On August 7, Massachusetts Governor Maura Healey signed into law a new Shield Law (S.2543) – the Shield Act 2.0 – that restricts providers’ ability to disclose information in certain health care-related investigations, among other provisions.  Like the Washington Shield Law that was enacted in 2023, the Shield Act 2.0 covers gender-affirming treatment in addition to reproductive health care.  The passage of the Shield Act 2.0 follows Massachusetts’s enactment, in 2022, of a Shield Law that provided protections for Massachusetts healthcare providers from sanctions for providing or assisting in the provision of legally protected reproductive healthcare services or gender-affirming healthcare services in the state.

In particular, Section 6 of the Shield Act 2.0 is relevant to Massachusetts-based providers that may be subject to out-of-state legal process.  Section 6 is scheduled to take effect 90 days from the date of enactment, or November 5, 2025.  Below we summarize some key aspects of Section 6:

  • Prohibition:  This provision prohibits a business entity that “operates in” Massachusetts and provides “electronic communication services” or “remote computing services” from disclosing, in response to a civil or criminal legal request, “information or assistance that the business entity knows relates to a resident, health care provider or business entity in the commonwealth in connection with legally-protected health care activity.”  “Legally-protected health care activity” is defined under the original Shield Law to include reproductive health or gender-affirming care that is lawful in Massachusetts, such as abortion care. 
  • Exceptions:  The prohibition on disclosure in Section 6 does not apply if:  (1) the disclosure is required under applicable federal law, or (2) the requestor provides an attestation, signed under penalty of perjury, certifying that the legal request does not seek documents, information, or testimony relating to an investigation into or the enforcement of another state’s law that imposes civil or criminal liability for the provision or receipt of legally-protected health care activity that is lawful in Massachusetts.
  • Applicability:  As noted above, Section 6 applies to Massachusetts businesses providing electronic communication services (“ECS”) or remote computing services (“RCS”).  “Electronic communication services” is defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications” — in other words, the same definition found in the federal Stored Communications Act (“SCA”).  Courts interpreting the SCA have generally understood this term to refer to services that facilitate user-to-user communications.  Section 6 similarly defines “remote computing service” to incorporate the definition of this term under the SCA (i.e., “the provision to the public of computer storage or processing services by means of an electronic communications system”).  Generally, businesses typically qualify as an RCS if they provide storage services to the public, such as a cloud storage services.
  • Penalties: The Attorney General may bring a civil action against covered businesses to compel compliance with this requirement, and any person who submits a false attestation is subject to a statutory penalty of up to $50,000 per violation.

Tags: Health Privacy, Massachusetts, Shield Laws
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Alexander Berengaut Alexander Berengaut

Alex Berengaut is a nationally recognized litigator and co-chair of the firm’s Government Litigation practice. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters…

Alex Berengaut is a nationally recognized litigator and co-chair of the firm’s Government Litigation practice. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters relating to data privacy, platform liability, artificial intelligence, and cybersecurity.

In recent years, Alex’s practice has focused on high-stakes disputes involving novel exercises of government power. For over four years, Alex has served as lead counsel to TikTok in defending against legal challenges to its operations in the United States, including by delivering the winning argument in 2020 that blocked a nationwide ban of the app hours before it was set to take effect. He also represented Xiaomi Corporation in challenging the Department of Defense designation that would have barred the company from U.S. financial markets, delivering the winning argument that led the court to enjoin the designation, restoring $10 billion to Xiaomi’s market capitalization.

At the state level, Alex has successfully challenged unconstitutional state legislation and defended against state consumer protection actions—a string of victories which resulted in Alex being recognized as Litigator of the Week, as well as a Law360 MVP in both the Cybersecurity & Privacy and the Technology categories.  

Alex has served as counsel to Microsoft Corporation in precedent-setting cases involving government surveillance issues, including Microsoft’s landmark challenge to the government’s attempt to compel disclosure of customer emails stored in Ireland using a search warrant; Microsoft’s First Amendment challenge in the Foreign Intelligence Surveillance Court to restrictions on disclosures about government surveillance; and Microsoft’s constitutional challenge to the statute that allows courts to impose gag orders on technology companies, resulting in nationwide reform of the government’s practices under the statute.

Alex maintains an active pro bono practice, focusing on trial-level indigent criminal defense and youth immigration matters. From 2017 to 2020, Alex represented the University of California in challenging the rescission of the Deferred Action for Childhood Arrivals (DACA) program, ultimately resulting in a 5-4 victory in the U.S. Supreme Court.

Read more about Alexander BerengautEmail
Show more Show less
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie CanterEmail
Show more Show less
Photo of Olivia Vega Olivia Vega

Olivia Vega advises global companies on a broad spectrum of privacy, healthcare, and technology matters, helping them navigate both established and emerging laws and regulations. Her practice includes helping clients comply with state privacy laws, such as the California Consumer Privacy Act and…

Olivia Vega advises global companies on a broad spectrum of privacy, healthcare, and technology matters, helping them navigate both established and emerging laws and regulations. Her practice includes helping clients comply with state privacy laws, such as the California Consumer Privacy Act and the Washington My Health My Data Act, as well as federal frameworks like HIPAA and the privacy standards established by the Federal Trade Commission.

As part of her practice, Olivia helps clients develop privacy notices and policies, negotiate privacy terms with third-party vendors, and design governance programs for new products and services. Olivia also represents clients in enforcement actions brought by the Federal Trade Commission, particularly in areas like data privacy, artificial intelligence, and marketing practices. In addition, she plays a key role in advancing clients’ advocacy efforts during regulatory rulemaking processes on issues related to data privacy, cybersecurity, and artificial intelligence.

Olivia maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics.

Read more about Olivia VegaEmail
Show more Show less
Photo of Diana Lee Diana Lee

Diana Lee is an associate in the technology regulatory group. She counsels clients on a range of regulatory and litigation matters involving electronic surveillance, government demands for data, national security, and data privacy and cybersecurity issues, with a particular focus on cross-border and…

Diana Lee is an associate in the technology regulatory group. She counsels clients on a range of regulatory and litigation matters involving electronic surveillance, government demands for data, national security, and data privacy and cybersecurity issues, with a particular focus on cross-border and multi-jurisdictional concerns.

Before rejoining the firm, Diana clerked for the Honorable Victor A. Bolden on the U.S. District Court for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Read more about Diana LeeEmail
Show more Show less
Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.

Read more about Jorge OrtizEmail
Show more Show less