Awareness article
Massachusetts 201 CMR 17.00 and HIPAA: What Clinics Need to Know
Massachusetts 201 CMR 17.00 requires a Written Information Security Plan and specific encryption controls for any entity handling personal information about Massachusetts residents — adding requirements on top of HIPAA's Security Rule for Massachusetts clinics.
Short answer
Massachusetts 201 CMR 17.00 imposes specific Written Information Security Plan (WISP) requirements, mandatory encryption for personal information on portable devices, and a 30-day breach notification deadline under MGL c. 93H on any entity that stores personal information about Massachusetts residents — adding concrete obligations on top of HIPAA's Security Rule for Massachusetts clinics.
Massachusetts clinics subject to HIPAA must also comply with two Massachusetts-specific frameworks: the security regulation at 201 CMR 17.00 and the breach notification statute at Massachusetts General Laws Chapter 93H. Both apply to any entity that handles personal information about Massachusetts residents, with no exemption for HIPAA-covered entities. Knowing where these state requirements add to HIPAA — not just overlap it — determines what your clinic still needs to do after its HIPAA program is in place.
201 CMR 17.00 Overview
The Massachusetts Office of Consumer Affairs and Business Regulation promulgated 201 CMR 17.00 — formally titled “Standards for the Protection of Personal Information of Residents of the Commonwealth” — under the authority of MGL c. 93H. The regulation applies to any person or entity that owns, licenses, stores, receives, maintains, processes, or otherwise has access to personal information about a Massachusetts resident in connection with business activities or employment.
“Personal information” under 201 CMR 17.00(1) means a Massachusetts resident’s first name (or first initial) and last name in combination with any of the following:
- Social Security number
- Driver’s license or state ID number
- Financial account number, credit or debit card number, with or without any required security code
Medical records are not separately enumerated in 201 CMR 17.00’s definition of personal information, but every patient record that includes a financial account number or Social Security number falls within scope. Nearly every clinic collecting standard patient demographics is subject to the regulation.
The Written Information Security Plan Requirement
The centerpiece of 201 CMR 17.00 is the mandatory Written Information Security Plan (WISP). Under 201 CMR 17.03, every covered entity must develop, implement, and maintain a comprehensive security program that contains administrative, technical, and physical safeguards. That program must be documented in a WISP. The required contents include:
Designated program coordinator. The WISP must identify an employee or employees responsible for maintaining the information security program.
Risk assessment. The plan must include an assessment of the internal and external risks to the security, confidentiality, and integrity of records containing personal information. This maps closely to the HIPAA Security Rule’s risk analysis requirement at 45 CFR § 164.308(a)(1), but must be documented in the WISP.
Employee training. The WISP must include provisions for training employees in the proper use and protection of personal information and in the requirements of the security program.
Vendor contract requirements. Any third-party service provider that receives, stores, maintains, processes, or otherwise has access to personal information must be contractually required to protect that information. This runs parallel to — but is not identical to — HIPAA’s business associate agreement requirement.
Documentation of responsive measures. The WISP must provide for documentation of how the entity responds to breaches and reviews the effectiveness of the security program after incidents.
Relationship to HIPAA’s Security Rule
HIPAA’s Security Rule at 45 CFR §§ 164.308–164.316 requires a documented security program, risk analysis, workforce training, and security incident procedures — all of which correspond to elements of a WISP. A clinic with a mature HIPAA Security Rule program will have substantial overlap with the 201 CMR 17.00 WISP requirements.
The two frameworks are not identical. Your WISP must be a single, cohesive written document — or an organized, labeled set of policies — specifically designated as your information security program. Many clinics keep HIPAA policies scattered across separate documents: a risk analysis here, a workforce training policy there, a separate incident response plan. Massachusetts law requires these elements to be organized and identifiable as your unified WISP. In a regulatory audit, a clinic that cannot produce its WISP is non-compliant regardless of whether its individual policies are sound.
Encryption Requirements for Portable Devices
201 CMR 17.04 specifies technical security measures that must be part of every covered entity’s security program. The most significant requirement for clinics is the encryption mandate at 201 CMR 17.04(6), which requires:
- Encryption of all personal information stored on laptops and other portable devices
- Encryption of all personal information stored on portable storage media (USB drives, external hard drives, backup tapes)
- Encryption of personal information transmitted over public networks
This is a mandatory requirement — not an addressable specification like HIPAA’s encryption standard. A Massachusetts clinic that lets clinicians take patient records home on unencrypted laptops violates 201 CMR 17.04(6) even if the clinic has documented an equivalent alternative that satisfies the addressable HIPAA encryption specification.
Practical controls that satisfy this requirement include:
- Full-disk encryption (BitLocker on Windows, FileVault on macOS) on all clinic laptops and mobile devices that may store personal information
- Prohibition of unencrypted portable storage media for any personal information
- Encrypted email or file transfer for communications containing patient-identifying information
The requirement applies whether the device belongs to the clinic or is a personal device used for work under a BYOD policy. If your clinic has a BYOD program, you must ensure that personal information stored on employees’ personal devices is encrypted.
Massachusetts Breach Notification: MGL c. 93H
Massachusetts General Laws Chapter 93H requires any person or entity that maintains or stores personal information about Massachusetts residents to notify affected individuals and the Massachusetts Attorney General when a breach occurs. The notice obligations are:
To affected individuals: Notice must be provided in the most expedient time possible and without unreasonable delay, but no later than 30 days after discovering the breach. The notice must include: (1) the consumer’s right to obtain a police report; (2) how to request a security freeze and the fees for doing so; and (3) the toll-free numbers and addresses for consumer reporting agencies.
To the Massachusetts AG: Concurrent with notification to affected individuals, the entity must notify the Massachusetts Attorney General’s Office. Massachusetts maintains an online portal for AG breach notification submissions.
HIPAA’s Breach Notification Rule at 45 CFR § 164.404 provides a 60-day ceiling for notification to affected individuals. For a Massachusetts clinic subject to both laws, the 30-day MGL c. 93H deadline is the operative outer limit for notifying Massachusetts residents. The clinic cannot take the full HIPAA 60 days for Massachusetts residents.
What Massachusetts Clinics Must Do
Produce or update your WISP. If your clinic does not have a single, cohesive written document that can be produced on demand as your information security program, create one. If HIPAA policies already exist, consolidate and cross-reference them into a WISP that explicitly meets 201 CMR 17.03’s requirements.
Encrypt all portable devices. Audit every laptop, mobile device, and portable storage medium used in connection with clinic operations. Enable full-disk encryption on all devices. Document that encryption has been enabled and by whom.
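The audit step above is easy to state and tedious to evidence. The following script is an added example, not code from the article or from PHIGuard: it parses the status output of the two encryption tools the article names (BitLocker via `manage-bde -status` on Windows, FileVault via `fdesetup status` on macOS), records who checked each device and when, and fails closed, so a device whose output cannot be parsed is reported as non-compliant rather than silently passed. The tool outputs embedded below are constructed samples that approximate the real format; in practice you would capture them from each device.

```python
"""Encryption audit evidence for portable devices (added example, 201 CMR 17.04(6) context).

Assumes: status text captured from `manage-bde -status` (Windows) or
`fdesetup status` (macOS). Hostnames, dates and operator names are constructed.
"""
import re
from dataclasses import dataclass, asdict
from datetime import date
from typing import Iterable, List, Optional

# --- constructed sample tool outputs (not real device captures) -----------------
WIN_ON = """Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
WIN_OFF = """Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""
MAC_ON = "FileVault is On.\n"
MAC_OFF = "FileVault is Off.\n"

_BITLOCKER_STATUS = re.compile(r"Protection Status:\s+Protection (On|Off)", re.I)
_FILEVAULT_STATUS = re.compile(r"FileVault is (On|Off)\.", re.I)


@dataclass(frozen=True)
class EncryptionCheck:
    """One row of audit evidence: what was checked, the result, by whom, and when."""
    hostname: str
    platform: str      # "windows" or "macos"
    encrypted: bool
    checked_by: str    # the person who verified/enabled encryption
    checked_on: str    # ISO-8601 date


def bitlocker_protected(manage_bde_output: str) -> bool:
    """True only if manage-bde lists at least one volume and every volume has protection on.

    No parsable status line means we cannot prove encryption, so the answer is False.
    """
    states = _BITLOCKER_STATUS.findall(manage_bde_output)
    return bool(states) and all(s.lower() == "on" for s in states)


def filevault_enabled(fdesetup_output: str) -> bool:
    """True only if fdesetup explicitly reports FileVault On (unknown counts as Off)."""
    match = _FILEVAULT_STATUS.search(fdesetup_output)
    return match is not None and match.group(1).lower() == "on"


def record_check(hostname: str, platform: str, tool_output: str,
                 checked_by: str, checked_on: Optional[date] = None) -> EncryptionCheck:
    """Turn a captured tool output into a dated, attributed evidence record."""
    if platform == "windows":
        encrypted = bitlocker_protected(tool_output)
    elif platform == "macos":
        encrypted = filevault_enabled(tool_output)
    else:
        raise ValueError(f"unsupported platform: {platform}")
    when = (checked_on or date.today()).isoformat()
    return EncryptionCheck(hostname, platform, encrypted, checked_by, when)


def noncompliant(checks: Iterable[EncryptionCheck]) -> List[str]:
    """Hostnames that must not leave the clinic with personal information on them."""
    return sorted(c.hostname for c in checks if not c.encrypted)


def evidence_rows(checks: Iterable[EncryptionCheck]) -> List[dict]:
    """Plain dicts suitable for writing to CSV/JSON as WISP documentation."""
    return [asdict(c) for c in checks]


def demo() -> List[str]:
    """Run the audit over a constructed five-device fleet; returns the non-compliant hosts."""
    checked = date(2024, 1, 15)
    fleet = [
        record_check("clinic-lt-01", "windows", WIN_ON, "it-admin", checked),
        record_check("clinic-lt-02", "windows", WIN_OFF, "it-admin", checked),
        record_check("clinic-lt-03", "windows", "", "it-admin", checked),   # capture failed
        record_check("clinic-mbp-01", "macos", MAC_ON, "it-admin", checked),
        record_check("clinic-mbp-02", "macos", MAC_OFF, "it-admin", checked),
    ]
    for row in evidence_rows(fleet):
        print(row)
    return noncompliant(fleet)


if __name__ == "__main__":
    print("non-compliant:", demo())
```

The fail-closed choice matters for the documentation requirement: a device with a missing or garbled capture appears on the non-compliant list until someone re-runs the check, which is the behaviour you want when the record may later be read by an auditor.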
Update your breach response plan. Set the 30-day Massachusetts deadline as the governing notification window for breaches affecting Massachusetts residents. Build AG notification into the immediate response steps. For a template starting point, see the HIPAA breach notification templates and add Massachusetts-specific elements.
Review vendor contracts. Confirm that third-party vendors with access to personal information about Massachusetts residents have contractual security obligations. This requirement applies to any vendor touching personal information, not only vendors handling PHI under a business associate agreement. See how small clinics track vendor BAAs for a vendor management framework that can be extended to cover 201 CMR 17.00 vendor requirements.
Train staff on WISP requirements. Employee training is an explicit requirement of 201 CMR 17.03. Training must cover the security program’s requirements and the proper handling of personal information. Document the training, including who was trained, when, and the content covered.
Massachusetts Mental Health Record Protections
Beyond 201 CMR 17.00 and MGL c. 93H, Massachusetts clinics that provide mental health services should be aware of Massachusetts General Laws Chapter 123, Section 36, which governs the confidentiality of records created in the course of mental health treatment. Disclosure of these records generally requires patient authorization, a court order, or a specific statutory exception. This operates alongside — and in some situations is stricter than — HIPAA’s Privacy Rule provisions for psychotherapy notes at 45 CFR § 164.508(a)(2).
For a broader view of administrative safeguard requirements that underpin Massachusetts compliance, see HIPAA administrative safeguards. For audit log requirements that support breach detection and documentation, see HIPAA audit log requirements for small clinics.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- 201 CMR 17.00 — Standards for the Protection of Personal Information of Residents of the Commonwealth · Massachusetts Office of Consumer Affairs and Business Regulation
- Massachusetts General Laws Chapter 93H — Security Breaches · Massachusetts Legislature
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR