Aside from MMJ dispensaries, are there other organizations in the cannabis ecosystem that need to be concerned with HIPAA compliance?

When dealing with HIPAA it is important to note that not just the medical providers need to be concerned about compliance. The Business Associates that work with medical providers and MMJ dispensaries also need to be aware of the fact that they are also required to adhere to HIPAA rules.

Some possible Business Associates are:

• Data Centers that host PHI*.
• Outbound marketing agencies.
• A CPA firm whose accounting services to a doctor or dispensary involve access to PHI. 
• An attorney whose legal services to a health plan involve access to PHI. 
• Any consultant that has access to PHI records. 
• CRM, ERP and POS system providers.

*PHI - Protected Health Inofrmation includes the following:

• First and/or Last Names
• All geographical identifiers smaller than a state
• Dates (other than year) directly related to an individual
• Phone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Medical record numbers
• Health insurance numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web URLs
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data