Wednesday, July 26, 2017

Health Insurance Portability and Accountability Act of 1996, Privacy and Medical Cannabis Dispensaries

Is your medical cannabis dispensary covered by HIPAA? Cannabis News Journal conducted a phone interview with U.S. Department of Health & Human Services on Tuesday, July 25th 2017 to find out.

HIPAA, Health Insurance Portability and Accountability Act of 1996, is United States legislation that provides data privacy and security provisions for safeguarding medical information. The Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain healthcare transactions electronically. Since HIPAA was enacted, the U.S. Department of Health and Human Services has issued regulations describing in detail what a “covered entity” must do to protect PHI.

There are several important definitions to understand in order to determine whether your medical cannabis dispensary is subject to HIPAA. HIPAA regulations define a covered entity to include a “health care provider who transmits any health information in electronic form in connection with a covered transaction.”
A Covered Entity is considered one of the following according to the HHS:
A Healthcare Provider includes providers such as: Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, and Pharmacies...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A Healthcare Plan includes: Health insurance companies, HMOs, Company health plans, Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

A Health Care Clearinghouse includes entities, like cannabis staffing agencies in medical cannabis states, that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

A “health care provider” is any person or organization that furnishes or is paid for “care, services, or supplies related to the health of an individual.” Therefore, since medical cannabis dispensaries provide medical cannabis for the treatment of debilitating health conditions, they are certainly “health care providers” as that term is defined according to HIPAA.

As health care providers, medical cannabis dispensaries are subject to HIPAA if they transmit any health information in electronic form in connection with a covered transaction. HIPAA regulations define “health information” as any information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” Based on that definition, most all medical cannabis dispensaries have HIPAA health information. In fact, depending on the medical cannabis regulations in each state, dispensaries may be required to maintain health information data and provide that information to state regulators. And when most patients go into a medical cannabis dispensary, one of the first questions staff often ask is about the individual's health condition, what it is, or which provider they use.

Even if they meet the previous definitions, the HHS official pointed out that, medical cannabis dispensaries are typically not subject to HIPAA unless they electronically transmit health information in connection with “covered transactions” specified in the HIPAA regulations.

Under those regulations, “covered transactions” include: requests to obtain payment from a health insurance plan and the exchange of information in connection with such a request; inquiries to a health insurance plan to determine whether an individual is eligible for coverage under that plan and to determine benefits associated with that plan, as well as the health plan’s response to such inquiries; requests to obtain authorization to refer a person to another health care provider; the electronic transmission of payment for health care services from a health insurance plan to a health care provider or the provider’s financial institution, as well as the transmission of  information concerning that payment.

The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.

At this time, most insurers do not cover medical cannabis, so dispensaries are not likely to be electronically transmitting health information in connection with transactions that would subject them to HIPAA. However, if a dispensary does send or receive information electronically in connection to receiving payment from a health insurer, or to determine the eligibility of a patient for health insurance, seed to sale software use like BioTrack THC, the use of the Baker text service & platform for dispensaries or with a State Department of Health, it is likely to be covered by HIPAA.

Dispensaries covered by HIPAA may not disclose Personal Health Information unless that disclosure is either authorized by the patient or authorized by HIPAA regulations. The regulations authorize limited use of such information in connection with providing treatment and obtaining payment for services. In addition, HIPAA Security Standards require businesses covered by HIPAA to develop and implement stringent safeguards for PHI.

HIPAA’s privacy requirements are enforced by the Department of Health and Human Services Office of Civil Rights, which has the power to impose penalties for violations of HIPAA’s privacy protections. Those penalties can range from $100 to $50,000 per violation.

Even if you’re a medical cannabis dispensary owner and your dispensary is not currently covered by HIPAA, you may want to consider bringing it into compliance for several reasons. First, as the industry matures and insurers begin covering medical cannabis, you’ll have to engage in HIPAA-covered transactions with your patients’ insurers, so it makes sense to prepare for that now. Second, your patients care about the privacy of their records and expect your dispensary to maintain the privacy of those records. Finally, the medical cannabis industry benefits when businesses demonstrate that they “play by the rules,” and complying with HIPAA is one way to do that.

“Play by the rules” concept has been a challenge for way too new businesses providing services in the New Mexico Medical Cannabis Program and all theses businesses are doing is side skirting rules for profits all the while - making the entire program look bad by disrespecting the spirit of the Lynn & Erin Compassionate Use Act, 2007.