New Jersey Requires Encryption and More Onerous Privacy & Security Safeguards for Health Insurance Carriers

This month, Governor Chris Christie signed into law a New Jersey bill requiring health insurance carriers (e.g., insurance companies, health service corporations, hospital service corporations, medical service corporations, HMOs that issue health benefits plans in New Jersey) to encrypt or otherwise secure  computerized records of personal information (e.g., SSN, address, identifiable health information, driver’s license number) (“Bill”). The Bill provides an alternative to encryption if the carrier uses, a “method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” However, password protection for computer programs, which is commonly used in the industry, is inadequate under the Bill if “the program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

The Bill does not address the ramifications for insurance carriers that fail to adhere to its requirements. However, in a statement by the Bill’s sponsors, the lawmakers explained that health insurance carriers that violate the Bill would be subject to penalties under the New Jersey consumer fraud statute, such as a monetary penalty up to $10,000 for an initial offense, and no more than $20,000 for each subsequent offense(s). Lawmakers further explained that “a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.”

Interestingly, this Bill only applies to health insurance carriers and not to healthcare providers, such as hospitals or physician group practices. However, it is anticipated that New Jersey will follow the industry enforcement trend that although encryption is not technically required under HIPAA it is considered a “reasonable” technical safeguard and therefore becoming an industry standard best practice. The timing of the Bill is also interesting as President Obama and the Federal Government discuss potential Federal legislation on cybersecurity, student privacy, and a national breach standard.  Tune back in to the Health Law Informer for future blogs on these issues.