Health Law (HL)


Privacy and Confidentiality | Massachusetts Residents' Data & Legal Practitioners’ Vigilance

By Lorianne Maria Sainsbury-Wong posted Mon March 09, 2015 12:39 AM


Increasing accounts of security breaches nationwide render it a prudent and obligatory course of action that high-risk data compliance dominate law firm protocol. Regardless of size and staffing, law firms are not immune to security risks, despite daily safeguards consistently observed as a matter of practice in protecting client confidentiality and privacy. Massachusetts General Laws c. 93H governs Massachusetts persons and agencies that own, license, receive, store, maintain, process or otherwise have access to personally identifiable information (PII) of Massachusetts consumers. The law and its implementing regulations at 201 CMR 17.00 et seq., moreover, expand existing professional ethical obligations that legal practitioners routinely maintain during the course of representing a Massachusetts client, including third-party vendor relationships.

Not only does Chapter 93H mandate the safeguarding of a resident's PII - wherever the legal practice is located - it incorporates relevant federal and other laws which address PII protocol. As a result, the state definition of what is considered PII necessarily encompasses and extends to other high-risk data. Many law firms, therefore, whose businesses may not be subjected to duties under the Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health (HITECH) have opted to voluntarily comply with HIPAA | HITECH to ensure the privacy of clients’ high-risk data, even though they are neither HIPAA | HITECH covered-entities nor business associates. Best business practices would dictate advancing state compliance obligations to clients by adopting, to the extent feasible if not a HIPAA | HITECH entity, the more stringent federal standards.

The 2014 MBA Health Law Section Annual Conference addressed protected health data, personal information, and social media as it relates to legal practitioners and office management.  In addition, during the 2014-2015 term, the MBA Health Law Section has been honored to engage with outstanding presenters at Health Law Section Council meetings and at Health Law Section CLEs, including a brown bag luncheon, which included developments from Nixon and Peabody’s Providence Office.  Details and access information concerning the December 15, 2014 brown bag luncheon, “HIPAA Compliance 101” can be found at [You may view the 2014 Health Law Section Annual Conference by accessing your MBA on demand programs at MyBarAccess | Member Options:]  Further, my reflections from these outstanding MBA events, together with my additional knowledge and experience, are incorporated into a presentation, entitled “Confidentiality and Privacy, Protecting Consumers’ Healthcare Data under Massachusetts and federal laws.” Here is a link:  

Social media and cyber liability will be included in our upcoming June 12, 2015 Health Law Section Annual Conference at the Massachusetts Bar Association’s Boston Office. Matters of high-risk client data and duties to safeguard it warrant continued analysis and dialogue among legal practitioners in the Commonwealth and/or those who practice in other state jurisdictions but who have at least one Massachusetts resident as a client. If you or your staff have suggestions or recommendations regarding this upcoming conference, please feel free to contact any of the MBA Health Law Section Council Members, who are identified here:

Your continued interest and support of the MBA Health Law Section is a valuable and much appreciated contribution to our efficacy in the health law context. 
Lorianne M. Sainsbury-Wong
MBA Health Law Section, Chair

Health Law Advocates, Inc.
Litigation Director & Compliance Atty.