HIPAA Compliance for Medical Marijuana Programs and Dispensaries
Medical marijuana sits in an unusual regulatory position, and the first question for anyone handling its records is deceptively simple: does HIPAA even apply? The answer depends entirely on who is holding the data. A storefront dispensary and a physician who certifies a patient for a state program face very different obligations, and assuming HIPAA governs everything — or nothing — is where organizations get into trouble.
When a dispensary is not a covered entity
HIPAA applies to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, and the like). Because cannabis remains a Schedule I controlled substance under federal law, dispensaries do not bill Medicare, Medicaid, or commercial insurers for it, and most conduct none of the standard electronic transactions that trigger covered-entity status. As a result, a typical retail dispensary is not a HIPAA covered entity. That surprises many operators, but it is a direct consequence of how the rule defines its own reach: the test is what transactions you transmit, not how sensitive the data you hold is.
The certifying provider is almost always covered
The physician, nurse practitioner, or clinic that evaluates a patient and issues a certification is, in practice, a covered entity: virtually every such provider bills insurers electronically for other services, which is all the definition requires. Their records, including the diagnosis, the qualifying condition, and the certification itself, are PHI and receive the full protection of the HIPAA Privacy and Security Rules. The only exception is the rare cash-only certification clinic that never transmits a standard electronic transaction; such a clinic should confirm its status under the definition above rather than assume it. A provider who runs an in-house medical marijuana program, rather than simply referring out, carries the same obligations for every patient record the program generates.
State law often fills the gap — and goes further
Where HIPAA does not reach, state medical marijuana laws almost always do. Most state programs run a confidential patient registry and impose explicit confidentiality and data-security requirements on dispensaries and on the state agency itself, frequently with penalties that are stricter than HIPAA’s. Seed-to-sale tracking systems, registry identification numbers, and purchase histories are all sensitive data points that state statutes protect. An operator who concludes “HIPAA does not apply, so we are fine” has answered only half the question; the state confidentiality regime is usually the controlling one.
Run a Security Risk Analysis on the program
For any covered provider, the HIPAA Security Rule requires a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. For a medical marijuana program that means examining where certifications are stored, which staff roles can read the qualifying-condition data, and how the practice connects to any state registry portal, including who holds the portal credentials. Patients in these programs are often acutely sensitive about disclosure, so access controls and audit logging deserve particular attention; in particular, a shared registry login or a shared EHR account makes it impossible to attribute an access to a person, which defeats the audit trail the rule expects.
The proposed 2026 Security Rule update
Providers should track the Notice of Proposed Rulemaking (NPRM) that the HHS Office for Civil Rights published in December 2024, which proposes substantial Security Rule changes, including mandatory encryption of ePHI, multi-factor authentication, and annual written verification from business associates that their technical safeguards are in place. It remains a proposal, not a final rule. As drafted, a final rule would take effect 60 days after publication, with compliance required 180 days after that, a total window of 240 days. Tightening access controls around sensitive certification data now positions a program well for whatever is finalized.
How Medcurity helps
Medcurity helps healthcare organizations complete and document the Security Risk Analysis HIPAA requires, mapping data flows like certification records and registry integrations and tracking remediation over time. Pricing is $499/year (about $42/month) for a single organization; larger or multi-entity organizations can request a quote. To go deeper on the vendors and tools that touch this data, see our guidance on the HIPAA Business Associate Agreement and our broader HIPAA compliance checklist.
Frequently asked questions
Is a medical marijuana dispensary a HIPAA covered entity?
Often not. A retail dispensary that does not transmit standard electronic health care transactions (such as billing insurance) usually falls outside HIPAA's definition of a covered entity. The certifying physician and any provider-run program, however, are almost always covered entities, because they bill insurers electronically for other services, and must comply fully.
If HIPAA does not apply to a dispensary, is patient data unprotected?
No. State medical marijuana statutes typically impose their own confidentiality requirements on registries and dispensaries — frequently stricter than HIPAA. Dispensaries must follow those state rules even where HIPAA does not reach them.
Does a certifying physician need a Business Associate Agreement with a dispensary?
Generally a BAA is required only when a vendor creates, receives, maintains, or transmits PHI while performing a function or service on behalf of a covered entity. A dispensary that receives a certification directly from the patient is acting on its own behalf, not the provider's, so it is usually not a business associate. Software vendors, billing services, and any registry-integration vendor that handles PHI for the provider, however, typically do require a BAA.
How does the HIPAA Security Rule apply to a provider’s medical marijuana program?
A provider operating a medical marijuana certification program must protect electronic PHI and include the program — certifications, patient records, and any state registry integration — in its Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A).