The Illinois Department of Financial and Professional Regulation (IDFPR) has officially released guidelines on how to implement the data security and privacy standards of the Illinois Compassionate Use of Medical Cannabis Program Act (A280). IDFPR recently produced a FAQ detailing its understanding of the Act’s mandate that Illinois cannabis dispensaries comply with certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, as well as the timeframes associated with it.
IDFPR’s guideline outlines the steps that dispensaries should take to ensure the privacy and security of health information, in accordance with the HIPAA Security and Privacy Rules. Dispensaries must furnish clients with a Statement of Privacy Practices by August 1, 2021. The FAQ instructs dispensaries and many of their vendors to undertake, by December 1st, a security risk study that identifies health information security concerns, as well as the possibility and effect of such threats. By December 1, 2021, dispensaries must also implement HIPAA-compliant administrative, technical, and physical measures.
Dispensaries and their agents could face fines of up to USD 10,000 per infringement. Examples of infractions noted in the FAQ include revealing computer passwords, exchanging health information with foreign parties, neglecting an industry-standard firewall, and not encoding networks and computers that store health information.
Dispensaries and technology vendors who handle health information on their behalf should meet with legal representation to discuss how these new standards might be implemented into current compliance programs as quickly as possible.
As the cannabis sector grows, state legislators and regulators are paying more attention. Cannabis dispensaries and technology vendors operating in Illinois should assess their privacy and security protocols to ensure that they are in compliance with HIPAA’s criteria, which Illinois integrated into the Compassionate Use of Medical Cannabis Program Act (A280).
It is critical for cannabis firms to speak with professionals who are familiar with HIPAA when planning for compliance. Foley Hoag’s healthcare group has extensive experience advising clients on HIPAA compliance and other data privacy problems, including HIPAA risk evaluation, and includes attorneys who are familiar with the cannabis sector and its clients’ needs.