Massachusetts Data Privacy & Security Policy

If your company is based in the state of Massachusetts, does significant business there, OR provides services to residents of the state, then you are required to have privacy and security policies in place that meet certain requirements. To meet Massachusetts data protection laws, policies and procedures need to be created that satisfy the requirements of the following regulations.

M.G.L. 93H SECURITY BREACHES

  • Defines Personal Information as an individual’s name in combination with any of the following:
    • Social Security Number
    • Driver’s License Number
    • State Identification Card Number
    • Financial Account Number, credit or debit card number
  • Requires the state and affected parties to be notified in the event of a security breach or unauthorized usage of personal information.

M.G.L. 93I DISPOSITIONS AND DESTRUCTION OF RECORDS

  • Requires that personal information is destroyed in a manner that leaves it unrecoverable.

201 CMR 17.00

  • Requires certain steps to verify that third-party vendors with access to personal information do not introduce risk.
  • Requires limiting the amount of personal information collected.

Which Companies may need this service?

Any company that is based in the state of Massachusetts (MA) or offers services to residents of the state.

Project Methodology & Scope:

The following steps of the methodology determine which policies and procedures are required, based on the business model and on how information is stored and accessed.

  1. Evaluation of operations to determine the type and quantity of personally identifiable information the company handles, and its process for collecting, using, and disclosing it.
  2. Review of existing policies and procedures (P&P) to identify any privacy and security policies that already address MA privacy laws.
  3. Once those determinations have produced results, we will define which policies require creation or modification to bring them into line with the legal requirements.
  4. The policies will then be created on the company’s corporate document template and submitted for approval. These documents will contain all the necessary language to translate the legal wording into policy language.
  5. Regarding “style” or similar preferences: the policies will be presented in draft form for Company members to review and comment on. We assume that questions on style and content may arise at this point, and we present the documents expressly for this purpose. We will gather these comments and edit the documents in accordance with the requested changes.
  6. The final deliverables will be the policy documents required to establish a firm basis for operating compliantly when collecting, using, and disclosing PHI/IIHI/ePHI/PII.

Key Deliverables

  • An “Executive Brief”, delivered by phone, that addresses the reasonable and appropriate steps the organization must take in order to meet the policy and procedure requirements.
  • A set of policies that address the reasonable and appropriate safeguards for compliance.
  • A set of procedures that address the reasonable and appropriate safeguards for compliance.

Policy deliverables must be implemented and maintained, and all members of the Company workforce must be trained on and adhere to the policies in order for compliance to be achieved and maintained.

Contact us to discuss your requirements so we can create a proposal to help you meet the regulatory requirements. Call us today on 515-865-4591 or send us an email at Bob@hipaatraining.net