I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.
What is the extent of my "monitoring" obligation?
The monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.
What are the penalties for non-compliance?
The penalties for non-compliance with 201 CMR 17 are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4. Violators face a civil penalty of $5,000 for each violation, are required to pay the reasonable costs of investigation and litigation of such violation (including reasonable attorney's fees), and are exposed to additional civil action, since 201 CMR 17 creates a baseline standard that allows plaintiffs in civil suits to argue that a business that lost data was negligent. Title XV also requires that any data breach be reported to both the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General.
Do you have a checklist to help me comply with 201 CMR 17?
You can find a detailed checklist here, but here are some quick guidelines to help you get started:
- Document a written information security program ("WISP") applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts ("PI")
- Document any actions taken in connection with any breach of security, and require a post-incident review of the events and of the actions taken, so that security can be improved
- Assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access, and ensure those IDs and passwords are reasonably designed to maintain the security of those access controls
- Limit access to PI records to those persons who have a "need to know" in connection with your legitimate business purposes, or in order to comply with state or federal regulations
- Encrypt all PI records and files that are transmitted across public networks, or that are to be transmitted wirelessly
- Encrypt all PI stored on laptops or other portable devices
- Deploy a log management solution for security and compliance to alert you to the occurrence of unauthorized use of or access to PI
- Ensure and document that any system connected to the Internet has up-to-date firewall protection for files containing PI, and up-to-date operating system security patches, to maintain the integrity of the PI
- Deploy system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions
- Establish training for employees on the proper use of your computer security system, and the importance of PI security
- Establish a procedure for regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI, and for upgrading it as necessary
- Review your security measures at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records