
HIPAA Business Associate Agreements in Massachusetts — 201 CMR 17 and BAA Implications

By BAA Generator Research Team  ·  Published Apr 27, 2026  ·  Last reviewed Apr 27, 2026  ·  6 min read

Quick answer: HIPAA establishes a federal floor for Business Associate Agreements. 45 CFR § 164.504(e) sets the minimum contract terms, and the Privacy Rule preempts only state laws that are less stringent than HIPAA (45 CFR § 160.203), so more protective Massachusetts law survives and applies on top. A BAA executed for a covered entity or business associate operating in Massachusetts should explicitly address the state-specific obligations below, not just the HIPAA baseline. The Massachusetts Attorney General enforces 201 CMR 17.00 and M.G.L. c. 93H independently of HHS OCR, so a vendor relationship can satisfy HIPAA and still draw a state enforcement action.

Massachusetts laws affecting BAA terms

Massachusetts Standards for the Protection of Personal Information

201 CMR 17.00

Applies to any person or business that owns or licenses personal information about a Massachusetts resident, regardless of HIPAA status. Its definition of "personal information" is narrower than PHI: a resident's name combined with a Social Security number, a driver's license or state ID number, or a financial account or payment card number. Most PHI record sets contain at least one of these, so the regulation is usually triggered alongside HIPAA. It requires a Written Information Security Program (WISP); encryption, to the extent technically feasible, of personal information transmitted across public networks or wirelessly and of all personal information stored on laptops and other portable devices; secure user authentication; and access controls that restrict records to staff who need them for their job duties. Of direct relevance to BAA drafting, 201 CMR 17.03(2)(f) requires the data owner to select service providers capable of maintaining appropriate security measures and to require them by contract to implement and maintain those measures. A BAA that only recites the HHS model provisions does not document that step.

Massachusetts Data Breach Notification Law

M.G.L. c. 93H

Requires notice to the Attorney General, the Office of Consumer Affairs and Business Regulation, and affected residents "as soon as practicable and without unreasonable delay" once a breach of security is known or there is reason to know of it. There is no fixed outer deadline, so in practice the state clock can run shorter than HIPAA's 60-day limit under 45 CFR § 164.404. A party that maintains or stores personal information it does not own, which is the position most business associates are in, must notify the owner or licensor on the same timeline. The BAA should state that notice window in days rather than relying on HIPAA's "without unreasonable delay" language in 45 CFR § 164.410 alone.

What Massachusetts BAAs should add to the HHS model

Operational notes

If your covered entity is based in Massachusetts, every BAA you sign with a vendor handling PHI of your patients should bind that vendor to the Massachusetts state-law obligations above in addition to HIPAA. The HHS model BAA satisfies federal requirements but includes no state-specific language by default.

If your business associate operates in multiple states, the usual approach is to bind the BA to the most protective requirement among the applicable states rather than drafting a separate clause per state. Practices in Massachusetts typically cite 201 CMR 17.00 and M.G.L. c. 93H by name in the BAA's "compliance with applicable law" clause. A clause that refers only to "applicable state law" gives the BA no concrete obligation to point to when it builds its WISP or its incident-notification procedure, and gives you nothing specific to audit against.

For broader 2024–2026 HIPAA Privacy Rule context, see HIPAA BAA requirements. For state law and HIPAA interaction generally, see ComplyCreate's HIPAA vs state privacy laws guide.


Your practice also needs an NPP

A BAA covers vendor relationships. The Notice of Privacy Practices is the patient-facing document required under 45 CFR § 164.520, and Massachusetts state law also affects what it must say.
