I have been presenting webinars on, as well as participating in discussions of, the new Massachusetts privacy law, MA 201 CMR 17.00 Privacy law. The focus has been on how this law affects dental offices and what steps need to be taken to be in compliance with the law. In future posts I will discuss the different sections of the law in more detail. The focus of the post is on the definition of personal information in the law and how this definition is critical to the implementation of policies and solutions for compliance. This post is not specific to dental offices, rather it is a general discussion and rant about the law.
This law applies to both paper and electronic records and information.
First, the definition of personal information taken directly from the State pdf file on the law:
"Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
The first thing that jumped out at me about the definition is that it does not include Date of Birth. The argument has been made that because this information is readily available in public records, i.e. birth records kept at town hall, available online through sites like Ancestry.com and through other public access means, it fails the "publicly available information" test. OK, I agree with that argument and I can accept the exclusion of date of birth from the law.
The law applies to "to all persons that own or license personal information about a resident of the Commonwealth". This means it applies to almost every business in Massachusetts, but I would argue that it also applies to any group or association that accepts checks and/or credit card payments. For example, when I sign my daughter up for softball, I send them a check which has my first and last name and checking account number on it. This meets the definition of first and last name and financial account number. So, the group that runs the softball league now needs to comply with this law. Does your associations accept dues payments? Time to get compliant!
Government agencies are excluded from the law including "any political subdivision thereof". Yes, that is correct, you are forced to comply with the law, but the people who wrote the law and are in charge of enforcing it do not have to comply with it. Why? Isn't that the way it always is in MA, "do as I say, not as I do"! Why should the State have to go through the hassle of complying with the law? Don't you know it is only you peasants who get hacked, disclose personal information, and don' t know how to protect people's personal information?
As the definition states, there has to be a combination of information for it to be personal information. If I obtain a list of social security numbers, but can not associate the numbers with names, then it is not personal information. This law is not like HIPAA in that it does not relate to medical or dental information. So, if your dentist sends you an email telling you have an appointment next Wednesday at 1 PM and does not encrypt the email, they are NOT breaking this law. But, if they send you an email that has your patient record and it includes your social security number, then it must be encrypted because of the combination test. If they send you an email with your name and images of your x-rays, it does not have to be encrypted under this law. I may be able to see that you have had a root canal on a tooth, but I can't steal your identity from an x-ray. Whether it breaks HIPAA rules is another argument.
Does the law apply to companies in other states that have this information on residents of Massachusetts? Yes, but good luck enforcing the law on these companies. For example, if you own a business in a Rhode Island border town and take payments from MA residents, then you fall under this law. But, I don't think the law arm of the MA law can extend across the state border. This is similar to when Gov. Duval wanted New Hampshire to collect MA state sales tax from MA residents buying goods in NH. The NH governor told Duval to go pound salt.
The basis of the law and what you need to do to be in compliance hinges on the definition of personal information in the law. If you are "a natural person, corporation, association, partnership..." and your records, whether paper or electronic, contain any of the possible combinations under the law, then you need to get compliant with the law.
More information available at http://www.patriotnetworks.com/MA_201_CRM_17.html
Thanks for reading my blog, please feel free to pass along to friends and colleagues!