Massachusetts security regulations

On Monday, March 1, 2010, regulations to protect the security of personal information of Massachusetts residents went into effect. These regulations can be found at 201 CMR 17.00, and are called the “Standards for the Protection of Personal Information of Residents of the Commonwealth.”

Personal information is defined as a Massachusetts resident’s first name (or first initial) and last name in combination with one or more of the following: a Social Security number; a driver’s license or state-issued identification card number; or a financial account number, credit card number or debit card number. Every business that owns or licenses this type of information about Massachusetts residents, wherever the business is located, must comply with the regulations. This includes health plans, providers, employers, and stores, from the corner store to large department stores. The security safeguards that must be implemented under these regulations include, but are not limited to:

  • Development of a comprehensive, company-wide written information security program (WISP)
  • Encryption of email, and of any other transmission over a public network or wireless link, that contains personal information
  • Encryption of personal information stored on laptops and other portable devices or media (for example, back-up tapes)
  • Development and implementation of policies and procedures
  • Amendment of contracts to require service providers to implement security measures consistent with these regulations

Fallon Community Health Plan (FCHP) closely followed the drafting and enactment of these Massachusetts regulations. The final regulation no longer requires owners or licensees of personal information to obtain written certifications from service providers that they have written information security programs. However, the regulation does require owners and licensees of personal information to require service providers, by contract, to implement and maintain appropriate security measures for personal information.

Existing contracts or agreements (those entered into before March 1, 2010) must be amended on or before March 1, 2012. New contracts entered into with service providers on or after March 1, 2010, must include language requiring the service provider to implement and maintain appropriate security measures.

FCHP is in compliance with 201 CMR 17.00 and has in place appropriate security measures to protect personal information. As part of our compliance activities, FCHP has added language to our group services agreements acknowledging our obligations, and those of our contracted employers, with respect to these regulations. Employers will receive the amended group services agreement at their next renewal.