Cannabis Industry Records Management Requirements
Including records management for digital files and physical files, a records inventory list, and patient records for medical dispensaries.
Importance of Records Management
Operating a business involves a host of transactions, contracts, purchases and sales, tax filings, and numerous other processes for which records must be kept. In order to effectively operate a business – and in order to comply with applicable federal, state, and local laws – the business must maintain these records in an organized, safe, and secure manner.
Implementation of a Records Management System is not simply a matter of staying organized. Damage to or loss of records can lead to legal liability or lawsuits. In the case of a cannabis operation, these consequences could potentially lead to the loss of licenses that allow the business to operate at all.
In the case of a medical dispensary, there are additional legal requirements involving compliance with patient records. Failure to implement an organized, safe, and secure Records Management System can be fatal to the business.
The importance of a Records Management System for cannabis businesses cannot be overstated. The risks posed by improper records management are not just a matter of lost profit but can lead to loss of licenses and possibly forced the closure of the business (that’s why cannabis dispensary training is so desperately needed).
If the operation is a medical dispensary, additional records management requirements apply to patient records. Good managers should maintain an effective Records Management System:
- Records Inventory List
- Destruction Process
- HIPAA Compliance
An effective Records Management System is necessary for the longevity of every business, especially a cannabis business. An organized, safe, and secure Records Management System will minimize the risk of lawsuits or other legal liability that could be fatal to the business.
Records management is critical for maintaining an orderly operation and complying with applicable laws. For this reason, every operation must maintain a Records Management System and follow established procedures.
An effective Records Management System will ensure the organized storage, retention, and protection of all records and supporting data. Every Records Management System must include the following:
- Records Inventory List: The Records Inventory List is a master list of all records and control requirements.
- Destruction Process: The Records Management System must include policies on retention time and destruction/deletion methods of all records.
- HIPAA Compliance: Patient records control and destruction requirements in accordance with HIPAA.
Given the prevalence of digitals records in a modern business, the operation must have specific procedures for the management of all digital files. Below you’ll learn the specific procedures relating to digital files that must be included in every Records Management System:
- System Access Controls
- User Controls and Tracking (Viewing, Printing, Editing, and Deleting)
- Standard File Labeling and Organized Storage Hierarchy
- Data Encryption
- File deletion schedules and processes including deletion of data on obsolete computers and data storage devices.
- Data Backup: Cloud Storage, Digital Storage Service, Offsite Storage (of Backup Hard Drives)
- Automatic File Backup
- Long-Term Protection and File Integrity
Physical Records Management
In addition to the procedures for digital files, the Records Management System must include specific procedures for physical records. So you’ll need to learn the specific procedures relating to physical files that must be included in every Records Management System.
- Restricted Storage Areas
- Lockable Filing Systems
- Sign-In/Sign-Out Procedures for File Review/Removal
- Organized Filing Systems
- Physical Records (filed in a timely manner)
- Destruction Schedules and Processes
- Crisis Protection
- Long-Term Storage and Environmental Controls
- The operation must assign a worker to manage the records system, and the worker must have the time allotment, skills, and experience to adequately meet the position requirements.
- Management must conduct a self-assessment of the records process at least every 90 days, document the assessment, and complete any corrective action.
All records management procedures must comply with applicable federal, state, and local regulations. Records management is critical for maintaining an orderly operation and complying with applicable laws.
Every operation must implement a Records Management System that includes specific procedures for digital files and physical files.
The operation must assign a worker to manage the records system and a manager to conduct a self-assessment every 90 days. Next, we will learn about creating a Records Inventory List.
Records Inventory List
In order to ensure that all records are included in the Records Management System, the operation must list all records used or received by the business on a Records Inventory List. The Records Inventory List should identify the following aspects of the records:
- Each Record (by title)
- Persons/Positions Authorized (to view the record)
- The Revision or Deletion Authorizations
- Retention Period
- Destruction Method
- Storage and Back-Up Requirements
- Record Location
- Other Controls (as required)
The Records Inventory List must identify all records related to the categories listed below. There may be multiple records per category. There are 32 categories that have been grouped into related fields. Below we’ll learn the 32 categories of records that must be identified by the Records Inventory List.
The Records Inventory List must include the following financial records:
- Accounting Ledgers and Reports
- Tax Returns, Tax Correspondence, and Supporting Information
- Payroll and Wages
The Records Inventory List must include the following legal records:
- Contracts and Agreements
- Corporate Organization, Bylaws, Organization Charts
- Intellectual Property
- Legal Files, Court Documents, Attorney Files
- Public Filings
- Security Records
The Records Inventory List must include the following electronic records:
- Logins and Electronic Permissions
- Electronic Mail
The Records Inventory List must include the following employment records:
- Employment and Worker Files
- Training Records and Program Documentation
- Safety and Health (OSHA, worker’s comp, medical, SDS)
The Records Inventory List must include the following operations records:
- Audit Reports, Inspection Reports, and Self-Assessments
- Quality Control Procedures, Logs, and Records
- Vendor Records
- Customer Information
- Patient/Customer Records
- Inventory Records
The Records Inventory List must include the following product records:
- Production Records
- Product Test Data and Test Lab Reports
- Product Transfers
- Test Method Documentation (Lab Only)
- Sample Management and Control Records
Sales and Communication
The Records Inventory List must include the following sales and communication records:
- Sales and Marketing Plans
- Sales Transactions
- Press Releases
Facility and Equipment
The Records Inventory List must include the following facility and equipment records:
- Maintenance Logs for Facilities and Equipment
- Calibration, Maintenance, and Repair Logs
- Sanitation Logs
In order to ensure that all records are included in the Records Management System, the operation must list all records used or received by the business on a Records Inventory List. The List must identify the records using several aspects of the records. There are 32 categories of records that must be included in the Record Inventory List.
As has been discussed in this module, all records management must be done in compliance with federal, state, and local laws. For medical dispensaries, one such law is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A medical dispensary must manage patient records according to HIPAA regulations.
HIPAA Compliant Procedures (United States)
The operation must have procedures and controls for all Protected Health Information such as:
- Medical Record Numbers
- Contact Information
- Diagnosis Codes
- Patient Verification Information (ex. Driver’s License, Passport, etc.)
- Data Security
In order to protect patient records, the operation must install and use website security (SSL Certificate) or similar for patient data access or Internet transmission. Procedures must control patient verification system access and output. Compliance with HIPAA regulations for medical dispensaries requires additional procedures for patient records.
Let us know what you think.