As of Dec. 1, 2021, cannabis dispensaries and technology vendors operating in the state of Illinois must protect health information with the same stringent security and privacy standards required of medical providers under the federal Health Insurance Portability and Accountability Act (HIPAA).
These regulations, applied by the Illinois Department of Financial and Professional Regulation (IDFPR), include fines of up to $10,000 per violation.
While Illinois is the first state to place these strict data security and privacy rules on dispensaries that provide medical-use cannabis, it is likely not the last.
As the cannabis industry continues to grow and evolve, so does the attention from legislators and regulators.
As more state legislatures and regulatory agencies address concerns surrounding the health information cannabis companies access and retain, we anticipate increased data security and privacy requirements placed on canna-businesses that collect, process, and store client personal information, including health information.
While we wait for further regulations from other states, cannabis dispensaries and vendors located nationwide should begin taking a critical look at their data security and privacy protocols and start working toward compliance with HIPAA standards.
What are the HIPAA requirements included under Illinois’ Compassionate Use of Medical Cannabis Program Act?
HIPAA, a federal statute enacted in 1996, requires covered entities and many of their vendors (called business associates), to protect patient data, such as diagnosis and treatment information, which is known as protected health information (PHI).
HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers that submit standard electronic transactions.
Since cannabis is not currently covered by health insurance, cannabis dispensaries arguably do not fall within the definition of a “covered entity” under HIPAA, because they do not submit requests for payments in the form of standard electronic transactions.
However, under Illinois’ Compassionate Use of Medical Cannabis Program Act (A280), dispensaries that provide medical-use cannabis to patients must implement data security and privacy standards like those required under HIPAA.
IDFPR published specific guidance outlining its interpretation of the Act’s requirement for HIPAA-like privacy and security requirements.
Specifically, dispensaries are required to provide customers with a Notice of Privacy Practices and adopt administrative, technical, and physical controls consistent with HIPAA Security Rule standards with special attention given to conducting regular security risk assessments.
It is worth noting for those new to HIPAA, that a Notice of Privacy Practices is not the same as a website privacy policy or other privacy statements.
Importantly, IDFPR guidance also states that these requirements apply to vendors of cannabis dispensaries that receive patient data from dispensaries.
This would include call centers that handle patient calls from medical licensed cannabis dispensaries, vendors that host patient medical data, and vendors that perform data analysis that requires the use of identifiable medical information.
How does HIPAA define administrative, technical, and physical controls, and what constitutes a risk assessment?
Under HIPAA, administrative controls refer to the processes, policies, and procedures used to protect health information against a breach or unauthorized disclosure.
Technical safeguards refer to technology, including firewalls, encryption, and backups. Physical safeguards, like facility access controls, device and media controls, and workstation use procedures, protect the physical facilities that house an organization’s sensitive patient data.
IDFPR focuses on two HIPAA safeguards in its guidance — security risk analysis and encryption of health information at rest and in transit.
Although HIPAA does not prescribe a timeframe for a security risk analysis, the IDFPR guidance states that medical cannabis providers should conduct a security risk analysis annually.
IDFPR also states that not encrypting computers or networks where data is transmitted or stored and not encrypting emails containing patient data would constitute a violation.
Creating and implementing these types of controls and safeguards requires specific knowledge of data security and privacy best practices, making this a daunting ask for some canna-businesses.
Dispensaries and technology vendors that host health information should meet with counsel to discuss how these new requirements can be efficiently incorporated into existing compliance programs.
Could Illinois signal a trend for other states?
Other states may embrace Illinois’ use of HIPAA guidelines as an easy way to adopt data protections for cannabis data.
From a health consumer perspective, HIPAA has been in place for over two decades and is well understood by businesses in the medical field.
Since many dispensaries distribute cannabis primarily for medical purposes, requiring dispensaries to adopt HIPAA standards is an easy, if not clumsy, manner of protecting this data.
Additionally, current cyber threat trends suggest threat actors target health information, especially in fast-growing industries that have not yet been held to sophisticated data protection standards.
Arguably, the states that lean into the HIPAA framework are preparing the industry for eventual federal requirements under HIPAA, a likely outcome once federal rescheduling occurs.
While enforcement of HIPAA in the cannabis industry at the federal level is on an uncertain timeline, sophisticated operators are already preparing as if it does, as we may soon see some states follow the precedent set by Illinois.
It is best practice to implement data security and privacy controls even if HIPAA does not directly apply to your organization at present.
Preparing your canna-business now will ultimately protect you and your customers from financial and reputational harm and allow the business to have a smooth transition into complying with additional regulatory requirements if HIPAA ever does become directly applicable to cannabis dispensaries.
What can cannabis companies do to prepare?
Here are the key questions cannabis dispensaries and vendors should ask themselves as they evaluate readiness for new requirements:
• Should I draft my Notice of Privacy Practices and train staff on its use?
• Should I hire or appoint additional privacy and security personnel?
• Is my training program appropriate and adequate?
• Should I consider additional administrative, technical, or physical controls to prevent unauthorized access?
• Is my annual risk analysis sufficient?
• Should I change my vendor management protocols?
• Does my incident response plan consider relevant notification requirements?
• How should I document these compliance measures?
• Do my employees know what to do when a patient requests records?
Partnering with sophisticated legal and technical counsel that work on these initiatives can help canna-businesses amend their data protection practices to comply with current and future regulations and safeguard their customers sensitive health information.
This article was originally published in the winter 2021 issue of Cannabis & Tech Today. Read the full issue here for free.
