In a post several months ago (see "If It Fits, You Must Encrypt"), I discussed the Nevada statute that will require Nevada businesses that store or use information of any individual to being encrypting customer information that they send electronically (other than by fax) on October 1, 2008. The movement towards legally required encryption took another step forward last month in Massachusetts.
Massachusetts adopted regulations on September 22 that will require businesses that store or use information about Massachusetts residents, to implement comprehensive information security programs by January 1, 2009. The new regulations make Massachusetts the second state to mandate reasonable security practices for all businesses, after California.
While covered entities subject to the HIPAA Security Rule should have already implemented an information security compliance program, the Massachusetts regulations may raise the bar a bit in certain areas. For example, the Massachusetts regulations require encryption of personal information stored on laptops or transmitted across public or wireless networks. Under the HIPAA Security Rule, encryption of PHI is an "addressable€VbCrLf implementation specification, but is not required.
For healthcare organizations, the new Massachusetts regulations are yet another reason why a comprehensive, formal information security compliance program is highly advisable €¦ and (depending on your business and the states you're operating in) it may be the law.