When dealing with HIPAA, it is important to note that compliance is not only the concern of the covered entities themselves (medical providers, health plans and healthcare clearinghouses). Business Associates that create, receive, maintain or transmit PHI on behalf of medical providers and MMJ dispensaries are also required to adhere to HIPAA rules: under the HITECH Act and the 2013 Omnibus Rule they are directly liable for complying with the Security Rule and the applicable provisions of the Privacy Rule, and the covered entity must have a signed Business Associate Agreement (BAA) in place with each of them before sharing PHI.
Some possible Business Associates are:
Data centers and cloud service providers that store or process PHI*. (The "conduit" exception covers only pure transmission services such as ISPs and couriers; a cloud provider that stores encrypted PHI is still a Business Associate even if it never holds the decryption key.)
Outbound marketing agencies.
A CPA firm whose accounting services to a doctor or dispensary involve access to PHI.
An attorney whose legal services to a health plan involve access to PHI.
Any consultant that has access to PHI records.
CRM, ERP and POS system providers.
*PHI - Protected Health Information is individually identifiable health information. The HIPAA Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists the identifiers that make health information identifiable and that must be removed to de-identify it; they include the following:
Names (first and/or last)
All geographic subdivisions smaller than a state (street address, city, county, precinct and ZIP code), except that the first three digits of a ZIP code may be kept when that three-digit area contains more than 20,000 people
All elements of dates (other than year) directly related to an individual, such as birth, admission, discharge and death dates, and all ages over 89 (which may be aggregated into a single "90 or older" category)
Social Security Numbers
Medical record numbers
Health insurance numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic or code, other than a re-identification code assigned by the covered entity, provided the code is not derived from information about the individual and the re-identification mechanism is not disclosed (45 CFR 164.514(c))
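As an added example (not part of the original page, and not a complete Safe Harbor implementation): a small Python script that scans a free-text record for some of the identifiers listed above (Social Security numbers, medical record numbers, IPv4 addresses, full dates, ZIP codes and ages over 89) and applies the corresponding Safe Harbor treatment: drop the identifier, keep only the year of a date, keep only the first three ZIP digits, and aggregate ages over 89. The regular expressions, the `MRN` label format and the sample record are this example's own construction. It does not detect names or street addresses, which need a dictionary or NER pass rather than regexes, and it does not implement the low-population ZIP prefix rule, so it demonstrates the check rather than replacing a real de-identification review.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified patterns for a subset of the Safe Harbor identifiers.
# These regexes are an assumption of this example, not HIPAA text:
# real records also need name/address detection, which regexes cannot do.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # MM/DD/YYYY or YYYY-MM-DD. A full date is an identifier; the year alone is not.
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b|\b(\d{4})-(\d{2})-(\d{2})\b"),
    # Any bare 5-digit number is treated as a ZIP code: over-redaction is the
    # safe failure mode for this kind of check.
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "age": re.compile(r"\bage\s*(\d{1,3})\b", re.IGNORECASE),
}


@dataclass
class Finding:
    kind: str
    value: str
    start: int


def find_identifiers(text: str) -> list[Finding]:
    """Return every Safe Harbor identifier the patterns above can see, in text order."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "age" and int(m.group(1)) <= 89:
                continue  # ages 89 and under are not identifiers under Safe Harbor
            findings.append(Finding(kind, m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def is_deidentified(text: str) -> bool:
    """True when none of the patterns above match (names/addresses are not checked)."""
    return not find_identifiers(text)


def _keep_year(m: re.Match) -> str:
    # Safe Harbor allows the year of a date to remain.
    return m.group(3) or m.group(4)


def _aggregate_age(m: re.Match) -> str:
    # Ages over 89 are collapsed into one category; the token is chosen so that
    # the age pattern no longer matches the redacted text.
    return "age [90+]" if int(m.group(1)) > 89 else m.group(0)


def redact(text: str) -> str:
    """Apply the Safe Harbor treatment for each identifier class, most specific first."""
    text = PATTERNS["ssn"].sub("[SSN]", text)
    text = PATTERNS["mrn"].sub("[MRN]", text)
    text = PATTERNS["ipv4"].sub("[IP]", text)
    text = PATTERNS["date"].sub(_keep_year, text)
    text = PATTERNS["age"].sub(_aggregate_age, text)
    # Keep the three-digit ZIP prefix. Assumption: the prefix is one of the
    # areas with more than 20,000 people; a real implementation must consult
    # the list of low-population prefixes and blank those to 000.
    text = PATTERNS["zip"].sub(lambda m: m.group(0)[:3] + "XX", text)
    return text


# Constructed sample record; not real patient data.
SAMPLE = (
    "Patient John Doe, MRN 48213377, 123-45-6789, age 92, "
    "admitted 04/15/2023, discharged 2023-04-19, ZIP 90210, "
    "portal login from 10.0.0.5."
)

if __name__ == "__main__":
    for f in find_identifiers(SAMPLE):
        print(f"{f.kind:5} at {f.start:3}: {f.value}")
    print(redact(SAMPLE))
```

Running the script on the sample lists seven findings and prints the record with the year-only dates, the truncated ZIP and the aggregated age; the patient name survives untouched, which is exactly the gap a regex-only scrubber leaves and why the PHI list above starts with names.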