The Illinois Department of Financial and Professional Regulation (IDFPR) recently provided guidance interpreting data privacy and security requirements in Illinois’ Compassionate Use of Medical Cannabis Program Act (A280). Specifically, IDFPR recently published an FAQ outlining its interpretation of, and deadlines associated with, the Act’s requirement that Illinois cannabis dispensaries comply with certain sections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The guidance from IDFPR describes steps dispensaries must take to protect the security and privacy of health information, consistent with requirements in the HIPAA Privacy and Security Rules. As of August 1, 2021, dispensaries are required to provide customers with a Notice of Privacy Practices. The FAQ directs dispensaries and many of their vendors to conduct a security risk analysis that identifies risks to health information, and the likelihood and impact of such risks, by December 1st. Dispensaries must also adopt administrative, technical, and physical controls consistent with HIPAA standards by December 1, 2021.
Fines of up to $10,000 per violation may be issued against dispensaries and their agents. Examples of violations cited in the FAQ include sharing computer passwords, discussing health information with third parties, not using an industry-standard firewall, and not encrypting computers or networks that store health information.
Dispensaries and technology vendors that host health information on behalf of dispensaries should meet with counsel to discuss how these new requirements can be efficiently incorporated into existing compliance programs. Specifically, dispensaries and vendors should confirm that their compliance programs include:
- Administrative safeguards: Under HIPAA these include a security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, a contingency plan, and an evaluation.
- Physical safeguards: Under HIPAA these include facility access controls, workstation use procedures, workstation security, and device and media controls.
- Technical safeguards: Under HIPAA these include access controls, audit controls, integrity controls, person or entity authentication, and transmission security.
Two HIPAA safeguards that IDFPR focuses on in its guidance are security risk analysis and encryption of health information at rest and in transit. Although HIPAA has no prescriptive timeframe for a security risk analysis, the IDFPR FAQ states that medical cannabis dispensing organizations should conduct a security risk analysis annually to identify areas of high security risk to health information and implement security measures to address these risks.
Below are just a few key questions cannabis dispensaries and vendors should ask themselves as they evaluate readiness for these new requirements:
- Do I need to update my Notice of Privacy Practices or website privacy policies?
- Do I need to appoint additional privacy and security personnel?
- Is my training program appropriate and adequate?
- Do I need to consider additional administrative, technical, or physical controls to prevent unauthorized access (e.g., encryption, multi-factor authentication, heightened password requirements, access controls)?
- Is my annual risk analysis sufficient?
- Do I need to change my vendor management protocols or contract documents?
- Does my incident response plan consider relevant notification requirements?
- How should I document these compliance measures?
As the cannabis industry continues to grow, attention from state legislators and regulators increases. Cannabis dispensaries (and technology vendors operating in Illinois) should review their privacy and security programs to confirm compliance with HIPAA’s standards, which the state incorporated into the Compassionate Use of Medical Cannabis Program Act (A280).
Beckage focuses on the tech and privacy side of cannabis so companies can grow smarter and more secure. We work closely with IT teams, general counsel, and executive leadership to accomplish these results. For more information regarding the Compassionate Use of Medical Cannabis Program Act (A280), email Beckage Cannaprivacy Team Lead Daniel P Greene, Esq., CIPP/US, CIPP/E at firstname.lastname@example.org or call 716.898.2102.
*Attorney advertising: prior results do not guarantee similar outcomes.