Schedule III Is Coming:
Is Your IT Ready for HIPAA?
February 12, 2026 · 9 min read
On December 18, 2025, President Trump signed Executive Order 14370 directing the Attorney General to reschedule cannabis to Schedule III. While the final rulemaking is still in progress, the direction is clear — and the IT implications are significant. If cannabis becomes a Schedule III substance and insurance companies begin covering it, medical dispensaries that submit electronic claims will likely become HIPAA-covered entities. That triggers a cascade of cybersecurity requirements most cannabis businesses aren't remotely prepared for.
How Schedule III triggers HIPAA
HIPAA applies to "covered entities": health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with HIPAA standard transactions, most commonly insurance claims. Today, most cannabis dispensaries aren't covered entities because federal illegality keeps insurers out, so no standard electronic transactions take place. Schedule III changes that equation. If cannabis can be lawfully covered by insurers and a dispensary submits electronic claims for it, the dispensary meets the covered-entity definition and the full Privacy, Security, and Breach Notification Rules apply. Note that the trigger is the electronic transaction, not the product: a cash-only dispensary that never bills a payer electronically is not a covered entity, but it still falls under the state laws described below.
Illinois already requires medical cannabis dispensaries to comply with HIPAA. Washington's My Health My Data Act imposes health-data protections regardless of HIPAA status. These are previews of what's coming nationally.
What HIPAA requires from your IT infrastructure
Encryption everywhere
Protected health information (PHI) should be encrypted at rest and in transit: full-disk encryption on POS terminals and workstations, encrypted database storage, TLS on every internal and external connection, and encrypted backups. Under the current Security Rule, encryption is an "addressable" specification, meaning you either implement it or document why an equivalent alternative is reasonable; the Security Rule update HHS proposed in January 2025 would make it mandatory with narrow exceptions, so plan for encryption everywhere now. The payoff is concrete: properly encrypted PHI is not "unsecured" PHI under the Breach Notification Rule, so a lost encrypted laptop is not a reportable breach, while a lost unencrypted one is. Encryption only counts if the keys live apart from the data; a database backup that ships with its decryption key in the same archive protects nothing.
Access controls and audit logging
Every person who accesses patient data needs a unique credential (no shared "frontdesk" logins), role-based access that limits what each person can see, and every access event logged and retained. Unique user identification and audit controls are both required specifications, not addressable ones. Your POS system, seed-to-sale platform, and patient management system each need their own audit trail, and the trail must be attributable: a shared login produces a log entry that identifies no one, which is useless in an investigation and a finding in an audit. HIPAA requires Security Rule documentation to be kept for six years, and most compliance programs apply the same retention period to audit logs.
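As an added illustration (this is not code from the article or from any vendor it mentions), the following Python sketch shows what "unique, role-based, and logged" looks like in practice: each workforce member has an individual ID, a role decides which PHI fields that person may read, and every attempt, allowed or denied, is appended to a hash-chained audit log so that later edits to the log are detectable. The users, roles, field names and patient record are constructed sample data; a real deployment would back the log with write-once storage or a SIEM rather than an in-memory list.

```python
"""Role-based PHI access with an attributable, tamper-evident audit trail.

Added example, not part of the original article. ROLE_PERMISSIONS, USERS and
the patient record below are constructed sample data for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# PHI fields each role may read. A "budtender" sees only what dispensing
# needs; an "auditor" reviews logs but reads no PHI. (Constructed roles.)
ROLE_PERMISSIONS = {
    "budtender": {"patient_id", "allotment_remaining"},
    "pharmacist": {"patient_id", "allotment_remaining", "recommendation", "diagnosis"},
    "auditor": set(),
}

# One credential per person. There is deliberately no shared "frontdesk"
# account: a shared login would make every audit entry unattributable.
USERS = {
    "jdoe": "budtender",
    "asmith": "pharmacist",
}

GENESIS = "0" * 64  # hash the first entry chains to


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({**event, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Return True if no entry was altered, reordered or removed."""
        prev = GENESIS
        for e in self.entries:
            event = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or self._digest(prev, event) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def outcomes(self):
        return [(e["user"], e["outcome"]) for e in self.entries]


def read_phi(log, user_id, patient_record, fields, now=None):
    """Return the requested PHI fields if the caller's role permits all of them.

    Every attempt is logged before the decision is enforced, so denied
    attempts (a common early warning of snooping) appear in the trail too.
    """
    role = USERS.get(user_id)                      # None for unknown IDs
    allowed = ROLE_PERMISSIONS.get(role, set())
    denied = sorted(set(fields) - allowed)
    outcome = "denied" if (role is None or denied) else "allowed"
    log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user_id,
        "role": role,
        "patient": patient_record["patient_id"],
        "fields": sorted(fields),
        "outcome": outcome,
    })
    if outcome == "denied":
        raise PermissionError(f"{user_id} ({role}) may not read {denied}")
    return {f: patient_record[f] for f in fields}


if __name__ == "__main__":
    # Constructed patient record for the demo.
    record = {"patient_id": "P-001", "allotment_remaining": 2.5,
              "recommendation": "sample", "diagnosis": "sample"}
    log = AuditLog()
    print(read_phi(log, "jdoe", record, ["allotment_remaining"]))
    for user, fields in (("jdoe", ["diagnosis"]), ("frontdesk", ["patient_id"])):
        try:
            read_phi(log, user, record, fields)
        except PermissionError as exc:
            print("denied:", exc)
    print("chain intact:", log.verify())
    log.entries[1]["user"] = "asmith"              # simulate log tampering
    print("chain intact after edit:", log.verify())
```

The denied attempts are the interesting part of the log: a budtender repeatedly requesting diagnosis fields, or a login ID that is not in the user table at all, is exactly what a risk assessment should ask you to alert on.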
Security risk assessments
HIPAA requires a documented risk analysis evaluating threats and vulnerabilities to PHI, plus a risk management plan that addresses what the analysis finds. This isn't a one-time checklist. The current rule requires periodic review; HHS's January 2025 proposed update would make it explicit at least every 12 months and after any material change, and annual review is already the baseline auditors expect. Redo it whenever you add a system that touches patient data: a new POS, a new cloud provider, a new integration with an insurer.
Business associate agreements
Every vendor that touches patient data — your POS provider, cloud hosting company, payment processor, IT managed services provider — needs a signed Business Associate Agreement (BAA) specifying their HIPAA obligations. Vendors who won't sign a BAA can't handle your patient data. Period.
Workforce training
Every employee with access to patient information needs documented HIPAA security training. For cannabis operations with 40–60% turnover in the first two months, this means continuous onboarding training programs — not an annual webinar.
The penalty for getting this wrong
HIPAA violations carry fines up to $71,162 per violation (2026 inflation-adjusted), with annual maximums reaching $2.19 million per violation category. Criminal penalties for knowing violations can include imprisonment. For a cannabis dispensary already operating under intense regulatory scrutiny, a HIPAA violation could compound into a license-threatening event.
What you should do now — before the rule is final
Don't wait for the Federal Register notice. The operators who prepare now will transition smoothly; those who wait will scramble. Start with an IT security assessment to identify gaps against HIPAA's Security Rule. Implement encryption on all systems handling patient data. Eliminate shared logins and deploy MFA. Begin documenting your security policies and procedures. Identify every vendor that touches patient data and start BAA conversations. Build an employee training program that accounts for your turnover rate.
Regardless of whether your specific operation becomes a HIPAA-covered entity, every action on this list strengthens your cybersecurity posture and your compliance readiness under existing state privacy laws like CCPA and Washington's My Health My Data Act.
This article is for informational purposes only and does not constitute legal or regulatory advice. The regulatory landscape around cannabis rescheduling is evolving. Consult qualified legal counsel for guidance specific to your operation.
Get HIPAA-ready before the deadline hits.
Book a free assessment. We'll evaluate your current infrastructure against HIPAA's Security Rule and show you exactly what needs to change.