November 16, 2021

Illinois Medical Cannabis Businesses Must Be HIPAA Compliant

+ Follow Contact

Send

Embed

Foley Hoag LLP - Cannabis and the Law

In recently published guidance, Illinois’ main cannabis regulator – the Illinois Department of Financial and Professional Regulation – announced that medical and co-located dispensaries in Illinois must protect patient information in accordance with the stringent privacy and security rules set out in the federal HIPAA statute and attendant regulations. In particular, medical and co-located dispensaries will be required to undertake a complete HIPAA security risk assessment by December 1, 2021.

HIPAA requires, among other things, that covered medical providers complete initial and then recurring assessments of risks to their IT infrastructure, and undertake certain physical, administrative, and technical safeguards to safeguard patient information. HIPAA regulations are not one-size-fits-all, but rather call upon providers to take account of their own situations and the information that they hold. This involves understanding the requirements as laid out in the HIPAA regulations and then matching up those requirements with internal IT practices and policies, as well as initiatives such as employee training and disclosures to patients.

Illinois is not alone in requiring medical cannabis providers to undertake steps to protect patient information. Massachusetts, for example, requires that dispensaries train employees on patient privacy and confidentiality, and have records systems that are likewise configured to protect patient privacy. And indeed many cannabis operators look to HIPAA as a gold standard in protecting health information and voluntarily comply with certain of its provisions. Illinois’ guidance, however, is more explicit than are many state cannabis regulations in requiring HIPAA compliance in a certain way and by a certain date

In preparing for HIPAA compliance, it is important for cannabis businesses to consult with professionals who understand HIPAA. Foley Hoag’s healthcare practice has deep experience in counseling clients on compliance with HIPAA and other data privacy issues, including HIPAA risk assessments, and also includes attorneys who are well-acquainted with the cannabis industry and the needs of cannabis clients.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Foley Hoag LLP - Cannabis and the Law

Contact + Follow

Jeremy Meisinger

+ Follow

less

Published In:

Cannabis Products

+ Follow

Cannabis-Related Businesses (CRBs)

+ Follow

Confidential Information

+ Follow

Health Care Providers

+ Follow

Health Insurance Portability and Accountability Act (HIPAA)

+ Follow

Healthcare

+ Follow

Marijuana Related Businesses

+ Follow

Medical Marijuana

+ Follow

Patient Privacy Rights

+ Follow

Personal Information

+ Follow

State and Local Government

+ Follow

Privacy

+ Follow

less

Foley Hoag LLP - Cannabis and the Law on:

Illinois Medical Cannabis Businesses Must Be HIPAA Compliant

Related Posts

Latest Posts

Written by:

Published In:

Foley Hoag LLP - Cannabis and the Law on:

"My best business intelligence, in one easy email…"