State Compliance

Massachusetts 201 CMR 17.00 for Healthcare: The Written Information Security Program

9 min read · Last reviewed May 23, 2026

Massachusetts 201 CMR 17.00 — the Standards for the Protection of Personal Information of Residents of the Commonwealth — requires every business that holds a Massachusetts resident's personal information to maintain a Written Information Security Program (WISP) with specifically enumerated administrative, technical, and physical safeguards. The single biggest divergence from HIPAA: the WISP is a discrete, named, written document with mandatory contents that the HIPAA Security Rule does not equivalently require.

What 201 CMR 17 actually requires

The regulation is promulgated under M.G.L. c. 93H and codified at 201 CMR 17.00. Effective March 1, 2010, it applies to every person who owns or licenses personal information about a Commonwealth resident — including healthcare practices in any state with MA-resident patients.

The core obligation is the Written Information Security Program (WISP) under 201 CMR 17.03. The WISP must contain administrative, technical, and physical safeguards appropriate to:

  • the size, scope, and type of business;
  • the amount of resources available;
  • the amount of stored data; and
  • the need for security and confidentiality.

Mandatory WISP contents under 17.03(2):

  • Designated coordinator (17.03(2)(a)) responsible for the program.
  • Risk identification (17.03(2)(b)) — internal and external risks to the security, confidentiality, integrity of records.
  • Employee training (17.03(2)(b)(1)).
  • Employee compliance enforcement (17.03(2)(b)(2)) — disciplinary measures.
  • Employee separation procedures (17.03(2)(e)) — termination of access on departure.
  • Vendor due diligence (17.03(2)(f)) — verify vendors hold appropriate safeguards; contract for them.
  • Limitations on personal-information collection (17.03(2)(g)).
  • Physical access restrictions (17.03(2)(h)).
  • Regular monitoring (17.03(2)(i)).
  • Annual review (17.03(2)(j)) — and on material change in business practices.
  • Incident response (17.03(2)(k)) — documented incident response, post-incident review, mandatory documentation of responsive actions.

201 CMR 17.04 lists the computer system security requirements:

  • 17.04(1) — secure user authentication protocols.
  • 17.04(2) — secure access control measures.
  • 17.04(3) — encryption of personal information transmitted across public networks and on portable devices.
  • 17.04(4) — reasonable monitoring of systems for unauthorized use.
  • 17.04(5) — encryption of all transmitted records containing personal information that travel wirelessly.
  • 17.04(6) — up-to-date firewall and operating-system patches.
  • 17.04(7) — current malware protection with up-to-date virus definitions.
  • 17.04(8) — employee education and training on proper use of computer-system security and importance of personal-information security.

Where Massachusetts is stricter than HIPAA

The comparison table.

| Topic | HIPAA | 201 CMR 17 / M.G.L. c. 93H | Stricter | |---|---|---|---| | Written program | Required policies (45 CFR § 164.316) but no single named "WISP" document | Single WISP document with mandatory contents (201 CMR 17.03(2)) | MA | | Portable-device encryption | Addressable (45 CFR § 164.312(a)(2)(iv)) | Required to extent technically feasible (201 CMR 17.04(3) and (5)) | MA | | Public-network transmission encryption | Addressable (45 CFR § 164.312(e)(2)(ii)) | Required to extent technically feasible (201 CMR 17.04(3)) | MA | | Designated coordinator | Privacy Official + Security Official (45 CFR §§ 164.530(a), 164.308(a)(2)) | One coordinator (201 CMR 17.03(2)(a)) | Tie | | Vendor due diligence | BAA required (45 CFR § 164.504(e)) | Diligence + contractual safeguards (201 CMR 17.03(2)(f)) | Tie | | Breach-notice window | 60 days (45 CFR § 164.404(b)) | "As soon as practicable and without unreasonable delay" (M.G.L. c. 93H § 3) — no fixed statutory outer bound | MA in practice | | Private right of action | None | None directly; 93A predicate creates indirect path | MA (indirect via 93A) | | Periodic program review | Periodic + change-driven update (45 CFR § 164.316(b)(2)(iii)) | Annual + on material change (201 CMR 17.03(2)(j)) | MA (fixed annual cadence) | | AG penalty | None directly; state AG enforcement under 42 USC § 1320d-5(d) | $5,000 per violation (M.G.L. c. 93A § 4) plus 93H AG remedies | MA for direct AG action |

What practices most often miss is that the WISP is a single named artifact. The HIPAA program can be a portfolio of policies, procedures, the risk analysis, training records, and the sanction policy. The Massachusetts AG expects to find one document titled (or clearly labeled as) the WISP that maps to every 17.03(2) subsection. A HIPAA program can be 201 CMR 17-compliant in substance and fail in form because no single document carries the WISP label and contents in the order the regulation lists them.

