201 CMR 17.00 vs HIPAA (Massachusetts)
Massachusetts 201 CMR 17.00 prescribes specific data-security elements for personal information of MA residents. HIPAA provides the PHI-specific federal baseline. Both apply.
Last reviewed May 24, 2026
Side by side
201 CMR 17.00 (Massachusetts)
Massachusetts regulation prescribing minimum standards for the protection of personal information of MA residents — written information security program (WISP), specific safeguards, third-party oversight.
201 CMR 17.00- Applies to any entity holding personal info of a MA resident.
- Requires a documented WISP with administrative, technical, and physical safeguards.
- Encryption of PI on portable devices and across public networks.
HIPAA
Federal baseline for PHI held by covered entities and business associates.
45 CFR Parts 160 & 164- Covers PHI specifically; 201 CMR 17 covers PI generally.
- Cross-references: 45 CFR 164.312 maps to several 201 CMR 17 controls.
When to use 201 CMR 17.00 (Massachusetts)
- Any practice holding PI of MA residents — document the WISP and meet the prescribed controls.
When to use HIPAA
- All practices handling PHI — HIPAA Security Rule applies.
Common mistakes
- Treating HIPAA compliance as automatic 201 CMR 17 compliance — there is overlap but 201 CMR 17 has prescriptive elements (e.g., encryption on portable devices) not strictly mandated under HIPAA.
- Skipping the WISP document — it is the named artifact MA regulators ask for.
Sources
- Massachusetts — 201 CMR 17.00https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the
- Mass. AG — Data Breachhttps://www.mass.gov/topics/data-breach
Related
Document the WISP in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.