Mass. Gen. Laws. Ann. ch. 66A, § 2 - Holders Maintaining Personal Data System; Duties

All holders of personal data systems must hold one person responsible for the prevention of access and dissemination of personal data, including health information.  The holder must also train employees using the personal data system on Massachusetts’ laws relating to the release of personal data.  The holder must also ensure that no other agencies or outside individuals have access to the information, unless access is authorized by law.  The holder’s responsibilities also include maintaining a list of all individuals who have accessed the information, providing the individual/patient with a list of uses that the personal data has been used for, including the identities of those who have accessed the data, maintaining accurate information, and allowing the individual/patient to contest, correct or amend his or her information.  

The law specifies that medical or psychiatric data is available to treating physicians, upon request, if a situation arises where the patient cannot provide authorization to release the information.  The law also protects the ability of law enforcement or an investigation unit to have access to the information for fraud detection purposes.