Medical Marijuana Dispensaries: Take Care of Patient Health Information or Pay The Price

leadership team img1

By Michelle Drolet

Founder & CEO

Ms. Drolet is responsible for all aspects of business for Towerwall. She has more than 24 years of,

Read More

Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.
While it is easy to dismiss this if you’re running your business on a strictly cash-only basis, the future could change and possibly require you to do this. Why not prepare now, so that you can avoid possible problems down the road?
Dispensaries use computerized systems to process and verify patient health information (PHI). This can pose certain risks, including security breaches. These systems are subject to the Health Insurance of Portability and Accountability Act of 1996 (also referred to as HIPAA). Under this law, medical marijuana is treated in a similar way as prescription drugs.
Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.

Key Factors that signal you are serious about compliance

The most obvious signal that you are compliant is to have a Secure Socket Layer (SSL) certificate on your website. What is an SSL certificate? Sites with SSL certificates will indicate a lock in the address bar and/or be green to signal that the site’s traffic is securely encrypted. If you don’t already have this and want to see an example, visit some of your competitors’ websites and look for their SLL certificate signals to see this first hand.

Only Use a HIPAA-compliant hosting data center

Pay close attention to this crucial point, as keeping patient data on-site or on a typical server location can land you in a lot of deep trouble. For one thing, it is considered a serious crime and more often than not, violators have to pay hefty fines to the tune of tens of thousands of dollars. You’ll want to fully understand the differences between what is considered HIPAA compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA compliant data center for you. Remember, this is not about shopping for the best company who can work with you for a cheap price. HIPAA compliant hosting companies are more expensive than traditional ones, and for good reason.

HIPAA compliant checklist to use for hosting companies:

1. Signed business associate agreement
This is to cover yourself, as well as to experience peace of mind. You want your host to understand and accept the risks of hosting patient health information.

2. Multiple vulnerability scans of your servers on a monthly basis
Ask for the reports, the  hosting companies will gladly provide them for you.

3. Mitigating discovered vulnerabilities
HIPAA-compliant hosting companies should provide remediation services to fix the vulnerabilities.

4. Server hardening
Request copies for your hosting company’s server hardening steps. This will detail the process of how they apply their measures for security to your servers.

5. Regular off-site backup
Ask if they provide backups and how far away the backups are physically from your hosting company. Ideally, you want them at least 50 miles apart, to factor in the possibility of a local storm or some other unforeseen natural disaster, that could take out both your server and backup.

6. Keep a six year log retention
After you’re finished using a server, hard drives should not be used again, until they have had several passes of clean swipes. This is to be sure that PHI cannot be read again. Inquire as to what kind of process they use to wipe the hard drives clean and how many passes they make.

Medical marijuana dispensaries are by law required to keep confidential all of the patient health information aggregated during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. This, as well as any future patient health information, is covered under HIPAA federal law. It cannot be released to anyone without first obtaining the patient’s written consent or a court ordered subpoena.
Accidents in handling patient information will still result in a HIPAA violation and could result in a fine. This poses a problem, especially when credit cards are used to make medical marijuana purchases from a dispensary. It is not possible to completely restrict the transaction information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In some instances, where the purchases were allowed, high per-transaction fees essentially eliminated any feasibility to accepting credit cards.

Here’s the simple, but crucial, part

The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients’ health information is protected under these laws. This doesn’t just include data storage, but also employees and business associates that handle PHI. It is necessary for you to get a signed business associate agreement from any associates that may be handling sensitive PHI.

This article was originally posted on Cannabis Business Executive >