Qualified, experienced BKD client service professionals write the contents of these articles. We urge you to carefully consider all of the facts and circumstances of your situation before applying specific information in our articles. Consult your BKD advisor before acting on any matter covered in these articles.

Massachusetts Law Designed to Prevent Breaches of Personal Data

Stacey Zeigler
The commonwealth of Massachusetts enacted a law, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. This law requires all persons who “own or license” personal information from a resident of the commonwealth to have achieved full compliance by March 1, 2010.

To further clarify, the state has defined “owns or licenses” to mean:

Receives, stores, maintains, processes or otherwise is permitted access to personal information through its provision of goods or services directly to a person (who) is subject to this regulation.

This new law will be particularly important to health care organizations because they maintain so much private information, as well as medical information, about patients. Any health care provider that treats Massachusetts residents will be subject to this law, which will provide patients greater assurance that their private information is handled securely. Health care providers throughout the country should plan now to meet the law’s requirements.

While most states have concentrated on breach notification laws, the new Massachusetts regulations are intended to prevent personal information from being breached in the first place. The regulations center on implementing security measures designed to prevent both intentional wrongdoing and the lapses that stem from immature internal data-handling procedures. The new law requires strong information technology (IT) controls to be in place and operating effectively.

Massachusetts also has provided a very restrictive definition of “personal information” (PII). PII to be protected consists of a Massachusetts resident’s name (either first and last name, or first initial and last name) in combination with any of the following: a complete Social Security number, a driver’s license or other state-issued identification number, a financial account number, or a complete credit card or bank account number. This encompasses a wide variety of records, many outside the normal health care arena.
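The definition above is a conjunction: a record is in scope only when a name is paired with at least one complete identifier. As an added illustration that is not part of the BKD article, the following Python sketch applies that rule to a few constructed records, treating masked values (for example a Social Security number showing only its last four digits) as not complete. The field names, the identifier shape patterns and the masking heuristic are assumptions made for the example, not anything the regulation prescribes.

```python
import re

# Heuristic for partially redacted values: asterisks, hashes, or runs of X.
# Assumption for this example; a real classifier would use its own redaction rules.
MASK_CHARS = re.compile(r"[*#]|[xX]{2,}")
SEPARATORS = re.compile(r"[\s-]")

# Rough shapes of the identifiers named in 201 CMR 17.00 (assumed for the example).
SSN_SHAPE = re.compile(r"\d{9}")
CARD_SHAPE = re.compile(r"\d{13,19}")
ACCOUNT_SHAPE = re.compile(r"\d{6,20}")
STATE_ID_SHAPE = re.compile(r"[A-Za-z0-9]{5,20}")

# Constructed sample records; none of these values belong to a real person.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},          # name + full SSN
    {"first_name": "J.", "last_name": "Doe", "ssn": "***-**-6789"},            # SSN is masked
    {"first_name": "Jane", "last_name": "Doe", "diagnosis": "hypertension"},    # PHI, but no listed identifier
    {"last_name": "Doe", "account_number": "00123456789"},                      # no first name or initial
    {"first_name": "J", "last_name": "Doe", "drivers_license": "S12345678"},    # initial + state ID
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "4111 1111 1111 1111"},  # valid test PAN
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "4111 1111 1111 1112"},  # fails Luhn
]


def luhn_ok(digits):
    """Standard Luhn check, used to reject card numbers that cannot be complete."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _complete(value, shape):
    """A field counts only when it is present in full: no masking characters
    and, once separators are stripped, a value matching the expected shape."""
    if not value:
        return False
    text = str(value)
    if MASK_CHARS.search(text):
        return False
    return bool(shape.fullmatch(SEPARATORS.sub("", text)))


def has_name(record):
    """Name element of the definition: last name plus a first name or first initial."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def complete_identifiers(record):
    """Return the identifier fields that are present in complete form."""
    found = []
    if _complete(record.get("ssn"), SSN_SHAPE):
        found.append("ssn")
    if _complete(record.get("drivers_license"), STATE_ID_SHAPE):
        found.append("drivers_license")
    if _complete(record.get("account_number"), ACCOUNT_SHAPE):
        found.append("account_number")
    card = record.get("credit_card")
    if _complete(card, CARD_SHAPE) and luhn_ok(SEPARATORS.sub("", str(card))):
        found.append("credit_card")
    return found


def is_ma_personal_information(record):
    """True only when a name is combined with at least one complete identifier."""
    return has_name(record) and bool(complete_identifiers(record))


def classify_all(records):
    """Classify every record; returns (in_scope, identifiers_found) per record."""
    return [(is_ma_personal_information(r), complete_identifiers(r)) for r in records]


if __name__ == "__main__":
    for record, (in_scope, ids) in zip(SAMPLE_RECORDS, classify_all(SAMPLE_RECORDS)):
        print("IN SCOPE " if in_scope else "out      ", ids, record)
```

The third record is the one worth noticing from a health care perspective: a name plus a diagnosis is protected health information under HIPAA, but it does not meet this particular state definition because none of the listed identifiers is present. Conversely, the fourth record carries a complete account number but no first name or initial, so it also falls outside the definition.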

The regulations apply to all companies that “own or license” PII of Massachusetts residents, whether the company has offices in Massachusetts or not.

The new Massachusetts privacy law requires companies to conduct regular reviews of their information security policies for relevancy and operational effectiveness, as well as regular reviews of organizational adherence to the established operational protocols. The regulations state these reviews must be conducted on an annual basis (at a minimum) or when a material change in business practices may affect the security or integrity of records containing personal information.

In the event of a breach where it is determined the law’s compliance requirements have not been met, the Massachusetts Attorney General can file suit against the company.

In addition, civil penalties could be imposed for noncompliance with Massachusetts’ data breach notification statute (Massachusetts General Law Chapter 93H). The state may assess a civil penalty of $5,000 for each violation of 93H. Furthermore, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.

Under this Massachusetts privacy law, applicable individuals and businesses must develop, implement, maintain and monitor a comprehensive, written information security program (WISP) to ensure the security and confidentiality of personal information in both physical and electronic format.

The WISP’s primary areas of concentration are:

  1. Protected health information (PHI) data identification, classification and handling
  2. Retention and destruction of PHI records
  3. Training and awareness programs
  4. Logical and physical security
  5. Network security (firewalls, virus and malicious software protection)
  6. Encryption (devices and transmission)
  7. Vendor and third-party risk evaluation and oversight
  8. Risk assessment
  9. Program monitoring

For more information on this issue or related matters, please consult your BKD advisor.