December 19, 2018

New Jersey Law to Impose Encryption Obligations on Health Insurance Carriers

New Jersey Governor Chris Christie signed into law last week a bill that requires health insurance and care providers that do business in the state to encrypt patient information and healthcare data. The new law arose from the discovery of a series of data breaches involving approximately 1 million New Jersey patients’ healthcare information.

The measure goes into effect on August 1 and will apply to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans. It bars such health insurance carriers from collecting a patient’s name linked with his or her Social Security number, driver’s license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party. Furthermore, the law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection. The law applies to all end-user computers, such as desktops and laptops, and all data and information transmitted via public networks.

New Jersey’s new encryption standard is a permissible extension of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and in fact, many healthcare privacy experts believe that encryption provides assurances against noncompliance with HIPAA regulations. Violations fall under New Jersey’s Consumer Fraud Act, which imposes penalties of $10,000 for the first offense and $20,000 for any subsequent offense. The Attorney General may also seek treble damages for any injured parties.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.