HIPAA Compliance in Massachusetts: State-Specific Requirements for Covered Entities and Business Associates
Massachusetts overlays HIPAA with additional privacy and security duties that affect how you prepare for breaches, secure systems, and respond to patient requests. This guide explains the state-specific rules that apply to covered entities and business associates operating in the Commonwealth—and how to align them with your HIPAA obligations.
Massachusetts Data Breach Notification Requirements
Who must notify and whom to notify
If you own or license “personal information” about a Massachusetts resident and experience a breach, you must notify: (1) the affected residents; (2) the Massachusetts Attorney General; and (3) the Office of Consumer Affairs and Business Regulation (OCABR). Vendors that maintain but do not own the data must notify the owner/licensor, who then notifies regulators and residents. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3))
Timelines and permissible delays
State law requires notice “as soon as practicable and without unreasonable delay.” There is no fixed day-count under Chapter 93H, but notice may be delayed if a law-enforcement agency determines that notification would impede a criminal investigation. Once that risk ends, send notice without unreasonable delay. Remember that HIPAA breach notices for PHI still carry a federal outer limit of 60 days—plan to meet both standards. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3))
What goes in (and stays out of) the resident notice
Resident notices must include the consumer's right to obtain a police report, how to request a security freeze and what information must be provided with that request, that there is no charge for a security freeze, and any mitigation services offered. Do not include the nature of the breach or the number of affected residents in the resident notice (those details go to regulators). ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3))
Credit monitoring when SSNs are involved
If Social Security numbers were disclosed or reasonably believed to be disclosed, you must offer at least 18 months of free credit monitoring (42 months if the breached entity is a consumer reporting agency) and certify compliance to the AG and OCABR. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3A))
Data breach notification compliance tips
- Maintain draft templates for AG/OCABR and resident notices aligned to Chapter 93H content rules.
- Document “law enforcement delay” decisions and re-start timelines the day the hold lifts.
- Map HIPAA breach response steps to state notice triggers to avoid gaps or duplication.
Written Information Security Program Rules
Who is covered and what “personal information” means
Massachusetts’ data-security regulation, 201 CMR 17.00, applies to any person or organization that owns or licenses personal information (PI) about a Massachusetts resident, regardless of sector. PI includes a resident’s name plus SSN, driver’s license/ID number, or financial account numbers (with or without required codes). ([mass.gov](https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-ma-residents?utm_source=openai))
Core elements your WISP must address
- Administrative, technical, and physical safeguards appropriate to your size, scope, data volume, and risks.
- Secure user authentication and access controls; encryption of PI transmitted across public networks and stored on portable devices.
- Firewall protection, up‑to‑date malware protection, and security patching on Internet-connected systems containing PI.
- Vendor oversight with contractual requirements to maintain appropriate security measures.
- Ongoing monitoring, workforce training, enforcement, and periodic program review/upgrades. ([mass.gov](https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download?utm_source=openai))
Where Multi-factor Authentication fits
201 CMR 17.00 doesn’t use the phrase “Multi-factor Authentication,” but its secure user authentication requirements, read against today's threat environment, make MFA a practical control, especially for remote access and privileged accounts. The upcoming HIPAA Security Rule update (see below) explicitly proposes MFA across relevant ePHI systems, which will further normalize MFA across your environment. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
Patient Medical Records Access Regulations
HIPAA baseline: access to Designated Record Sets
Under HIPAA, individuals can access PHI in their Designated Record Sets (DRS)—medical and billing records and other records used to make decisions about them—generally within 30 days (with one 30‑day extension if needed). You must provide the format requested if readily producible and charge only a reasonable, cost‑based fee. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
Massachusetts overlay: who may inspect, copying fees, and retention
Mass. Gen. Laws Chapter 111 §70 grants patients the right to inspect their hospital/clinic records and obtain copies. By statute, hospitals and clinics may charge up to a $15 base fee plus $0.50 per page for the first 100 pages and $0.25 thereafter; certain benefit‑related requests are fee‑exempt. Separate Board of Medicine rules require timely fulfillment and prohibit conditioning release on payment for care. Hospitals must retain records for at least 20 years after discharge/final treatment. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXVI/Chapter111/Section70?utm_source=openai))
Reconciling state fees with HIPAA
If you are a HIPAA‑covered entity, HIPAA’s reasonable, cost‑based fee rule governs your PHI access charges; the Massachusetts fee schedule is most relevant for non‑HIPAA entities and non‑PHI requests. Build workflows that (1) identify whether HIPAA applies; (2) determine DRS scope; and (3) apply the correct fee rule before invoicing. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
Disclosures to Public Health and Health Oversight Authorities
Public health reporting
HIPAA permits disclosure of PHI without authorization to public health authorities, including the Massachusetts Department of Public Health (DPH), for disease reporting, surveillance, investigations, or interventions. Apply the minimum necessary standard unless another law requires otherwise; you may rely on the public health authority’s representation of what is minimally necessary. Massachusetts regulations confirm that required disease reporting to DPH does not violate HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html))
Health oversight activities
HIPAA also permits disclosures to health oversight agencies (e.g., state medical boards, Medicaid Fraud Control Units, HHS/OCR) for audits, investigations, licensure, and similar oversight functions authorized by law—again subject to minimum necessary. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))
What to document
- The legal authority for disclosure (e.g., 45 CFR 164.512(b) or (d), 105 CMR 300.000 for specific conditions).
- The scope of PHI released and your minimum‑necessary rationale or reliance on the authority’s request.