Where HIPAA is stricter than Massachusetts

HIPAA wins in two areas:

  • PHI scope. HIPAA's PHI definition at 45 CFR § 160.103 covers all individually identifiable health information. 201 CMR 17's "personal information" definition under M.G.L. c. 93H § 1 is identity-data focused (name + SSN / license / financial / biometric). A medical record that contains diagnosis information but no SSN or driver's-license number may be outside 201 CMR 17's scope while remaining squarely inside HIPAA.
  • Patient access rights. HIPAA at 45 CFR § 164.524 creates a federal patient right of access with a 30-day turnaround. 201 CMR 17 imposes no parallel access right.
  • Accounting of disclosures. HIPAA at 45 CFR § 164.528 requires an accounting of certain disclosures. 201 CMR 17 has no parallel.
  • Breach-trigger methodology. HIPAA's four-factor risk assessment at 45 CFR § 164.402 is more structured than 93H's "unauthorized acquisition or unauthorized use of personal information" standard.

Breach notification timeline

Massachusetts runs notification in parallel with HIPAA:

  • M.G.L. c. 93H § 3 individual notice — "as soon as practicable and without unreasonable delay" once the practice knows or has reason to know of a breach. The statute sets no fixed numeric outer bound; many practitioners use 30 days from determination as a conservative working target, but longer delays must be defensible against the "without unreasonable delay" standard.
  • Attorney General + Office of Consumer Affairs and Business Regulation (OCABR) notice under 93H § 3(b) — on the same expedient cadence as individual notice. The OCABR publishes received notices in a public registry, which is the most-used MA breach database for plaintiffs' counsel research.
  • Substitute notice under 93H § 1 — available when individual notice would exceed $250,000 in cost, exceed 500,000 affected residents, or when contact information is insufficient.
  • HIPAA parallel track45 CFR § 164.404 60-day individual notice and § 164.408 HHS notice. The MA timeline typically controls because it is shorter.

Encryption is the meaningful safe harbor. 93H § 1 defines "breach of security" as the unauthorized acquisition or unauthorized use of unencrypted data. If the personal information was encrypted and the encryption key was not also compromised, the incident is generally not a notifiable breach under 93H — though it may still be a HIPAA breach.

Penalties and 93A exposure

The numbers:

  • M.G.L. c. 93A § 4 AG penalty — up to $5,000 per violation plus reasonable attorney's fees and costs, in actions brought by the Attorney General.
  • M.G.L. c. 93A § 9 private right of action (consumer) — actual damages, with a minimum of $25, doubled or trebled for knowing or willful violations, plus attorney's fees. The damages floor and the multipliers are what make 93A class actions viable for breaches that produce no quantifiable actual harm.
  • 93H AG remedies — injunctive relief plus civil penalties under 93A; the AG has assessed multi-million-dollar settlements in healthcare breach matters in recent years.
  • HIPAA parallel exposure — OCR Civil Monetary Penalties under 45 CFR § 160.404 run on the same incident; the AG and OCR often coordinate.
  • Licensure consequences — Board of Registration in Medicine and Board of Registration in Nursing receive notice of significant data-security failures and may impose separate professional discipline.

The 93A treble-damages multiplier is the litigation wedge. A 5,000-patient breach at a $25 statutory floor doubled is $250,000 in baseline damages before attorney's fees and any actual damages. Trebled for willful conduct it is $375,000. The 93A predicate makes Massachusetts a meaningfully different litigation environment than New York, which has no equivalent multiplier.

