A medical cannabis patient hands over a state ID, a medical card, sometimes a diagnosis, and a record of every product they buy. They reasonably assume this information is protected the way their other medical records are — by HIPAA, the federal health-privacy law that governs doctors and hospitals. That assumption is, in most cases, wrong. And the gap between what patients expect and what the law actually requires is one of the most consequential — and least understood — privacy problems in cannabis.
Why dispensaries usually aren’t covered by HIPAA
HIPAA does not protect “health information” in the abstract. It protects health information held by specific covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions like insurance billing.
That definition is the whole problem. Because cannabis remains federally illegal and is not reimbursed by insurance, most dispensaries never engage in the billing transactions that would make them HIPAA-covered entities. The recommending physician who certifies a patient is bound by HIPAA. The dispensary where the patient actually buys cannabis generally is not. The patient experiences it as one continuous medical journey; the law sees a covered provider handing off to an entity that, for HIPAA purposes, looks more like a retailer.
The consequence: a dispensary can collect a patient’s identity documents, medical card, qualifying-condition information, and complete purchase history, and HIPAA’s privacy and security rules may simply not apply to any of it. There is no federal floor for how that data must be secured, who can access it, how long it is kept, or what happens when it is breached.
A patchwork where a floor should be
In HIPAA’s absence, protection depends entirely on state law — and state law is inconsistent. Some medical-cannabis programs do impose HIPAA-equivalent obligations by statute. Illinois’s medical program, for example, requires dispensing organizations to keep patient-identifying information in compliance with federal HIPAA privacy and security standards even though HIPAA would not otherwise reach them. Other states say little, leaving real legal uncertainty about what a dispensary must do with patient data.
The Federal Trade Commission and several states have explicitly recognized this gap between HIPAA and non-HIPAA entities that handle health-related information, and it is especially pronounced in cannabis. The result is that two patients with identical conditions, buying identical products, can have radically different privacy protections depending solely on which state they are in.
This is the same fragmentation we mapped in our 21-state privacy compliance checklist — and for medical operators it is sharper, because the data is health data.
The laws closing the gap: consumer health-data statutes
The most important development for medical-cannabis privacy is not a change to HIPAA. It is a new category of state consumer health-data laws that protect health information regardless of who holds it.
The leading example is Washington’s My Health My Data Act (MHMDA). Rather than tying protection to the type of entity, MHMDA protects “consumer health data” based on the nature of the information. Critically, its definition is broad enough that a consumer’s purchase of certain cannabis products can itself reveal “past, present, or future physical or mental health status” — which pulls dispensaries squarely within the law’s reach. MHMDA imposes meaningful obligations: a separate consumer-health-data privacy policy, affirmative consent before collecting or sharing such data, strict limits on selling it (with a signed authorization requirement), and consumer rights to access and delete. It also carries a private right of action, meaning individuals — not just regulators — can sue.
Washington is not alone. Nevada enacted a closely comparable consumer-health-data law, and Connecticut amended its privacy act to add health-data provisions. These statutes emerged in the wake of the U.S. Supreme Court’s abortion decision and a broader recognition that sensitive health information was flowing through entities HIPAA never touched. For cannabis operators, the effect is direct: in a growing number of states, the privacy obligations you avoided by not being a HIPAA covered entity are arriving anyway — through consumer-health-data law.
What this means for operators
The strategic takeaway is that “we’re not a HIPAA covered entity” is no longer a privacy strategy. It is, at best, a temporary technicality that newer state laws are deliberately routing around. Operators handling medical-patient data should act on several fronts.
1. Stop relying on the HIPAA loophole. Treat medical-cannabis patient data as the sensitive health information patients believe it to be, regardless of whether HIPAA technically applies. That is both the ethical posture and, increasingly, the legally required one.
2. Map where consumer health-data laws reach you. If you operate in or serve customers in Washington, Nevada, or Connecticut — and watch for more states following — determine whether your data practices trigger these statutes. MHMDA’s consent, authorization-to-sell, and deletion requirements are specific and enforceable, and the private right of action raises the stakes.
3. Apply HIPAA-grade controls as a baseline. Encryption at rest and in transit, role-based access, access logging, defined retention and deletion, and a breach-response process. Even where no law mandates it, these are the controls that prevent the breaches and limit the damage when one occurs — and they map cleanly onto whichever state regime applies. Our GDPR compliance guide for dispensaries covers much of the same control set for operators with international exposure.
4. Minimize what you collect and keep. The strongest defense against a health-data breach is not holding the data. Collect only what the program requires, and apply the verify-don’t-store discipline to identity and medical documentation. Less retained patient data means a smaller breach, a smaller notification burden, and a smaller litigation target.
5. Get consent and policies right. Consumer-health-data laws are consent-driven. A generic website privacy policy will not satisfy MHMDA’s requirement for a distinct consumer-health-data policy and affirmative consent. Build these properly; the private right of action means getting it wrong invites lawsuits, not just enforcement letters.
The bottom line
Patients trust dispensaries with information as sensitive as anything in their medical file, on the assumption that health-privacy law has them covered. For most dispensaries, HIPAA does not — and that gap has left medical cannabis data under-protected for years. The encouraging shift in 2026 is that states are closing the gap directly, with consumer-health-data laws that protect the information based on what it is rather than who holds it.
Operators who get ahead of this — by treating patient data as protected health information, mapping the new state laws, and applying HIPAA-grade controls as a voluntary baseline — will be ready as the legal floor rises. Those still leaning on “HIPAA doesn’t apply to us” are defending a position the law is actively dismantling, one state at a time.
This article is provided for informational purposes only and does not constitute legal advice.



