As more and more state laws allow the use of marijuana for medical conditions, and dispensaries open to provide access to marijuana for medical (and recreational) use, patients are increasingly concerned about the protection of their privacy when purchasing marijuana at a dispensary. The concern is well founded: federal law still outlaws marijuana, as do many states, and many employers conduct drug monitoring and could access and use purchase data in the employment setting, including to terminate employees.

In response to these concerns, many states are enacting laws to protect the privacy of consumers who frequent marijuana dispensaries. For instance, Massachusetts does not require retailers to record customer information. Oregon goes further and does not allow marijuana retailers to record, retain, or transfer their customers' personal information.

Many ask whether HIPAA applies to medical marijuana dispensaries. The answer is that it depends on whether the dispensary is a covered entity under HIPAA, that is, whether it bills for or electronically submits a "covered transaction" (such as a claim to a health plan) that falls under the regulatory rubric of HIPAA. If the dispensary is simply paid in cash and never bills an insurer, it is probably not a covered entity, and therefore consumers' personal and health information is not protected by the HIPAA Privacy and Security Rules. Nonetheless, some state laws protect the privacy of consumers' health information regardless of HIPAA status.

Although some dispensaries hold themselves out as "HIPAA compliant" and hand patients a Notice of Privacy Practices (a document HIPAA requires only of covered entities), consumers should in general assume that a medical dispensary is not following HIPAA, that their health information can be shared, and that it is in fact being shared and monetized just as any other business monetizes its customer data.

If you visit a marijuana dispensary (or any other retail establishment), paying cash is the best way to protect your privacy: a card payment ties your name to the purchase in the retailer's records and in its payment processor's records. Otherwise, your personal information will be collected, used, transmitted, and stored in the dispensary's system and in the cloud, all of which carry risks that have been discussed before in this blog.