Compliance checklist for Massachusetts practices

A MA-specific overlay to a HIPAA program:

  • A single document titled "Written Information Security Program" that maps to every 201 CMR 17.03(2) subsection in order, signed by the designated coordinator.
  • Encryption on every laptop, USB drive, mobile device, and removable medium holding any MA-resident personal information. The 17.04(3) and (5) "to the extent technically feasible" language is a high bar; the AG has rejected the affordability defense in published enforcement.
  • Public-network transmission encryption — TLS 1.2+ for every channel carrying MA-resident personal information; documented for email, EHR, billing, and patient portal.
  • Designated WISP coordinator named in writing — may be the same person as the HIPAA Security Official, but the WISP-coordinator role should be explicit.
  • Vendor diligence file under 17.03(2)(f) for every vendor that handles MA-resident personal information. SOC 2 Type II or equivalent attestation, plus a contract clause incorporating 201 CMR 17 by reference, layered on the HIPAA BAA.
  • Annual WISP review documented under 17.03(2)(j); also after any material change in business practices.
  • 93H breach-response protocol triggering individual + AG + OCABR notice on the "expedient and without unreasonable delay" cadence (no fixed statutory outer bound; many practices target 30 days from determination as a conservative working ceiling).
  • Workforce training under 17.03(2)(b)(1) and 17.04(8) covering both PHI under HIPAA and personal information under 201 CMR 17, with completion records.
  • Employee separation procedure under 17.03(2)(e) — termination of physical and electronic access on departure; access-removal log per separated employee.
  • MA-resident inventory. If the practice does not know how many MA residents are in its records, the WISP cannot meaningfully size its safeguards. Run the inventory.

The d3rx compliance binder state-overlay branches on Massachusetts and produces a WISP structured to 201 CMR 17.03(2)'s named subsections, the 17.04 technical-controls checklist, and the 93H breach-response timeline a MA practice runs alongside its federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for actually executing the controls and responding to any AG inquiry under 93H or 93A.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversMassachusetts 201 CMR 17.00 for Healthcare: The Written Information Security Program. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Does my HIPAA risk analysis satisfy the MA WISP requirement?

Partially. The HIPAA Security Risk Analysis under [45 CFR § 164.308(a)(1)(ii)(A)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) supplies most of the risk-identification work, but 201 CMR 17.03(2) requires a written information security program (WISP) that explicitly addresses personal information of MA residents — not just PHI. The WISP must also designate a coordinator under 17.03(2)(a), incorporate vendor obligations under 17.03(2)(f), and integrate with M.G.L. c. 93H breach response. Layer the WISP on top of the HIPAA SRA; do not assume identity.

Does 201 CMR 17 apply to an out-of-state practice that treats Massachusetts residents?

Yes. 201 CMR 17.01(2) explicitly applies to 'every person that owns or licenses personal information about a resident of the Commonwealth,' regardless of where that person is located. The Massachusetts Attorney General has asserted jurisdiction in enforcement actions against out-of-state actors. A telehealth practice in another state that holds MA-patient records is covered.

What does 'personal information' mean under 201 CMR 17?

M.G.L. c. 93H § 1 defines it as a Massachusetts resident's first name (or initial) and last name combined with: SSN, driver's license / state ID, financial account or credit/debit card number with required access code, OR biometric information. The definition is identity-data focused — not the same as HIPAA's PHI under [45 CFR § 160.103](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103), though most patient records contain both PHI and 'personal information' simultaneously.

Is encryption mandatory under 201 CMR 17?

Effectively yes for portable devices and transmissions over public networks. 201 CMR 17.04(3) requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all personal information stored on laptops or other portable devices. 'To the extent technically feasible' is the qualifying language. For desktop or server storage, the requirement is risk-based but the AG has consistently treated unencrypted laptops as material gaps in enforcement actions.

Can a Massachusetts patient sue my practice for a 201 CMR 17 violation?

Indirectly. 201 CMR 17 itself does not create a private right of action. But M.G.L. c. 93A § 9 — the Massachusetts Consumer Protection Act — does, and Massachusetts courts have held that a 201 CMR 17 violation can constitute an unfair or deceptive act under 93A. 93A allows double or treble damages for knowing or willful violations plus attorney's fees, with a $25 minimum damages floor that supports class certification on otherwise low-dollar claims. The 93A predicate is the material litigation exposure.

What is the Massachusetts breach-notice timeline?

M.G.L. c. 93H § 3 requires notification to affected residents, the Attorney General, and the Office of Consumer Affairs and Business Regulation 'as soon as practicable and without unreasonable delay' after the breach is identified — the statute sets no fixed numeric outer bound, and the AG has not promulgated a 30-day rule. Many MA practitioners adopt 30 days from determination as a conservative working target; HIPAA's 60-day window at [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) is wider, and MA notification under the 'expedient and without unreasonable delay' standard typically lands sooner.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 201 CMR 17.00https://www.mass.gov/regulations/201-CMR-17-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth
  2. 45 CFR § 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
  3. 45 CFR § 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  4. 45 CFR § 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
  5. 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
  6. 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  7. § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  8. 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides