Mendry    ·    Florida 501(c)(3) Nonprofit    ·    Veteran-Built & Independent

Mendry

Become a Provider →

The Two-Hat Compliance Architecture in 2026: How DOs Maintain the Legal Separation

  • 7 min REAd

The two-hat model — VA Community Care under one hat, state-legal medical cannabis evaluation under the other — works because the two hats stay legally and operationally separate. With the April 23 DEA Schedule III order, the upcoming CCN Next Generation transition, and the pending Veterans Equal Access Act, the regulatory environment around both hats is shifting. The compliance architecture that keeps the model defensible has to evolve too. This is the practical walkthrough of how DOs maintain that separation in 2026.

Bottom Line Up Front

The two-hat model requires four operational separations: separate medical records, separate billing systems, separate consents, and separate documentation per encounter. Each is non-negotiable. The April 23 DEA order changes the federal compliance posture for the cannabis hat but does not change the separation requirements. CMS-0057-F prior authorization rules and the 2026 HIPAA Security Rule update affect the CCN hat. Both hats now operate in tighter regulatory environments.

The four separations that define the two-hat compliance architecture

Separation 1: Medical records. CCN encounters generate documentation that flows into the VA system through CCN documentation submission (Optum or TriWest portals; the new AI-driven eFax processing tool — AIEFF — is rolling out across 2026). State cannabis evaluations generate documentation that lives in a separate, private patient record maintained for state program purposes. The two records do not cross-reference. A patient seen for both should have two distinct records in your practice management system, not one combined record with mixed entries.

Separation 2: Billing. CCN claims go to the regional TPA. State cannabis evaluations are typically self-pay or paid through state program mechanisms — never billed to VA, Medicare, Medicaid, or commercial insurance. Your billing system should treat them as separate service lines with separate fee schedules, separate claim destinations, and separate accounts receivable handling. A single billing event that mixes the two is a compliance failure on both sides.

Separation 3: Consents. CCN treatment consent covers the federally-authorized care being provided through VA Community Care. State cannabis evaluation consent covers the private state-program service. The consents are different documents, signed at different points, with different scopes. A patient should not be asked to sign a single combined consent for both — the legal frameworks are different, and combining them confuses the patient about what they’re agreeing to.

Separation 4: Encounter documentation. Each visit’s clinical note should be either a CCN visit or a state cannabis evaluation, not both. If a patient comes in for CCN-authorized chronic pain management and asks about state cannabis options, that conversation gets documented appropriately in the CCN note (cannabis use is appropriate to discuss and document — VHA Directive 1315 allows this). The actual cannabis evaluation, if pursued, becomes a separate encounter on a separate day with a separate note in the separate state-cannabis record.

The single most common compliance failure

The most common two-hat compliance failure is a single patient encounter that drifts across both hats. The patient comes in for a CCN-authorized visit. The conversation evolves into a state cannabis evaluation. The DO documents both in the CCN note. The result: cannabis evaluation content in the VA system (which violates VHA Directive 1315 if the DO is also acting as a VA clinician), and CCN-authorized care content in the state record (which can complicate the state program audit). This failure mode is preventable with strict encounter-by-encounter discipline.

How the April 23 DEA order changes compliance for the cannabis hat

State-licensed medical marijuana is now Schedule III at the federal level. For DOs operating state cannabis evaluations, this introduces new federal compliance obligations layered on top of the state program requirements:

DEA registration. The expedited registration window for state-licensed operators closes June 22, 2026. Practitioners conducting cannabis-related research must be DEA-registered and source material from a state licensee with valid federal registration at time of transfer.

Schedule III recordkeeping. Schedule III substances have stricter recordkeeping, reporting, security, and labeling requirements than Schedule I. Facilities need to be DEA-accessible. Records of all transactions need to be maintained per Schedule III standards.

State license dependency. A DEA registration automatically suspends if the underlying state license is suspended, revoked, or expires. This adds a layer of risk: a state license issue now also creates a federal compliance gap.

FDCA limbo. The April 23 order leaves unresolved the legal status of marijuana sold as foods, dietary supplements, or unapproved drugs under the Federal Food, Drug, or Cosmetic Act. FDA enforcement discretion is the operative posture, but the legal ambiguity should inform what products DOs reference, recommend, or document around.

How CMS and HIPAA changes affect the CCN hat

The CCN hat operates entirely under federal VA Community Care rules, but the underlying healthcare regulatory environment is shifting in 2026:

CMS-0057-F prior authorization. Operational since January 1, 2026. Standard prior authorization decisions now have a 7-day window (down from up to 14). Expedited decisions: 72 hours. Denials must include specific reasons. While this rule technically applies to Medicare Advantage, Medicaid managed care, CHIP, and Federally-Facilitated Exchange QHPs — not VA — many CCN-side payers and processes are aligning with the same timelines. Build practice workflows assuming 7-day decision windows are the new normal across government payers.

2026 HIPAA Security Rule update. Expected finalization May 2026, enforcement early 2027. Eliminates the “addressable” vs “required” distinction — encryption, MFA, vulnerability scanning, network segmentation, and Business Associate technical verification all become mandatory. There is no small-practice exemption. Both hats must comply.

VA yearlong authorizations. 30 standardized services now carry 12-month authorizations. Update your CCN tracking workflows to reflect the longer windows and add mid-cycle eligibility re-verification at month 6.

The compliance architecture in summary

Four separations (records, billing, consents, encounter documentation). Two regulatory tracks (CCN under VA/CMS/HIPAA; state cannabis under state law plus the new federal Schedule III framework). Multiple parallel changes in 2026 (DEA rescheduling, CCN Next Gen transition, HIPAA Security Rule update, CMS-0057-F operational, AIEFF document processing). Each piece is manageable on its own. The practices that struggle in 2026 are the ones that try to manage them as one combined initiative.

Two-hat compliance architecture checklist
  • Audit your separations: records, billing, consents, encounter documentation — each genuinely separate?
  • If state-licensed for medical cannabis, file DEA registration before June 22, 2026
  • Update Schedule III recordkeeping and security protocols at facility
  • Confirm state license currency — DEA registration suspends if state license fails
  • Map your CCN workflows against CMS-0057-F decision windows (7 days standard, 72 hours expedited)
  • Plan for 2026 HIPAA Security Rule update: encryption, MFA, vulnerability scans, BA verification
  • Update CCN authorization tracking for 12-month windows on standardized services
  • Add month-6 eligibility re-verification to long CCN authorizations
  • Document your two-hat compliance architecture in writing — this is your audit defense
  • Engage healthcare attorney annually to review the architecture against current regulatory environment
  • Track Veterans Equal Access Act in FY2026 budget process — affects VA clinician scope but not your two-hat structure
The principle that holds it all together

The two-hat model is not a compromise. It’s the architecture that makes serving veterans across the federal/state legal seam possible without violating either set of laws. Each hat operates fully within its own legal framework. The separations are not bureaucratic theater — they are the structural integrity of the model. As 2026’s federal cannabis policy continues to shift and the CCN landscape transitions to Next Generation, the architecture is what holds. Maintain it disciplined.

Sources & further reading:Mendry — Dual Roles, Clear Lines: How Osteopathic Providers Can Serve Veterans (Mendry blog, November 2025)
U.S. Department of Justice — Justice Department Places FDA-Approved Marijuana Products in Schedule III (April 2026)
VA Public Health — VA and Marijuana: VHA Directive 1315
CMS — CMS Interoperability and Prior Authorization Final Rule CMS-0057-F
Medcurity — 2026 HIPAA Security Rule Update
CannDelta — DEA Reschedules Medical Marijuana: Guide for State Licensees

IMPORTANT NOTICE: Educational use only. No medical or legal advice. Mendry is a 501(c)(3) nonprofit, not a government agency, and not affiliated with the VA or any federal or state agency. Mendry does not provide treatment, prescribe or sell cannabis, or collect PHI. Healthcare decisions are yours and your licensed clinicians’ only. Emergency: 911 | Veterans Crisis Line: 988 (Press 1)