock and/or be green to indicate that website traffic is encrypted. In addition, the provider will need to
host their data in a HIPAA Compliant data center. Having the data on-site or in a typical server location is
a flagrant violation of HIPAA. If you are concerned, you should be aware that violating HIPAA security
regulations is a serious crime and often includes fines for the violator. Understand the differences
between standard web hosting vs. HIPAA compliant hosting to ensure that you have the correct type of
provider.

Medical Dispensaries fall under the auspices of HIPAA and are required to keep confidential all of the
PHI that is collected during a customer transaction. The information that is given to qualify for a medical
marijuana card in the first place is also covered under HIPAA and can’t be released without the patient’s
written consent or a court subpoena. To do so, even accidentally, would be a violation of HIPAA and
most likely would result in a fine. However, if a credit card is used when purchasing marijuana from a
dispensary, completely restricting this transaction information is not possible. It is also worthwhile
noting that Visa and MasterCard have recently stopped allowing medicinal marijuana purchases or have
used high per-transaction rates to make accepting credit cards not feasible.

When it comes to HIPAA compliance, the rules for medicinal marijuana are strikingly similar to the rules
for any other medical substance or service. Patient information is protected under HIPAA regulations in
terms of both data storage and employee inquiries. Businesses and their associates that handle PHI are
compelled to abide by these regulations and are subject to fines and legal action, even if the PHI data
pertains to medicinal marijuana. Learn more about HIPAA web hosting requirements.

Medical Marijuana: A Primer on Ethics, Evidence, and Politics Nayna Philipsen, JD, RN, Robin D. Butler,
MBA, RA, Christie Simon-Waterman, MSN, FNP-C, and Jylla Artis, MSN, FNP-C

ABSTRACT
Controversy in the United States about the decriminalization of cannabis to allow health care providers
to recommend it for therapeutic use (medical marijuana) has been based on varying policies and beliefs
about cannabis rather than on scientific evidence. Issues include the duty to provide care, conflicting
reports of the therapeutic advantages and risks of cannabis, inconsistent laws, and even the struggle to
remove barriers to the scope of practice for Advanced Practice Registered Nurses. This article reviews
the ethics, evidence, and the politics of this complex debate.

Keywords: advanced practice registered nurse scope of practice, advocacy, barriers to advanced
practice registered nurse practice, cannabis, compassionate care, criminalization, decriminalization,
gateway drugs, marijuana, medical marijuana, palliative care, paternalism, patient autonomy,
therapeutic cannabis, HIPAA.

MEDICAL MARIJUANA AND PRIVACY

Related to patient autonomy is a patient’s right to privacy (i.e. to control his or her own body and his or
her own personal information). The ancient Hippocratic Oath included the statement that “Whatever I
see or hear in the lives of my patients, whether in connection with my professional practice or not, which
ought not to be spoken of outside, I will keep secret, as considering all such things to be private.” When
personal health information is likely to result in social stigma or negative consequences, such as when
psychiatric, drug, or alcohol treatment information is released or when the patient is a celebrity, the
duty to protect patient privacy is heightened. This special circumstance has long been an issue and is
recognized under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL 104- 191;
42 U.S.C. xx1320d et seq.). The use of therapeutic cannabis is likely to be in this category, as long as its
use remains illegal or continues to be viewed negatively by society. Even if medical use is a defense,
association with a drug that many consider illicit could impact a person’s ability to be employed or
create other social handicaps.

Therefore, caregivers, including APRNs, need to be prepared to extend these additional protections of
privacy for a patient who is using medical marijuana. Where the possession of therapeutic cannabis is
illegal, patients have an additional concern about criminal penalties and may well be concerned about
the protection of their information from release to organizations and individuals. HIPAA does exempt
certain entities from the confidentiality requirement and grants them access to patient information
without patient consent for the greater good of society. Law enforcement is not generally an exception.
Examples of exceptions include public health reporting requirements and regulators like the US
Department of Health and Human Services, which needs access in order to enforce HIPAA. APRNs can
reassure their patients that most entities are not entitled to the patient’s health records without the
patient’s consent, including the US Drug Enforcement Administration (DEA). HIPAA (the Privacy Rule, at
45 C.F.R. xx160 and 164) specifically limits access to identifiable health information, whether it is
medication listings, discharge, or progress reports, including those cases in which DEA officers request
information to show the patient’s criminal intent. All health entities and caregivers are held accountable
by HIPAA to protect patient privacy and generally are not required to expose the patient’s past or
present medical history, including prescriptions or drug use, to authority outside of that health entity.