Will complying with requirements in 201 CMR 17 give any tips to healthcare entities?
With the rapidly approaching March 1 deadline, when Massachusetts’ new personal data protection law (201 CMR 17) finally goes into effect, one of the many requirements facing organizations covered by the law is the need to encrypt all records or files containing personal information while the data is in transit across public networks or via wireless transmission, as well as information stored on laptops or other portable devices. The requirements notably stop short of requiring encryption of all personal data at rest (for data on Internet-connected systems, the law requires up-to-date patches and firewall protection), although the definition of “breach of security” in the regulation applies only to disclosure of unencrypted data, or of encrypted data along with the means to decrypt it.
Much like the exception to the data breach notification rules for personal health information that took effect last September, organizations that choose to use comprehensive encryption for personally identifiable information, whether stored or in transit, give themselves one less thing to worry about. It remains to be seen whether this provides sufficient incentive for encryption of data at rest to become more pervasive. To the extent that organizations publicize their experiences complying with the Massachusetts regulations, achieving compliance with 201 CMR 17 may provide a useful data point for organizations in the health arena. Healthcare entities face stronger data privacy and security requirements from the HITECH Act’s effect on existing HIPAA rules, and also have to plan ahead for the security requirements contained among the “meaningful use” criteria that will be used to determine eligibility for federal health IT incentives for organizations adopting electronic health records and associated systems. These criteria include the ability to encrypt and decrypt data both in storage and in transit, so they may once again give these entities another reason to start encrypting their data. Under the law (HITECH and HIPAA), organizations are not specifically required to encrypt personal data, so any risk-based decision to do so will likely be centered on the potential impact to the organization of a data breach. Given Health Net’s experience and pending legal action, the decision by healthcare entities to continue to leave personal health data unencrypted seems to make less and less sense all the time.