by sailfast 300 days ago
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?

What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/

From some quick research, it seems unclear whether dispensaries are covered entities under HIPAA, as they are not reimbursed by insurers, due to the federal illegality of the drug. https://mjbizdaily.com/do-medical-marijuana-companies-need-t...
Kinda incredible - even if they’re not covered providers they are still requesting medical records!
HIPAA is not a privacy law, nor even a healthcare law. It's an insurance law. It does not cover medical records generally. It deals strictly with how doctors bill insurance companies, and mandates security for health information being billed about.

For the same reason, health & wellness apps are not generally covered by HIPAA, and in fact quite a few of those exist solely for the purpose of selling medical data to data brokers. Especially ones related to women's health.

They usually require records for compliance with state regulations (but the state does not require them to follow HIPAA).
Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.

[0] https://www.hhs.gov/hipaa/for-professionals/covered-entities...

I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!
Sure, but if it was a HIPAA compliance issue then the legal action path is easier and more lucrative.