Dear Stoner: Do HIPAA laws apply to dispensary owners in Colorado? They had no idea what happened to papers I signed, and it feels like these documents weren’t treated with any privacy.
Lee
Dear Lee: This is where that state/federal law can get a little messy. Medical marijuana legalization and protection for patients only occurs at the state level, but the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation. Because the federal government still doesn’t officially recognize the legality of state MMJ programs, national laws like HIPAA don’t necessarily apply to dispensaries or MMJ patients, since they’re already breaking the law to begin with.
But just because the feds don’t have your back on this doesn’t mean the state won’t. The Colorado Department of Public Health and Environment guards all patient data and information, and it’s illegal for dispensaries to share your patient information with other stores. Outside of your doctor, caregiver or caregiver dispensary, only designated CDPHE employees — and no other entity — can look at patient information. Even state and local law enforcement are only allowed to confirm a patient’s card if a patient is approached or arrested. This is all state law, so remind your dispensary about the policy if you feel that your privacy has been breached, or reach out to the CDPHE at [email protected].
Send questions to [email protected].