Illinois Medical Cannabis Businesses Must Be HIPAA Compliant

In recently published guidance, Illinois’ main cannabis regulator – the Illinois Department of Financial and Professional Regulation – announced that medical and co-located dispensaries in Illinois must protect patient information in accordance with the stringent privacy and security rules set out in the federal HIPAA statute and attendant regulations.  In particular, medical and co-located dispensaries will be required to undertake a complete HIPAA security risk assessment by December 1, 2021.

HIPAA requires, among other things, that covered medical providers complete initial and then recurring assessments of risks to their IT infrastructure, and implement certain physical, administrative, and technical safeguards to protect patient information.  HIPAA regulations are not one-size-fits-all, but rather call upon providers to take account of their own situations and the information that they hold.  This involves understanding the requirements as laid out in the HIPAA regulations and then matching up those requirements with internal IT practices and policies, as well as initiatives such as employee training and disclosures to patients.

Illinois is not alone in requiring medical cannabis providers to undertake steps to protect patient information.  Massachusetts, for example, requires that dispensaries train employees on patient privacy and confidentiality, and have records systems that are likewise configured to protect patient privacy.  And indeed many cannabis operators look to HIPAA as a gold standard in protecting health information and voluntarily comply with certain of its provisions.  Illinois’ guidance, however, is more explicit than are many state cannabis regulations in requiring HIPAA compliance in a certain way and by a certain date.

In preparing for HIPAA compliance, it is important for cannabis businesses to consult with professionals who understand HIPAA.  Foley Hoag’s healthcare practice has deep experience in counseling clients on compliance with HIPAA and other data privacy issues, including HIPAA risk assessments, and also includes attorneys who are well-acquainted with the cannabis industry and the needs of cannabis clients.  If you are interested in additional guidance, please reach out to Jeremy Meisinger and Colin Zick.
