Are Medical Marijuana Dispensaries Covered Entities Under HIPAA?

I was talking to a colleague recently and she raised an interesting question – are medical marijuana dispensaries covered entities under the Health Insurance Portability and Accountability Act (HIPAA)?  I represented the Colorado Medical Marijuana Registry while at the AG’s office, so my colleagues usually come to me with medical marijuana questions.

My first follow-up was to ask what personal health information (PHI) the dispensary was holding.  After all, in my experience, most dispensaries function on a strict transaction-by-transaction business model.  A patient-customer comes in, shows his or her medical marijuana registry card and an ID, and makes the purchase in cash.  My colleague reminded me that some dispensaries have opted to go with a “wellness center” approach and offer health care services in addition to medical marijuana, and these expanded service providers sometimes will retain patient records that might fall under the PHI umbrella.

So with that resolved, I started digging a little into the underlying question.  This is actually a difficult question.  Based on second-hand reports, it appears that the Department of Health and Human Services (HHS) takes the position that because a physician “prescription” is required, a dispensary is providing health care services under the HIPAA analysis.  (Note:  This is technically inaccurate, at least in Colorado.  A physician must certify that the patient in question suffers from a chronic or debilitating disease or medical condition, but the applicable statutes and regulations avoid using the term “prescription.”)

But that isn’t the end of the inquiry.  Not all providers are covered entities under HIPAA.  In fact, as this helpful chart from the Centers for Medicare and Medicaid Services (CMS) demonstrates, the provider in question must transmit “covered transactions” electronically.  A CMS regulation, in turn, defines covered transactions to be “[a] request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care,” or “if there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.”

Insurance companies don’t pay for medical marijuana, so the first of those doesn’t apply.  With respect to the second type of covered transaction, another CMS regulation specifies what will and what won’t be encompassed by the definition.  There are a dozen different examples, but it should suffice to say that all of them involve the electronic transmission of health or claims information.  And remember what I said above?  In my experience, medical marijuana dispensaries aren’t in the business of receiving or sending any health information, electronic or otherwise.  They run a storefront and fill requests for medical marijuana on a cash-only basis.  In that paradigm, because no health or claim information is transmitted electronically, the dispensary wouldn’t be a HIPAA-covered entity.

That said, if a “wellness center”-model dispensary stores patient health information and transmits it for some reason, then it’s possible that the dispensary might be a covered entity.  As noted above, HHS certainly thinks so.  But I would guess that such centers are few and far between – and it certainly would behoove individuals considering operating that model of dispensary to think about the ramifications of their decision.