Illinois Medical Cannabis Businesses Must Be HIPAA Compliant

Foley Hoag LLP - Cannabis and the Law

Foley Hoag LLP - Cannabis and the Law

In recently published guidance, Illinois’ main cannabis regulator – the Illinois Department of Financial and Professional Regulation – announced that medical and co-located dispensaries in Illinois must protect patient information in accordance with the stringent privacy and security rules set out in the federal HIPAA statute and attendant regulations.  In particular, medical and co-located dispensaries will be required to undertake a complete HIPAA security risk assessment by December 1, 2021.

HIPAA requires, among other things, that covered medical providers complete initial and then recurring assessments of risks to their IT infrastructure, and undertake certain physical, administrative, and technical safeguards to safeguard patient information.  HIPAA regulations are not one-size-fits-all, but rather call upon providers to take account of their own situations and the information that they hold.  This involves understanding the requirements as laid out in the HIPAA regulations and then matching up those requirements with internal IT practices and policies, as well as initiatives such as employee training and disclosures to patients.

Illinois is not alone in requiring medical cannabis providers to undertake steps to protect patient information.  Massachusetts, for example, requires that dispensaries train employees on patient privacy and confidentiality, and have records systems that are likewise configured to protect patient privacy.  And indeed many cannabis operators look to HIPAA as a gold standard in protecting health information and voluntarily comply with certain of its provisions.  Illinois’ guidance, however, is more explicit than are many state cannabis regulations in requiring HIPAA compliance in a certain way and by a certain date

In preparing for HIPAA compliance, it is important for cannabis businesses to consult with professionals who understand HIPAA.  Foley Hoag’s healthcare practice has deep experience in counseling clients on compliance with HIPAA and other data privacy issues, including HIPAA risk assessments, and also includes attorneys who are well-acquainted with the cannabis industry and the needs of cannabis clients.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Cannabis and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Cannabis and the Law

Foley Hoag LLP - Cannabis and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.