You already know how important it is to be HIPAA compliant. A lot of businesses, including registered marijuana dispensaries, get confused about the requirements, when it comes to dealing with protected health information. It can get a little fuzzy, if you’re not privy to the big picture.
The Health Insurance Portability & Accountability Act was created in order to set a standard for safeguarding private patient information. Any entity dealing with this kind of protected health information (PHI) is required to ensure all the mandatory processes, network and physical security protocols have been put in place. Prior to these laws, there was no standard for securing PHI. As the medical, healthcare and other covered entities began to technologically advance, there was a movement away from the paper process. More and more businesses began to use electronic data systems to provide clinically based functions, answer eligibility questions and pay claims.
Keep in mind the major goal of the HIPAA compliance law is to protect the privacy of individuals’ PHI, while allowing covered businesses, including registered marijuana dispensaries, to work with new technologies. These technologies often assist and increase the efficiency and quality of the care provided. With the advance of these technologies comes increased risk of exposing PHI. Without the privacy rule, a patient’s information could very likely, without patient consent, end up being passed on to their employer.
This employer then could use the information to make personal decisions in the workplace. Another scenario could be a lender getting their hands on the patient’s health information and then using that to deny the patient’s application for a credit card, auto loan or home mortgage. In order to avoid this, it is imperative covered businesses do all they can to be HIPAA compliant.
A business associate can be any third party working with patient records and/or claims processing: accountants, attorneys, consultants, and registered marijuana dispensaries. If they service healthcare entities and have access to PHI, they are all included under HIPAA’s definition of business associates.
In summary, what you want to focus on is the big picture. Covered entities are required to protect patient health information. You are allowed to disclose PHI only to business associates whose services you use, granted you obtain satisfactory assurances. Therefore, your priority is to ensure your business associates will comply with HIPAA and safeguard the PHI they are transacting with throughout your relationship. Obtaining satisfactory assurances means getting it in writing, according to HIPAA compliance guidelines.