- Any attestations required by federal rule (e.g., reproductive health contexts under the 2024 HIPAA Privacy Rule). ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf))
HIPAA Security Rule Updates for 2026
Where things stand as of May 26, 2026
On January 6, 2025, HHS/OCR published a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule. Final action is targeted for 2026. Even before the final rule arrives, you can begin implementing controls the NPRM proposes or clarifies. ([govinfo.gov](https://www.govinfo.gov/app/details/FR-2025-01-06/2024-30983?utm_source=openai))
Key proposals you should plan for
- Multi-factor Authentication: Require MFA across relevant ePHI systems, with narrow exceptions (e.g., unsupported devices, emergencies) and required compensating controls and migration plans. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
- Encryption: Adopt encryption for ePHI that meets prevailing cryptographic standards for data in transit and at rest. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
- Asset inventory and risk analysis: Maintain a current inventory of technology assets that create, receive, maintain, or transmit ePHI as part of the risk analysis process. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
- Vulnerability and patch management: Patch critical risks within 15 days and high risks within 30 days, when updates are available. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
- Penetration testing and logging: Conduct periodic penetration tests; implement audit trails and system logs with real‑time monitoring and alerts; test technical controls at least annually. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
- Incident response and BA coordination: Formalize written incident response plans, test them annually, and clarify how business associates report security incidents; OCR solicited comment on 24‑hour notices after contingency plan activation. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
Note: These items reflect proposals in the NPRM; your final obligations will depend on HHS’s final rule text. Building toward these controls now will accelerate compliance and reduce cyber risk. ([govinfo.gov](https://www.govinfo.gov/app/details/FR-2025-01-06/2024-30983?utm_source=openai))
Duty to Protect Personal Information
HIPAA meets Massachusetts Chapter 93H and 201 CMR 17.00
Beyond safeguarding Protected Health Information (PHI) under HIPAA’s Security Rule, organizations in Massachusetts have a statutory duty to protect residents’ personal information. Chapter 93H directs the state to adopt security regulations (201 CMR 17.00), which require a comprehensive, risk‑based Written Information Security Program scaled to your business and data footprint. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section2))
Action checklist
- Inventory PHI and PI, and map where each is stored, processed, and transmitted.
- Implement Multi-factor Authentication for remote/privileged access and encrypt ePHI/PI in transit and on portable media.
- Embed vendor due diligence and contractual safeguards; verify service‑provider security routinely.
- Test, log, and monitor: real‑time alerts, annual pen tests, and timely patching.
- Keep your WISP and HIPAA security documentation current; conduct and document workforce training. ([mass.gov](https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download?utm_source=openai))
Massachusetts Department of Public Health Confidentiality Procedures
Confidentiality of reportable disease data
DPH’s reportable disease regulations require strict confidentiality for personally identifying information collected for surveillance and case management. Records reported to or collected by DPH or local boards of health must be secured and treated as confidential, including within the MAVEN surveillance system. ([regulations.justia.com](https://regulations.justia.com/states/massachusetts/105-cmr/title-105-cmr-300-000/section-300-120/?utm_source=openai))
Agency policies and privacy notices
DPH maintains written confidentiality policies and publishes public health privacy notices describing how it safeguards PHI collected for licensure, inspections, and disease surveillance, including enhanced protections for sensitive conditions (e.g., HIV/STD). Align your disclosure practices to those frameworks when interacting with DPH. ([mass.gov](https://www.mass.gov/info-details/public-health-confidentiality-policy-and-procedures?utm_source=openai))
In practice, you should route reportable conditions through approved channels, share only the minimum necessary for public health purposes, and maintain documentation that links each disclosure to its legal authority.
FAQs
What are the specific breach notification timelines in Massachusetts?
There’s no fixed day-count in Chapter 93H. You must notify affected residents, the AG, and OCABR “as soon as practicable and without unreasonable delay.” If law enforcement determines notice would impede an investigation, you may delay—but send notice promptly once the hold is lifted. If PHI is involved, you also must meet HIPAA’s 60‑day outer limit. ([malegislature.gov](https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3))
How does Massachusetts law affect patient access to medical records under HIPAA?
HIPAA gives patients access to their Designated Record Sets, usually within 30 days and at a reasonable, cost‑based fee. Massachusetts law affirms inspection and copying rights and sets fee caps for hospitals/clinics (e.g., base fee and per‑page limits), with fee waivers for certain benefit claims. If HIPAA applies, follow HIPAA’s fee rule; use the state fee schedule mainly when HIPAA does not apply. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
What new security measures are required under the 2026 HIPAA updates?
As of May 26, 2026, HHS/OCR has proposed—via a January 6, 2025 NPRM—controls such as mandatory Multi-factor Authentication, encryption meeting prevailing cryptographic standards, required penetration testing and enhanced logging/monitoring, defined patch timelines (e.g., 15 days for critical risks), and more rigorous incident response/testing. Monitor the final rule for exact requirements and timelines. ([govinfo.gov](https://www.govinfo.gov/app/details/FR-2025-01-06/2024-30983?utm_source=openai))
What disclosures are permitted to public health authorities without patient consent?
HIPAA permits disclosures without authorization to public health authorities (like Massachusetts DPH) for activities such as disease reporting, surveillance, and interventions. Apply minimum necessary, except when another law requires the disclosure; you may rely on the authority’s representation of what is minimally necessary. Disclosures for health oversight activities are also permitted under HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.