Do Massachusetts mental health providers face additional NPP requirements?

Yes. Massachusetts General Laws chapter 123 imposes confidentiality protections for mental health records that go beyond federal HIPAA psychotherapy-notes protections. Massachusetts mental health providers should ensure their NPP acknowledges these additional state-law protections.

Does Massachusetts require a WISP in addition to a HIPAA NPP?

Yes. Under 201 CMR 17.00, Massachusetts health care providers must maintain a Written Information Security Program (WISP). The WISP is an internal security document — separate from the patient-facing NPP — but both are required for Massachusetts covered entities.

State Requirements

HIPAA Notice of Privacy Practices for Massachusetts Practices

Q: Does Massachusetts have stricter HIPAA NPP requirements?

Yes. Massachusetts has strict data security regulations (201 CMR 17.00) and behavioral health record confidentiality laws (M.G.L. c. 123, § 36) that impose requirements beyond federal HIPAA. Massachusetts providers must comply with both — the more protective standard applies.

Q: What is Massachusetts 201 CMR 17.00?

201 CMR 17.00 is Massachusetts's data security regulation requiring comprehensive written information security programs (WISP) for personal information of Massachusetts residents. It applies to health care providers and requires specific technical and administrative safeguards for personal data — including PHI.

Massachusetts imposes strict health information privacy and data security requirements that supplement federal HIPAA. Practices in Massachusetts must comply with both — and wherever Massachusetts law is more protective, it governs. This guide covers the key state-law considerations for Massachusetts providers producing their HIPAA NPP.

Important: NPP Generator produces an NPP aligned to the federal HHS February 2026 model with a Massachusetts state-law flag. For a complete legal analysis of Massachusetts compliance for your specific practice type, consult a Massachusetts health care attorney.

Massachusetts 201 CMR 17.00 — data security

Massachusetts 201 CMR 17.00, the "Standards for the Protection of Personal Information of Residents of the Commonwealth," is one of the strictest state data security regulations in the United States. It requires any business — including health care providers — that handles personal information of Massachusetts residents to maintain a comprehensive Written Information Security Program (WISP).

Key requirements of 201 CMR 17.00 that affect health care providers:

Documented Written Information Security Program (WISP) — separate from the NPP, but both are required
Specific technical safeguards: encryption of stored and transmitted personal information
Access controls, monitoring, and incident response procedures
Vendor oversight for third parties that handle personal information

The WISP is an internal document — not patient-facing. It does not replace or substitute for the HIPAA NPP. Massachusetts providers need both.

Massachusetts mental health record confidentiality

Massachusetts General Laws Chapter 123 governs the confidentiality of records at facilities licensed by the Department of Mental Health. It imposes restrictions on disclosure of mental health treatment records that go beyond federal HIPAA's psychotherapy-notes protections:

Broader definition. Massachusetts MGL c. 123 applies to a broader category of mental health records than HIPAA's psychotherapy-notes definition. Records of "treatment" at DMH-licensed or -funded facilities are covered.
Disclosure restrictions. Many disclosures require patient consent even for treatment-related purposes — stricter than HIPAA's TPO exceptions.
Court access restrictions. Massachusetts courts have limited access to mental health records in civil proceedings beyond what federal law requires.

Mental health practices licensed by the Massachusetts DMH should consult legal counsel about MGL c. 123 compliance and how it affects their NPP disclosures. See states with stricter NPP requirements.

What Massachusetts practices need in their NPP

All federal HIPAA NPP requirements (HHS February 2026 model)
A statement that Massachusetts law may provide additional privacy protections beyond federal HIPAA
For mental health providers licensed by DMH: reference to Massachusetts confidentiality protections
Privacy Officer contact information for state-law questions
Separate internal WISP (not part of NPP) to comply with 201 CMR 17.00

Frequently Asked Questions

Does Massachusetts have stricter HIPAA NPP requirements?▼

Yes, particularly for mental health records (MGL c. 123) and data security (201 CMR 17.00). Massachusetts providers must comply with both federal HIPAA and applicable Massachusetts law — the more protective standard governs.

Does my Massachusetts practice need a WISP?▼

Yes, if you maintain personal information of Massachusetts residents. 201 CMR 17.00 requires a Written Information Security Program for businesses that handle personal data including health information. This is separate from — and in addition to — your HIPAA NPP and Security Rule compliance.

I'm a Massachusetts therapist — what extra NPP language do I need?▼

Your NPP should acknowledge that Massachusetts law may provide additional confidentiality protections for mental health records beyond federal HIPAA. If your practice is licensed by the Massachusetts DMH, consult legal counsel about MGL c. 123 implications for your specific disclosure practices.

Does Massachusetts have SUD record protections beyond federal Part 2?▼

Massachusetts has SUD treatment confidentiality provisions under MGL c. 111E and related regulations for programs licensed by the Bureau of Substance Addiction Services (BSAS). These may impose additional consent requirements for disclosure beyond federal Part 2. Massachusetts SUD programs should review both federal Part 2 and Massachusetts BSAS regulations.

Generate your Massachusetts practice NPP in under 5 minutes.

Federal HHS February 2026 model with Massachusetts state-law flag. PDF + editable Word. $49 one-time — no subscription.

Start your NPP — $49

Free watermarked preview available. See sample →

More guides: States with stricter NPP requirements · NPP for California practices · NPP for New York practices · NPP for mental health