New guidance in Illinois published by the Department of Financial and Professional Regulation (IDFPR) requires medical and co-located dispensaries in the state to protect patient information in accordance with the privacy and security rules set out in the federal Health Insurance Portability and Accountability Act (HIPAA) statute and attendant regulations, JD Supra reports.
Under the guidance, dispensaries that sell medical cannabis — including those with adult-use licenses — must complete a HIPAA security risk assessment by December 1. That risk assessment includes identifying areas of high security risk for Electronic Protected Health Information (ePHI); an evaluation of the likelihood and impact of the risks; implementation of security measures to address the risks; and documentation of the measures and their rationale.
Among other regulations, HIPAA requires that covered medical providers complete initial and then recurring assessments of risks to their IT infrastructure, and adopt certain physical, administrative, and technical safeguards to protect patient information, the report says.
Illinois required that patients be given a Notice of Privacy Practices for Protected Health Information by August 1, according to the guidance. The rules also require dispensaries that have had patient information breached to notify the IDFPR of the breach within 60 days of discovery. The guidance notes that in the event of a theft of dispensary computers that are encrypted, businesses are not required to report the theft but are “strongly encouraged” to file a report with the agency.
Illinois is not the first state to protect medical cannabis patient information; Massachusetts also requires that dispensary employees are trained on patient privacy and confidentiality and have information systems that are configured to protect patient privacy.