Datalyst Blog
Massachusetts Businesses Really Need to Protect Medical Data
While it is obviously important for any business to keep medical data safe (we’ll review why in a moment), businesses here in Massachusetts should find it particularly pressing due to a few laws that we have on the books. Let’s review what these laws say, and what can be done to make sure a business is compliant.
First of all, if we’re talking about medical data, we need to talk about the Health Information Portability and Accessibility Act (HIPAA).
What Does HIPAA Require a Business to Do?
The Health Information Portability and Accessibility Act of 1996 was created in an effort to make a national standard concerning the protection of a patient’s sensitive health information. It does so in two parts: the Privacy Rule, and the Security Rule.
The HIPAA Privacy Rule
This section of the act establishes the controls that an individual has over how their information is used, while (more pertinent to our purposes here) also defining who is beholden to the Privacy Rule and, by extension, the greater tenets of HIPAA. These “covered entities,” as the law calls them, include healthcare providers, insurance companies, and business associates—in other words, any business that works with one of the other covered entities and handles this kind of data as a part of their services.
The HIPAA Security Rule
This section of the act takes the Privacy Rule and specifically applies it to electronic data—namely, any electronic data that one of the above covered entities develops, communicates, or stores. The Security Rule requires that these entities:
- Make sure that all electronic protected health information (ePHI) remains confidential and secure, while also readily available to those authorized to see it
- Protect ePHI against any anticipated threats
- Prevent ePHI from being used or disclosed in a way that goes against the Privacy Rule
- Ensure that their workforces are prepared to maintain these standards
Breaking either of these rules or otherwise violating the requirements of HIPAA can cost organizations a pretty penny: each willful violation comes with a minimum fine of $50,000, and a maximum of $250,000, in addition to reimbursing any victims of this violation and potentially serving jail time.
Yikes.
What Does Massachusetts Law Require a Business to Do?
Supplementing HIPAA, Massachusetts has passed a variety of legislation that adds additional data protections onto patient records. For our purposes, we’ll focus on one in particular: 201 CMR 17, or the Standards for the Protection of Personal Information of Residents of the Commonwealth.
201 CMR 17
This law, while not specific to the healthcare field, complements HIPAA quite well, as it establishes its own standards that any business or individual must follow if they possess the personal information of a Massachusetts resident. The law outlines some very demanding requirements regarding the steps that must be taken, including:
- Developing and implementing a comprehensive information security program
- Assigning an employee to maintain this program
- Evaluating the risks various cyberthreats pose, and how prepared the organization is to handle them
- Developing the policies necessary to protect data from the aforementioned risks
- Ensuring all vendors and business associates are abiding by similarly stringent policies
The law also outlines what this business’ or individual’s cybersecurity needs to look like, specifying different authentication protocols, access control measures, encryption requirements, monitoring standards, update policies, and user education that a business needs to uphold.
The full contents of the law can be found on the state’s website.
We Can Help You Ensure Compliance with These Requirements
We are well-versed in, and practiced at, implementing the cybersecurity solutions and policies that fit these requirements to the letter, and we can even help you evaluate your users on their cybersecurity awareness and your network on its resilience to threats. To find out more about what we can offer you, give us a call at (774) 213-9701 today.