Massachusetts identity theft regs take effect January 1, 2009. Any business that does no more than keep a copy of a personal check from a client or customer on file is subject to these new rules, which require implementation of a security program covering any "personal information" maintained in a business' files. "Personal information" means any non-public linking of a person's name and Social Security Number, driver's license number, or financial account number (debit, credit or bank account number). The enabling statute does not apply to state government agencies, but Gov. Patrick brought them into the big tent by executive order.
Internal and external security audits and employee training will be required.
For those lucky enough (!) to be subject to HIPAA already, these requirements will not be that difficult to accommodate, as the new rules cover familiar territory. However, HIPAA pre-emption analyses and compliance programs will need to be reviewed, to be sure that Massachusetts health care providers, payors and clearinghouses maintain full compliance with both federal and state rules in this area.
Both healthcare and non-healthcare-sector businesses may have to consider doing a further pre-emption analysis, looking at the recently-delayed FTC Red Flag rule.
If HIPAA regulation and compliance efforts are an indicator, one of the thornier issues to deal with in coming into compliance with these rules will be establishing parameters for remote access of personal information. Also, as under HIPAA, it will be interesting to see whether private enforcement efforts will be permitted under the new law.
TOH: Colin Coleman, John Koenig.
The Harlow Group LLC
Health Care Law and Consulting