
HIPAA and Cannabis


Cannabis crosses over into many regulatory environments, and since the majority of cannabis markets exist because of its medical benefits, it also crosses over into the medical regulatory environment. In particular, medical cannabis operations that handle patient records are subject to HIPAA, which makes clear how seriously medical data security must be taken.

How does this relate to the cannabis industry?

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, establishes regulations on the privacy of health information, the security of protected health information (PHI) and the electronic systems that hold it, and the standards and penalties that govern confidentiality in the medical field.

Dispensaries and retail stores that sell to patients and store patient information, whether for business efficiency or for state regulatory uploads, must understand the weight HIPAA carries. The US Department of Health and Human Services (HHS) develops the regulations that protect patients, their privacy, and their security. Being HIPAA compliant means complying with three main sets of rules: the Privacy Rule, the Security Rule, and the electronic data interchange (EDI) transaction standards.

The Privacy Rule governs the protection of an individual's health information: who may use or disclose it, and for what purposes. Applying the Privacy Rule to your business can take many forms, but the end goal is always to protect the information.

Going hand in hand with privacy, the Security Rule governs the confidentiality, integrity, and availability of electronic PHI, covering how it is stored and who can access it. Meeting this requirement could mean using software whose vendor has passed a SOC 2 audit to manage your business data, creating controls that prevent unauthorized access (and record who accessed what), or running the data on hardened servers.
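The access controls and audit trail this paragraph refers to, shown as an added illustration that is not part of the original post or of any particular dispensary software: a minimal Python store that enforces role-based, minimum-necessary access to PHI fields and keeps an HMAC-chained audit log so that edited or deleted entries are detectable. The roles, field names, patient record and audit key are all constructed for the example; in a real deployment the key would come from a secrets store and the records from the system of record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary mapping: which PHI fields each staff role may read.
# Roles and fields are hypothetical, constructed for this example.
ROLE_FIELDS = {
    "budtender": {"patient_id", "card_expiry"},
    "pharmacist": {"patient_id", "card_expiry", "conditions"},
    "compliance": {"patient_id", "card_expiry", "state_id"},
}

# Sample patient record, constructed for this example (not real data).
SAMPLE_RECORDS = {
    "P-1001": {
        "patient_id": "P-1001",
        "card_expiry": "2026-01-31",
        "conditions": "chronic pain",
        "state_id": "XX-000-111",
    },
}


class AccessDenied(PermissionError):
    """Raised when a role requests PHI fields it is not permitted to see."""


@dataclass
class PHIStore:
    audit_key: bytes  # secret for the audit-log HMAC chain
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, patient_id, fields, outcome):
        """Append a tamper-evident audit entry; each MAC also covers the previous MAC."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "fields": sorted(fields), "outcome": outcome,
        }
        prev = self.audit_log[-1]["mac"] if self.audit_log else ""
        body = json.dumps(entry, sort_keys=True)
        mac = hmac.new(self.audit_key, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.audit_log.append({"entry": entry, "mac": mac})

    def read(self, user, role, patient_id, fields):
        """Return only the requested fields, and only if the role may see all of them."""
        requested = set(fields)
        allowed = ROLE_FIELDS.get(role, set())
        if not requested <= allowed or patient_id not in self.records:
            self._log(user, role, patient_id, requested, "denied")
            raise AccessDenied(
                f"access denied for role {role!r}: fields={sorted(requested)} patient={patient_id}"
            )
        self._log(user, role, patient_id, requested, "granted")
        record = self.records[patient_id]
        return {f: record[f] for f in requested}

    def verify_audit_chain(self):
        """Recompute every MAC; an edited, removed, or reordered entry breaks the chain."""
        prev = ""
        for item in self.audit_log:
            body = json.dumps(item["entry"], sort_keys=True)
            expected = hmac.new(self.audit_key, (prev + body).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, item["mac"]):
                return False
            prev = item["mac"]
        return True


def make_store():
    """Build a store over the constructed sample data with a fixed demo key (never do this in production)."""
    return PHIStore(audit_key=b"demo-audit-key-replace-in-production", records=dict(SAMPLE_RECORDS))


if __name__ == "__main__":
    store = make_store()
    print(store.read("alice", "budtender", "P-1001", ["patient_id", "card_expiry"]))
    try:
        store.read("alice", "budtender", "P-1001", ["conditions"])
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", store.verify_audit_chain())
```

Two design points carry over to any real system: the denial is logged before the exception is raised, so failed attempts leave a trace, and the audit log is verified with the same key that wrote it, so that key must be held by the auditor rather than by the staff whose actions it records.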

Finally, electronic data interchange (EDI) covers data exchanged between providers and payers, and more generally the transmission of data. Another relevant transfer is the data that flows from dispensaries to the state for tracking and statistics. Technology is both your enemy and your friend: make sure the system you use protects data in transit, resists cyber attacks, and lets you confirm that its controls are actually working.

Anytime you come into contact with patient information, or it is easy for others in your business to access it, you are subject to these security regulations.


There are some simple suggestions for coping with such an immense regulatory environment: don't discuss patient information; avoid leaving records accessible to others (unattended POS screens or back-office files); and refrain from printing or storing anything outside the secure system wherever possible.

The best recommendation is to find a system that has passed a SOC 2 audit or an equivalent independent review, so that the security of the information your business encounters has been checked by someone other than the vendor. Always err on the side of caution and take a conservative approach to business processes and controls.

Always consult professionals about the potential consequences of a patient health information privacy breach, and plan ahead for worst-case scenarios.






HHS Office of the Secretary, Office for Civil Rights. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved September 26, 2019, from
