New Jersey Law to Impose Encryption Obligations on Health Insurance Carriers
New Jersey Governor Chris Christie signed into law last week a bill that requires health insurance and care providers that do business in the state to encrypt patient information and healthcare data. The new law arose from the discovery of a series of data breaches involving approximately 1 million New Jersey patients’ healthcare information.
The measure goes into effect on August 1 and will apply to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans. It bars such health insurance carriers from collecting a patient’s name linked with his or her Social Security number, driver’s license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party. Furthermore, the law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection. The law applies to all end-user computers, such as desktops and laptops, and all data and information transmitted via public networks.
New Jersey’s new encryption standard is a permissible extension of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and in fact many healthcare privacy experts believe that encryption provides assurance against noncompliance with HIPAA regulations. Violations fall under New Jersey’s Consumer Fraud Act, which carries penalties of $10,000 for the first offense and $20,000 for each subsequent offense. The Attorney General may also seek treble damages on behalf of any injured parties.