Massachusetts Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Massachusetts.
Massachusetts medical practices operate under one of the strictest data-security regimes for non-hospital healthcare settings in the country. M.G.L. c.93H sets the breach-notification regime, and 201 CMR 17 (the Massachusetts Written Information Security Program, or WISP, regulation) imposes ongoing operational duties that go well beyond notification after a breach. Every entity that owns or licenses personal information about a Massachusetts resident must maintain a documented WISP covering administrative, technical, and physical safeguards, including encryption of PI stored on laptops and other portable devices and of PI transmitted across public networks or wirelessly, a designated employee accountable for the program, third-party vendor due diligence, and employee training records.

Breach notification under c.93H goes to the affected resident, the Massachusetts Attorney General, and the Director of Consumer Affairs and Business Regulation, "as soon as practicable and without unreasonable delay." Medical-record retention sits at 7 years from the last treatment under 243 CMR 2.07(13), with pediatric records running until the age of majority plus 7 years. MassPAT requires every prescriber to query before every Schedule II prescription, with carve-outs for hospice, cancer treatment, ER supplies of 24 hours or less, and inpatient or long-term care administration.
Breach Notification Rules
Notification deadline
As soon as practicable and without unreasonable delay
Notification must be made as soon as practicable and without unreasonable delay. AG and Director of Consumer Affairs and Business Regulation must be notified simultaneously.
AG notification threshold
All breaches
Notify: AG + Director of Consumer Affairs and Business Regulation
Risk-of-harm analysis required: c.93H defines a breach of security as the unauthorized acquisition or use of unencrypted data that creates a substantial risk of identity theft or fraud against a resident, so that determination must be documented before deciding that no notice is due
Penalty range
Up to $5,000 per violation under Consumer Protection Act (Ch. 93A)
Enforcement Posture
The Massachusetts Attorney General is one of the most active state enforcers of healthcare data security in the United States. The AGO has separate enforcement authority under both M.G.L. c.93H and Chapter 93A (the Consumer Protection Act), and has historically pursued Chapter 93A actions against healthcare organizations whose WISPs were inadequate or whose breach response was delayed. The WISP requirement under 201 CMR 17 is operational rather than event-driven: it is a continuous-compliance rule, not just a notification rule, so a practice can be in violation today without any breach having occurred. That distinction makes Massachusetts the state where a written WISP, demonstrated training records, and documented vendor due diligence matter most. The retention rule has its own enforcement tracks: the Board of Registration in Medicine enforces 243 CMR 2.07(13) against individual physicians, and Department of Public Health licensure surveys cover record-keeping at licensed facilities.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (MassPAT)
MassPAT (the Massachusetts Prescription Awareness Tool) must be queried before every Schedule II prescription, with exemptions for hospice patients, active cancer treatment, ER prescriptions of 24 hours or less, and inpatient hospital or long-term care administration. Delegation to authorized staff is permitted. The licensing boards can impose discipline up to license suspension, and civil fines run up to $5,000 per violation.
Check required
Schedule II
Check frequency
Every prescription
Delegation allowed
Yes, to authorized staff
Penalty range
Licensing board discipline; fines up to $5,000 per violation; possible license suspension
Exemptions
Hospice patients, cancer treatment, inpatient hospital or long-term care administration, ≤24 hour supply in ER
How Massachusetts Rules Hit by Specialty
Behavioral health
Massachusetts mental-health record confidentiality under M.G.L. c.123 §36 and 104 CMR 27 imposes consent and disclosure rules that exceed HIPAA, and 201 CMR 17 still applies on top — meaning the WISP must address how psychotherapy notes are encrypted, who has access, and how access is logged.
Pain management
MassPAT queries are required before every Schedule II prescription, and Massachusetts imposes additional documentation duties for chronic-pain regimens. Pain practices need the PDMP query timestamp in the chart, a documented treatment agreement, and the WISP-required encryption of the patient's electronic record on any portable device.
Pharmacy/compounding
Compounding pharmacies are subject to enhanced 247 CMR oversight following the 2012 NECC matter and must integrate MassPAT queries and the 201 CMR 17 WISP with their facility-specific quality systems.
Hospital systems
Massachusetts hospitals face 105 CMR 130 licensure requirements, the same M.G.L. c.93H breach rule, and 201 CMR 17 WISP obligations — including per-employee training records that surveyors can request during licensure visits.
Mandatory Reporting Obligations
Child abuse and neglect
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, EMTs, and all healthcare professionals
Report to
Department of Children and Families (DCF)
Timeline
Immediately / as soon as possible
Penalty for failure
Up to $1,000 fine; civil liability for damages caused by failure to report
Immunity provision
Good faith reporters immune from civil and criminal liability under M.G.L. c. 119 s. 51A
Elder abuse
Mandated reporters
Physicians, nurses, dentists, social workers, and all licensed healthcare professionals
Report to
Executive Office of Elder Affairs, Protective Services
Timeline
Immediately / as soon as possible
Penalty for failure
Up to $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
Domestic violence (adults)
Mandated reporters
Healthcare providers are not mandated to report domestic violence in adults; patients may choose to report
Report to
Local law enforcement (voluntary reporting permitted)
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Communicable diseases
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
Massachusetts Department of Public Health, local board of health
Timeline
Within 24 hours
Penalty for failure
Up to $1,000 fine per violation
Immunity provision
Good faith reporters immune from civil liability
Gunshot and stab wounds
Mandated reporters
All physicians and healthcare providers treating gunshot wounds or stab wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
Massachusetts Compliance FAQs
What does 201 CMR 17 require of a medical practice?
A documented Written Information Security Program covering: a designated security officer; an inventory of personal information; risk assessment with administrative, technical, and physical safeguards; encryption of PI on portable devices and in transit across public networks; per-employee training records; third-party vendor due diligence and contracts; and ongoing monitoring with at least annual review. The duty is continuous, so non-compliance can exist without a breach.
Must every breach be reported to the Attorney General?
Yes. M.G.L. c.93H requires notification to the affected individual, the Massachusetts Attorney General, and the Director of Consumer Affairs and Business Regulation simultaneously, with no resident-count threshold.
When must MassPAT be checked?
MassPAT must be queried before every Schedule II prescription. Exemptions cover hospice, cancer treatment, ER supplies of 24 hours or less, and inpatient or long-term care administration. Delegation to authorized staff is permitted.
How long must medical records be retained?
7 years from the last treatment under 243 CMR 2.07(13). Pediatric records run until the age of majority plus 7 years.
Can the Attorney General take enforcement action without a breach?
Yes. Chapter 93A unfair-or-deceptive-practices authority covers material misrepresentations about a practice's data security posture and inadequate WISPs under 201 CMR 17. Enforcement is not gated on a notifiable breach having occurred.
Stay audit-ready in Massachusetts
GuardWell tracks Massachusetts-specific breach deadlines, retention periods, MassPAT PDMP queries, and mandatory reporting obligations automatically.
