New guidance in Illinois published by the Department of Financial and Professional Regulation (IDFPR) requires medical and co-located dispensaries in the state to protect patient information in accordance with the privacy and security rules set out in the federal Health Insurance Portability and Accountability Act (HIPAA) statute and its attendant regulations, JD Supra reports.
Under the guidance, dispensaries that sell medical cannabis — including those with adult-use licenses — must complete a HIPAA security risk assessment by December 1. That risk analysis includes identifying areas of high security risk for Electronic Protected Health Information (ePHI); evaluating the likelihood and impact of those risks; implementing security measures to address them; and documenting the measures and their rationale.
Among other regulations, HIPAA requires that covered medical providers complete an initial and then recurring assessments of risks to their IT infrastructure, and put in place certain physical, administrative, and technical safeguards to protect patient information, the report says.
Illinois required that patients be given a Notice of Privacy Practices for Protected Health Information by August 1, according to the guidance. The rules also require that dispensaries whose patient information has been breached notify the IDFPR of the breach within 60 days of discovery. The guidance notes that in the event of a theft of dispensary computers that are encrypted, businesses are not required to report the theft but are “strongly encouraged” to file a report with the agency.
Illinois is not the first state to protect medical cannabis patient information; Massachusetts also requires that dispensary workers be trained on patient privacy and confidentiality, and that dispensaries maintain records systems configured to protect patient privacy.