Medical cannabis and psychedelic-assisted therapies present new challenges to patient privacy rights. The regulations surrounding cannabis and psychedelic medicine do not always align with provider practices and patient expectations. Bridging the gap between current regulations and data privacy best practices requires careful data management, and failure to recognize the pitfalls can result in fines, legal liability, and loss of patient trust. While it sounds reasonable to keep and monitor records regarding new treatment modalities, would-be patients can find themselves asking, “what about HIPAA?” or “what about my state’s data-protection laws?”
HIPAA Basics
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a U.S. law that establishes standards to protect health data from disclosure without patient consent. Not every piece of health data is covered by HIPAA, and neither is every provider. Instead, the HIPAA privacy and security rules apply to how covered entities can use a patient’s protected health information (“PHI”). Covered entities include:
- Healthcare providers who transmit health information electronically in connection with certain standard transactions, such as health insurance claims;
- Health plans, like insurers, HMOs, Medicare/Medicaid, and employer-sponsored group health plans; and
- Healthcare clearinghouses, which are entities that receive identifiable PHI when they provide processing services for health plans and healthcare providers.
The regulations also apply to:
- Business associates, which are not covered entities themselves (nor their members or employees), but rather persons or entities that create, receive, maintain, or transmit identifiable PHI while performing a function or service on behalf of a covered entity. Vendors that provide claims processing or billing for covered entities are two common examples.
In limited circumstances, a covered entity can disclose PHI without patient consent. Outside of those exceptions, covered entities and their business associates must protect PHI and ePHI (PHI created, received, maintained, or transmitted in electronic form) from release or transmission without patient consent.
Federal and State Data Privacy Laws in Cannabis and Psychedelics
Similarly to cannabis and psychedelics, cybersecurity and data privacy laws are patchwork across the United States. While laws like HIPAA apply nationally, as of May 2024, 47 U.S. states have enacted their own data privacy laws. Additionally, all 50 U.S. states, Washington D.C., and three U.S. territories have enacted data breach notification laws.
The complexity of this regulatory environment, coupled with the relative novelty of cannabis and psychedelic medical regulation, can result in conflicts. For example, in April of 2025, the Iowa House of Representatives passed a bill that, if enacted, would legalize medical psilocybin treatment in the state. The bill requires that all medical psilocybin sessions be recorded and that the recordings be available for inspection upon request by government officials. The bill also requires that the providers be doctors, advanced nurse practitioners, advanced practice nurses, psychologists, or social workers who complete psilocybin continuing education requirements, register with the state, and pay a registration fee.
Many of the aforementioned providers are likely already covered entities under HIPAA, and a recording of a treatment session is PHI. Issues will likely arise when those providers attempt to comply with both the Iowa bill's record-and-inspect requirement and HIPAA.
What Happens If State Law And HIPAA Conflict?
State laws that conflict with HIPAA's Privacy Rule are preempted by HIPAA, unless a specific exception applies. Exceptions include if the state law:
- Relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information;
- Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention; or
- Requires certain health plan reporting, such as for management or financial audits.
In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
Thus, when a state medical cannabis or medical psychedelics law includes provisions that would require a covered entity to violate HIPAA, HIPAA will usually preempt those provisions. The threshold question is whether the state law is "contrary" to HIPAA: under the Department of Health and Human Services (HHS) regulations, a state law is contrary if a covered entity would find it impossible to comply with both the state and federal requirements, or if the state law stands as an obstacle to HIPAA's purposes. A contrary state law is preempted unless it falls within one of the exceptions above or HHS determines, on request, that it should not be preempted.
What Happens When Health Insurance Isn’t Involved?
Data privacy issues also arise when health insurance isn't involved. Although there are some limited ketamine-assisted therapy insurance reimbursements available, medical cannabis and psychedelic-assisted therapies are typically not covered by health insurance. Accordingly, a medical cannabis or psychedelic-assisted therapy provider that never transmits health information electronically in connection with a standard transaction may not be a covered entity under HIPAA. In those cases, providers must look to state data privacy laws to determine their obligations. Note, however, that a practice that is already a covered entity because of other insurance-reimbursed services remains one for all of the PHI it holds, including records of cash-pay cannabis or psychedelic treatment.
Best Practices For Medical Cannabis, Psychedelics, And Ketamine-Assisted Therapy Businesses Obligated To Follow HIPAA
Given the intricate nature of these intersecting regulations, providers should consider:
- Comprehensive compliance planning: Providers should seek to work with lawyers with cybersecurity expertise and cannabis/psychedelic medicine knowledge to create a compliance plan, spot potential conflicts, and design a response to regulatory conflicts.
- Privacy by design: Providers should incorporate data privacy practices into workflow design, employee training, digital content, and patient education to adequately set expectations and avoid mistakes.
- Employee Training: Medical cannabis and psychedelics providers should invest in training their employees in applicable regulations, possible conflicts, and how to respond.
- Preemption Determination Requests: Covered entities that cannot follow both their state law requirements and HIPAA regulations can request a preemption determination from the Department of Health and Human Services. A knowledgeable attorney can help providers to make those requests.
Work With The Right Experts
Medical cannabis and psychedelics programs are expanding, but so is the network of applicable data privacy regulations. Rudick Law Group’s attorneys bring experience in healthcare and cyber law, as well as medical cannabis and psychedelic law expertise. Our firm is well-positioned to support new and growing medical cannabis and psychedelic providers in meeting the unique challenges posed by balancing competing requirements in these industries. To speak with a knowledgeable medical cannabis and psychedelic law attorney, contact Rudick Law Group.