Hip To Be HIPAA Compliant


The Importance of HIPAA Compliant Technologies in the MMJ Industry

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all required physical, network, and process security measures are in place and followed rigorously. This includes covered entities (CEs), meaning anyone who provides treatment, payment or operations in healthcare, and business associates (BAs), meaning anyone who has access to patient information and provides services involving treatment, payment or operations. Subcontractors, the business associates of business associates, must also be HIPAA compliant.

HIPAA compliance in the MMJ dispensary environment should be robustly managed if breaches are to be minimized. HIPAA compliance is monitored by the Department of Health & Human Services; audits are based on the Office for Civil Rights (OCR) audit protocols, which are regularly enforced and updated by KPMG, which investigates compliance with the Security and Privacy Rules.

Several technologies are not HIPAA compliant, such as web-based email like free Gmail, Yahoo and Hotmail, and text-messaging services such as Facebook, WhatsApp and some reward-program apps. Using such services in a HIPAA compliant organization would leave users and the organization open to breaches of the legislation and put the reputation of the MMJ business at serious risk.

Using cloud services and online storage such as iCloud or OneDrive, which are outside the organization's control, could also represent a potential breach of HIPAA regulations. You must always make sure that any software service you use in your business is HIPAA compliant, and the company you choose must provide you with a Business Associate Agreement.

Using professional email services and professional apps at work is absolutely essential for HIPAA compliance. Many consumer apps and email systems are not regarded as secure and can be accessed easily by third parties, leaving users open to liability. Free email services and non-compliant software, such as regular SMS sent by a rewards program, leave loopholes in security and expose gaps in HIPAA policy.

Short-code text message services can also be a risk, as they create vulnerabilities and can expose users to unrecognized liabilities. While there are pitfalls with SMS, compliant text message services offer real cost and time savings. To use them, however, organizations must ensure that they are HIPAA compliant. This means that when sending a text, the sender needs to know if, when and to whom the message was sent. Any messaging system used must have a built-in audit trail, including the ability to archive messages and retrieve all information about them quickly. Consumer-based text messaging systems fail in these regards and should be avoided when PHI is involved.
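To make the audit-trail requirement concrete, here is an added illustration (not code from the original article or from Aspen Technology Group) of what a messaging service has to record for each text so that "if, when and to whom" can be answered later and the record itself cannot be quietly altered. It keeps everything in memory, uses a constructed placeholder HMAC key, and deliberately stores only a digest of the message body in the log so the audit records contain no PHI; the separate body archive is where encryption at rest would be applied in a real deployment.

```python
"""Minimal tamper-evident audit trail for a PHI text-messaging service.

Added illustration, not the article's or Aspen Technology Group's code.
Everything is in memory and the HMAC key is a constructed placeholder; a
real deployment keeps the key in a secrets manager and persists the log.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed placeholder key for the example; never hard-code a real one.
AUDIT_KEY = b"placeholder-audit-key-change-me"


def _now() -> str:
    """UTC timestamp so 'when' in the audit trail is unambiguous."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class AuditedMessenger:
    """Records who sent what to whom, when, and whether it arrived.

    The audit log never stores the message body, only its SHA-256 digest,
    so the log itself holds no PHI. Bodies live in a separate archive that
    a production system must encrypt at rest.
    """

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.events: list[dict] = []        # append-only audit log
        self.archive: dict[str, str] = {}   # message_id -> body (encrypt in production)

    def _append(self, event: dict) -> None:
        # Chain each entry to the previous entry's MAC so that editing an
        # earlier entry, or removing one from the middle, is detectable.
        prev = self.events[-1]["mac"] if self.events else ""
        payload = json.dumps(event, sort_keys=True) + prev
        event["mac"] = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self.events.append(event)

    def send(self, sender: str, recipient: str, body: str) -> str:
        """Archive the body and log the send event; returns the message id."""
        message_id = str(uuid.uuid4())
        self.archive[message_id] = body
        self._append({
            "event": "sent",
            "message_id": message_id,
            "sender": sender,
            "recipient": recipient,
            "at": _now(),
            "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        })
        return message_id

    def record_delivery(self, message_id: str, delivered: bool) -> None:
        """Log the carrier's delivery outcome so 'if it was sent' is answerable."""
        self._append({
            "event": "delivered" if delivered else "failed",
            "message_id": message_id,
            "at": _now(),
        })

    def history(self, message_id: str) -> list[dict]:
        """Everything known about one message: when, to whom, and the outcome."""
        return [e for e in self.events if e["message_id"] == message_id]

    def messages_to(self, recipient: str) -> list[str]:
        """Quick retrieval of every message id sent to a given recipient."""
        return [e["message_id"] for e in self.events
                if e["event"] == "sent" and e["recipient"] == recipient]

    def verify(self) -> bool:
        """Recompute the HMAC chain; False if any logged entry was altered."""
        prev = ""
        for event in self.events:
            fields = {k: v for k, v in event.items() if k != "mac"}
            payload = json.dumps(fields, sort_keys=True) + prev
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, event["mac"]):
                return False
            prev = event["mac"]
        return True


if __name__ == "__main__":
    # Constructed sample traffic; the recipient number is a placeholder.
    m = AuditedMessenger()
    mid = m.send("pharmacist@example-dispensary.test", "+15550000000", "Your refill is ready")
    m.record_delivery(mid, True)
    print(m.history(mid))
    print("log intact:", m.verify())
```

The design choice worth noting is the split between the log and the archive: auditors and support staff can query the log freely because it carries only metadata and digests, while the archived bodies (the actual PHI) can be kept under stricter access controls and encrypted storage.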

Another important consideration is that data centers must be secure and risk-assessed regularly. All data in transit and in storage needs to be adequately encrypted. PHI (protected health information) is covered by HIPAA and as such must be robustly protected. This includes ensuring that only secure email is used to send and receive sensitive information.

The repercussions of a HIPAA or PCI security breach are severe and come in the form of fines and sanctions, which can be imposed on the MMJ business and its employees for various violations. For example, for a "did not know" violation, first-offence fines can be between $100 and $50,000, rising to $1,500,000 for subsequent offences. Where there is found to be reasonable cause, a fine of between $1,000 and $50,000 can be imposed, again rising to as much as $1,500,000 for subsequent breaches. Where "willful neglect, corrected" is found, the fine can be between $10,000 and $50,000, again rising to $1,500,000 for subsequent breaches. Where "willful neglect, uncorrected" is found, the fine is a flat $50,000, rising to the highest sanction of $1,500,000.

With such hefty sanctions in place, it is important for all MMJ businesses, employees and associates to familiarize themselves fully with the legal and ethical requirements of HIPAA, including the audit and security requirements necessary to ensure full compliance.

Written By Alyssa Riccio, Cloud Solutions Consultant – Aspen Technology Group

What questions do you have about HIPAA compliance? Do you think it is easier or more difficult to be compliant in the medical cannabis industry? Join the conversation and comment below!

  • Andy Weitzberg

    As a Medical Marijuana dispensary, HIPAA compliance requires having documented policies and procedures to demonstrate how PHI will be protected. It is another layer of oversight that is federal. It can protect your customer base from unreasonable local governmental requests for customer information.
