sailfast 2 days ago

So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?

What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/

nickff 2 days ago | parent | next [-]

From some quick research, it seems unclear whether dispensaries are covered entities under HIPAA, as they are not reimbursed by Insurers, due to the federal illegality of the drug. https://mjbizdaily.com/do-medical-marijuana-companies-need-t...

sailfast 2 days ago | parent [-]

Kinda incredible - even if they’re not covered providers they are still requesting medical records!

lmkg 2 days ago | parent | next [-]

HIPAA is not a privacy law, nor even a healthcare law. It's an insurance law. It does not cover medical records generally. It deals strictly with how doctors bill insurance companies, and mandates security for health information being billed about.

For the same reason, health & wellness apps are not generally covered by HIPAA, and in fact quite a few of those exist solely for the purpose of selling medical data to data brokers. Especially ones related to women's health.

nickff 2 days ago | parent | prev [-]

They usually require records for compliance with state regulations (but the state does not require them to follow HIPAA).

time0ut 2 days ago | parent | prev | next [-]

Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.

[0] https://www.hhs.gov/hipaa/for-professionals/covered-entities...

adi4213 2 days ago | parent | prev | next [-]

I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!

hx8 2 days ago | parent [-]

Sure, but if it was a HIPAA compliance issue then the legal action path is easier and more lucrative.

2 days ago | parent | prev [-]
[deleted]