Epstein Becker Green Health Care and Life Sciences Client Alert

In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated to do more to protect patient information than simply comply with the federal Health Insurance Portability and Accountability Act (“HIPAA”). A new law, signed by Governor Chris Christie on January 9, 2015, specifically requires health insurance carriers to encrypt electronically gathered and stored personal information.

The key terms in the law are defined as follows:

  • “Health insurance carriers” means “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.”
  • “Personal information” means “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.”

Although New Jersey already has a law requiring notification to individuals in the event of a data breach of their personal information, the new law is aimed at preventing breaches in the first place and further reducing the risks of misappropriation and identity theft.

In addition, while HIPAA mandates the protection of personal information, HIPAA suggests encryption only when sufficient risk is identified and encryption is reasonable. New Jersey’s new law goes a step further by mandating that all computerized data be rendered “unreadable, undecipherable, or otherwise unusable by an unauthorized person.” The law applies to “end user computer systems” (e.g., desktop and laptop computers, tablets, and mobile devices), and to “computerized records transmitted across public networks.”

With the new law, password-protected user access will no longer be legally sufficient security for protecting personal information. Failure to comply will be deemed a violation of New Jersey’s Consumer Fraud Act, which can result in treble damages.

What Should New Jersey Health Insurance Carriers Do to Prepare?

Health insurance carriers inside New Jersey should do the following:

  • Revise existing risk assessment criteria and modify any protocol that permits discretion with regard to data protection.
  • Confirm that no end-user computer system, including laptops or mobile devices, contains unencrypted personal information.
  • Establish protocols and procedures to ensure that all personal information on end-user computer systems is secured by encryption, regardless of the potential difficulty, cost, or maintenance of such a program.
  • Establish routine audits/testing to confirm and ensure the integrity of the encryption programs once installed. Scans should be performed to determine whether hidden or unknown repositories of personal information (e.g., email servers) are contained within the environment.
  • Review any “Bring Your Own Device” policy and procedures to ensure that employees’ personal devices used for business have the necessary encryption of protected personal information.

What Should Health Insurance Carriers Outside New Jersey Do?

Health insurance carriers outside New Jersey should stay tuned. While a similar law already exists in Massachusetts, it would be reasonable to forecast that other states will follow suit in the near term.

The federal government also has taken heed. As recently as last week, it was reported by the Centers for Medicare & Medicaid Services that the agency is adding layers of encryption to the HealthCare.gov website to protect enrollees.

* * *

This Client Alert was authored by Mollie K. O’Brien. For additional information about the issues discussed in this Client Alert, please contact the author or the Epstein Becker Green attorney who regularly handles your legal matters.
