Legalized medical cannabis, check. Patient verification system, check. HIPAA compliance...check?
The importance of HIPAA compliance in traditional healthcare settings is nothing new, but where does HIPAA fit into alternative medicine? With natural and holistic health practices like cannabis use seeing more interest from patients than ever before, companies and doctors endorsing them must learn how to navigate patient privacy concerns—often while simultaneously battling endless red tape. For cannatech company Veriheal, a rapidly growing platform that facilitates medical cannabis consultations and education, leaving the intricacies of data security to VanRein Compliance makes a normally troublesome process a seamless one.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted by Congress due to the creation of the internet and associated risks that came with electronically storing medical patient records. Enforced by the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR), HIPAA compliance includes a long list of preventative measures meant to keep sensitive medical data out of the wrong hands. With today’s healthcare taking innovative forms, more and more entities are finding themselves in a position that requires some kind of adherence to HIPAA expectations.
As a heavily regulated industry with lots of moving parts, the emerging field of medical cannabis is rife with gray areas that can seem daunting to address. Some hold the misconception that professionals in the field can simply brush federal HIPAA requirements to the side since medical marijuana is not federally legal; however, any entity that handles protected health information (PHI) must comply with HIPAA. According to a study published in the medical journal Medical Cannabis and Cannabinoids in June 2021, there were an estimated 3.6 million medical marijuana patients in the U.S. in the summer of 2020—that’s 3.6 million patients’ worth of PHI to handle and secure.
Since 2018, Veriheal has partnered with VanRein Compliance to protect the data of hundreds of thousands of patients who use its platform. Though not a medical clinic, Veriheal is considered a business associate under HIPAA guidelines due to the company’s provision of resources and tools to doctors and patients—one of which is cloud storage for medical records. To ensure Veriheal remains HIPAA-compliant, VanRein performs the required HIPAA risk assessments, provides automated training for all staff, and creates and maintains all associated policies and procedures.
Additionally, Veriheal’s patients and doctors live across many states, each of which has its own system governing access to and distribution of medical cannabis. To maneuver between the various federal and state restrictions, cannabis businesses like Veriheal often opt to use virtual patient verification systems. Some states also require medical dispensaries to retain PHI in order to serve patients. With the VanRein Partnership, Veriheal is able to maintain accordance with each state’s laws regarding patient privacy as well as navigate the ever-changing regulations and changes that could impact the business.
Today’s medical patients don’t just want good healthcare; they want secure, confidential healthcare. And although the stigma surrounding cannabis is waning as a result of increasing research and scholarship on the plant, it continues to be crucial to protect medical cannabis patients not only from criminal activity but also from negative societal attention. HIPAA compliance can get complex, but it’s essential for the protection of all patients—no matter their preferred medicine.