Keep It Secret, Keep It Safe: What Medical Dispensaries Need to Know about HIPAA

If you own or operate a dispensary that serves the medical cannabis community, you’re familiar with the Health Insurance Portability and Accountability Act of 1996, better known as “HIPAA”. A sweeping and ground-breaking law when it was first enacted, it provides the first national standards for protecting Americans’ medical privacy. When you go into a doctor’s office and specify whether or not your care provider can share your personal information, that’s because of HIPAA.


But if you’re just entering the medical cannabis realm, the specific tenets of the law might seem confusing. Today, we’re going to break this complex piece of legislation down into easily digestible nuggets of information. By the end, you should know exactly what’s needed in terms of your data privacy and documentation so that you’re always in compliance with the law.

What Medical Dispensaries Need to Know about HIPAA: The Backstory

When HIPAA was enacted, the internet was still relatively new. But it was clear to lawmakers that with the possibility of instantaneous sharing of medical files and other personal information, some protections were going to need to be enacted. As such, HIPAA can be defined as a system that:

  • Ensures the confidentiality, integrity, and availability of all electronic protected health information (PHI)
  • Detects and safeguards against anticipated threats to information security
  • Protects against anticipated impermissible uses or disclosures
  • Certifies compliance by healthcare providers and any associated staff

The way PHI is defined by HIPAA is fairly broad: Any health data that is created, shared, received or stored by any healthcare entity or associated business.

Some medical dispensaries have operated under the mistaken assumption that because cannabis remains illegal under federal law, they aren’t bound by HIPAA. This isn’t true; because medical dispensaries by definition are providing healthcare, all patient information needs to be kept in compliance with HIPAA. Failure to do so can invite some fairly hefty fines from the Department of Health and Human Services.

The good news is that HIPAA compliance isn’t particularly complex or onerous. In fact, many of the steps needed—like protecting your customers’ data—are things you should be doing as a matter of course. Let’s walk through the necessary procedures and precautions.

What Medical Dispensaries Need to Know about HIPAA: Basic Protocols

Like any federal law, the actual text of HIPAA is long and written in legislative-speak, which for many of us is difficult to decipher. But in daily use, a number of key points come up in regards to medical cannabis dispensaries, including:

  • HIPAA Notice: Any dispensary that handles PHI must post a HIPAA notice that provides a clear, user-friendly explanation of customers’ rights regarding their personal health information and the privacy practices of the dispensary. This should take the form of a physical sign in the dispensary, but also be shared via any other communication channels—like email or SMS—the customer opts in to.
  • Does this mean every single text message includes a HIPAA disclaimer? No. But if you handle any PHI, make sure your customers can see the notice the first time they opt in.
  • Checking Your Check-In Security: Make sure the computer terminal you use to check in patients, verify their medical prescription or recommendation, and catalog their purchases is secure. You should be running premium antivirus software on this (and all) computers, and run regular checks on your network to mitigate the chance of a data breach.
  • Institute HIPAA Training: Any member of your staff who has access to customers’ PHI needs to be trained in basic HIPAA protocols. Again, this shouldn’t be overly difficult; teach staff to maintain best practices such as closing out of browser windows immediately after customer interactions are complete so that no one encounters customer data they shouldn’t have access to.
  • Can you mention medical conditions in your blogs and newsletters? Absolutely! You can even highlight patient stories (a great way to create compelling content!). Just don’t share any information that personally identifies customers unless they have given you permission to do so. And even then, using an alias is a good idea.
  • Segmentation Security: We talk a lot about segmenting your customer data so that you can better target and refine your marketing outreach. But while your local state database may give you information regarding a specific patient’s medical condition or symptoms, you shouldn’t use this as a criterion for segmentation. For one thing, it creates another avenue for data to leak out; for another, it probably runs afoul of HIPAA statutes, which dictate that in most cases, patients supply written authorization for their information to be used in any marketing capacity.

Instead, we suggest that you ask patients to self-identify why they’re interested in using cannabis—for instance for anxiety, nausea, sleep, or pain relief—and segment them that way. That way, you’re not potentially disclosing any medical information through your segmentation efforts.

As you see, day-to-day HIPAA compliance isn’t particularly challenging. But when you’re first setting up your POS, CRM, and other data platforms, it’s important that you find solutions that are fully compliant with HIPAA and other data privacy laws.