Is BLAZE HIPAA Compliant?

BLAZE® is considered a Business Associate and complies with all applicable rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA is a federal regulation that may apply to medical cannabis transactions (see 45 C.F.R. Subtitle A, Subchapter C, Part 164). The Department of Health and Human Services (HHS) is responsible for HIPAA enforcement. HHS does not recognize nor offer a “certification” for HIPAA compliance. HHS provides the following compliance guidance: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

To summarize, this guidance requires a covered entity to do the following:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure workforce compliance.

The fundamental question HIPAA is designed to resolve is whether a given customer’s Personal Health Information (PHI) is secure and subject to third-party dissemination only with the specific consent of the customer.

Specifically, for health information to be considered to be PHI and protectable under HIPAA, it must:

  • be personally identifiable healthcare information; and
  • relate to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  • be created or received by a covered entity; and
  • be transmitted or maintained in electronic media or any other form or medium with respect to a covered transaction.

BLAZE® presumes that your customer’s personal information, which we collect and retain on your behalf, is personally identifiable information (PII) that is relevant and applicable to items 1 and 2 above. Moreover, BLAZE® considers all PII to be covered by the California Privacy Rights Act (CA Civil Code Section 1798.1, et seq.), which is the strictest consumer privacy regulation in the nation. BLAZE’s adherence to the California regulations ensures compliance in all states with consumer privacy regulations. Compliance with the California regulations requires, among other items that are otherwise consistent with HIPAA guidelines, prompt notification to consumers of any breach of PII data, regardless of whether financial information is involved.

Lastly, HIPAA only applies to businesses that transmit or store PHI with respect to a covered transaction. BLAZE® presumes all your transactions we process to be covered transactions. In that regard, BLAZE® utilizes HIPAA-eligible web services and currently holds SOC 1 and SOC 2 certifications. These ensure that we follow strict data security standards in how we operate as a company and how we develop our software. There is a very large amount of overlap between what is covered by these SOC certifications and what is covered by HIPAA guidelines. As stated previously, HIPAA is not a certification, but rather a set of guidelines for compliance that are to be followed. Arguably, the SOC 1 and SOC 2 certifications alone provide substantial compliance with HIPAA guidelines. The corollary is that if your software provider does not have both SOC 1 and SOC 2 certifications, they are most likely not HIPAA compliant.