Do medical marijuana companies need to comply with HIPAA?




(This is a contributed guest column. To be considered as an MJBizDaily guest columnist, please submit your request here.)


It’s no secret that the federal government’s original decision to make marijuana a Schedule 1 controlled substance was motivated by politics instead of science.

While it has taken more than 50 years, the federal government is now on the cusp of rescheduling marijuana to Schedule 3 in acknowledgement of the cannabis plant’s numerous health benefits.

Rescheduling marijuana to Schedule 3, which acknowledges the medical benefits of cannabis, starts to reconnect federal marijuana policy with science.

But while this proposed shift represents progress on federal policy, it also raises new questions at the intersection of health care, data privacy and cybersecurity.

HIPAA and cannabis

The intersection between cannabis retailers and federal laws restricting the release of medical information, such as HIPAA, is complicated.


Put most simply, whether a medical marijuana dispensary is a “covered entity” and subject to the Health Insurance Portability and Accountability Act of 1996 depends on whether the dispensary:

  • Is a “health care provider.”
  • Submits electronic claims to third-party payers.

Arguably, an MMJ dispensary – not a recreational marijuana store – is a health care provider under HIPAA, which defines health care (in part) as “care, services or supplies related to the health of an individual.”

However, unless that dispensary also submits electronic claims for reimbursement, it is not a covered entity subject to HIPAA.

Medical marijuana claims?

Typically, third-party payers, such as medical insurance companies, cover only “medically necessary” goods and services prescribed by a physician.


While medical marijuana programs vary, most establish certain qualifying conditions that render patients eligible to possess and consume MMJ with a physician’s recommendation.

With two exceptions, marijuana is not approved by the U.S. Food and Drug Administration for medical use – meaning physicians cannot prescribe it for their patients.

Without FDA approval or a change in the laws governing health care delivery and reimbursement, dispensaries will remain unable to submit electronic claims.

On the positive side, this means dispensaries will continue to fall outside the definition of a covered entity, meaning they will not need to comply with HIPAA.

Reclassification to Schedule 3 does not change this reality.

Protecting privacy

While cannabis operators likely are not subject to HIPAA, that law is only half of the issue.

Seventeen U.S. states now have privacy laws that apply to the collection, use and disclosure of personal information.

These privacy laws impose strict requirements on privacy notices, data minimization (i.e., collecting only the data you need and keeping it only as long as you need it), vendor management and baseline cybersecurity safeguards.

Cannabis companies collect a lot of data from their customers, whether mandated by state regulations or as part of customer loyalty programs.

And much of this data is sensitive: names, government IDs, payment-card information, photos, birthdates, addresses, phone numbers and signatures all are collected and maintained for years.

Reclassifying marijuana as Schedule 3 won’t relieve state-mandated recordkeeping and reporting requirements, and increased research into the medical benefits of marijuana also increases the risk that regulators will view the personal information collected by cannabis companies as health information.
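The data-minimization and retention obligations described above are usually enforced with a scheduled job over the customer database. The following is an added example, not code from the column or from any dispensary or seed-to-sale vendor; the field names, the three-year regulatory window, the one-year loyalty-data window and the sample records are all hypothetical, and the salted hash of the government ID stands in for whatever a state regulator actually requires you to retain.

```python
"""Added example (not from the original column): enforce a simple data-minimization
and retention policy over dispensary customer records.

Assumptions (hypothetical): a state recordkeeping rule requires keeping the fields
in REQUIRED_FIELDS for 3 years after the last purchase; loyalty-program fields in
OPTIONAL_FIELDS have no mandate and are dropped after 1 year of inactivity.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Fields the (hypothetical) state recordkeeping rule requires us to retain.
REQUIRED_FIELDS = {"customer_id", "name", "government_id_hash", "last_purchase"}
# Loyalty/marketing fields collected by choice, not by mandate.
OPTIONAL_FIELDS = {"photo", "phone", "birthdate", "address", "signature", "card_last4"}


@dataclass(frozen=True)
class RetentionPolicy:
    regulatory_years: int = 3   # keep required fields this long after last purchase
    optional_days: int = 365    # drop optional fields after this much inactivity


def hash_government_id(raw_id: str, salt: bytes) -> str:
    """Store a salted hash instead of the raw ID number: enough to match a record
    to a person on regulator request without keeping the plaintext on disk."""
    return hashlib.sha256(salt + raw_id.encode()).hexdigest()


def minimize_record(rec: dict, today: date, policy: RetentionPolicy) -> dict | None:
    """Return a minimized copy of `rec`, or None if it should be deleted entirely."""
    age = today - date.fromisoformat(rec["last_purchase"])
    if age > timedelta(days=365 * policy.regulatory_years):
        return None  # past the regulatory window: delete the whole record
    keep = {k: v for k, v in rec.items() if k in REQUIRED_FIELDS}
    if age <= timedelta(days=policy.optional_days):
        # Still an active customer: loyalty data may stay for now.
        keep.update({k: v for k, v in rec.items() if k in OPTIONAL_FIELDS})
    return keep


def apply_policy(records: list[dict], today: date,
                 policy: RetentionPolicy = RetentionPolicy()) -> list[dict]:
    """Apply the policy to every record; deleted records are simply omitted."""
    out = []
    for rec in records:
        minimized = minimize_record(rec, today, policy)
        if minimized is not None:
            out.append(minimized)
    return out


# Constructed sample data (not real customers). The salt is a placeholder.
SALT = b"example-salt-rotate-me"
SAMPLE = [
    {"customer_id": 1, "name": "A. Patient",
     "government_id_hash": hash_government_id("MI-0001", SALT),
     "last_purchase": "2024-05-01", "phone": "555-0100",
     "birthdate": "1980-01-01", "photo": "blob"},
    {"customer_id": 2, "name": "B. Patient",
     "government_id_hash": hash_government_id("MI-0002", SALT),
     "last_purchase": "2022-09-15", "phone": "555-0101", "address": "1 Main St"},
    {"customer_id": 3, "name": "C. Patient",
     "government_id_hash": hash_government_id("MI-0003", SALT),
     "last_purchase": "2020-03-01", "signature": "blob"},
]


def demo(today_iso: str = "2024-06-01") -> list[dict]:
    """Run the constructed sample through the default policy as of `today_iso`."""
    return apply_policy(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run as of 2024-06-01, the first record is recent and keeps its loyalty fields, the second is past the one-year inactivity window and is stripped back to the required fields, and the third is past the three-year regulatory window and is dropped. The same job is where a vendor-management review should land: if the seed-to-sale or point-of-sale vendor holds a copy of these records, the retention schedule has to be applied there too.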


Health care privacy

The Federal Trade Commission and several states recently identified a regulatory gap between HIPAA and non-HIPAA entities that process health-related information.

In addition to the surge in state-level comprehensive privacy laws, three states have passed broad consumer health data privacy laws that cover non-HIPAA health information, in reaction to the U.S. Supreme Court's 2022 decision on abortion.

Washington state’s My Health My Data Act is particularly concerning because it creates a private cause of action for noncompliance.

Marijuana can be used recreationally or medicinally to treat health conditions, and a consumer’s purchase of certain marijuana products might “identif(y) the consumer’s past, present, or future physical or mental health status” – bringing dispensaries under the purview of Washington state’s My Health My Data Act and its compliance requirements.

The volume of data that cannabis businesses collect also makes them targets for hackers.

Health businesses are frequent targets because of the amount and sensitivity of data as well as the increased motivation of victims to pay ransoms.

Seed-to-sale tracking a risk

Risk is particularly acute for cannabis operators that have mandatory seed-to-sale regulatory tracking requirements and retail point-of-sale software, both of which are often cloud-based.

In 2023, 82% of data breaches involved data stored in the cloud, whether public, private or in multiple environments.

In fact, research by the Michigan-based Ponemon Institute identified cloud compromises as the No. 1 cybersecurity threat for health care.

THSuites, which makes point-of-sale and management software used by dispensaries, suffered a data exposure in 2020 involving roughly 85,000 files containing customers' identifying information, including MMJ patient names, medical ID numbers, cannabis varieties and quantities purchased.

In response to these trends, the FTC has expanded the breach-reporting requirements of its Health Breach Notification Rule, which applies to non-HIPAA health information.

Because so much of this data sits with cloud-based tracking and point-of-sale vendors, third-party-vendor management (contractual security requirements, access reviews and breach-notification terms) is the most direct way to reduce these cybersecurity risks.

As a result, while rescheduling marijuana to Schedule 3 might not trigger HIPAA compliance, data-privacy regulation already has arrived for the cannabis industry.

The anticipated rescheduling likely will foster economic growth for the marijuana industry, but it also brings increased data-privacy risks.

Cannabis businesses would be well served to take their data-privacy compliance seriously and conduct a review of their policies, vendors and insurance coverage to make sure they are prepared for the road ahead.

John Fraser is the Michigan team leader of Dykema’s cannabis practice and an adjunct professor at Cooley Law School, where he teaches a course on Michigan marijuana and the law. He can be reached at jwfraser@dykema.com

Matthew Hays is a member of Dykema’s data privacy and cybersecurity practice, advising clients in matters relating to data-sensitive projects, agreements, services and investigations. He can be reached at mhays@dykema.com.

Gerald Aben is a member of Dykema’s health care practice, guiding clients as they navigate the heavily regulated health care industry and staying abreast of the constantly shifting legal and regulatory landscape in which they do business. He can be reached at gaben@dykema.com.