New Jersey imposes new encryption standards for PHI

By Richard Bortnick on January 27, 2015

New Jersey recently amended its privacy laws to require health insurers and care providers that do business in the state to encrypt personal health information (PHI).

The new requirements apply to insurers authorized to issue New Jersey health benefit plans. Such insurers are prohibited from collecting both personally identifiable information and PHI (including a patient’s name linked with a corresponding Social Security number, driver’s license or other state identification number, address, and other identifiable health information) unless the data is “secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

The new law requires enhanced security measures including complex passwords and further mandates that health insurance carriers implement safeguards that render PHI “unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection.”

The New Jersey law applies to all end-user computers, desktops, laptops, and all data and information transmitted over public networks.

The Garden State’s encryption standard is, in fact, more extensive than the safeguards for data required by the Health Insurance Portability and Accountability Act (HIPAA), which itself does not expressly require encryption.

In this regard, under HIPAA, encryption is an “addressable standard,” meaning that covered entities must decide whether encryption is “reasonable and appropriate” within their particular security framework and must implement an “equivalent alternative” if it is unreasonable and inappropriate.

In addition, HIPAA’s Notification Rule establishes a “safe harbor” by eliminating the requirement for covered entities to notify affected parties and the federal government in the event of a data breach if the data is encrypted. It is therefore already considered a HIPAA best practice to use an encryption standard to protect PHI.

The new law becomes effective August 1 of this year. Violations of the new standards will fall under New Jersey’s Consumer Fraud Act, which sets forth penalties of $10,000 for first offenses and $20,000 for subsequent offenses. The New Jersey Attorney General may also seek treble damages for any injured parties.

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.