New legislation signed by New Jersey Governor Chris Christie late last week mandates that health insurance companies in the state protect the personal information they compile or maintain through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.”
“Personal information” protected by the law includes an individual’s first name or first initial and last name linked with a Social Security number, driver’s license or state identification card number, address or identifiable health information. The law applies to “end user computer systems,” such as desktop computers, laptops, tablets or other mobile devices, or removable media, as well as computer records transmitted across public networks.
Prior health data breaches, including the theft of two laptops containing unencrypted personal information regarding 840,000 Horizon Blue Cross Blue Shield of New Jersey policyholders, triggered the legislation. Both houses of the state legislature unanimously approved the bill.
A violation of the law – which takes effect on August 1, 2015 – will constitute a breach of New Jersey’s consumer fraud statute. First offenses could trigger fines of up to $10,000, with fines of up to $20,000 for any subsequent violations.
More Stringent than Federal Law
In contrast to the New Jersey law’s required encryption, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) treats encryption as an addressable implementation specification. Under HIPAA, an entity could determine, after a risk assessment, that the encryption implementation specification is not a reasonable and appropriate safeguard and could implement an equivalent alternative measure. Theoretically, a New Jersey health insurance carrier could therefore be required by state law to encrypt information despite its determination that HIPAA would not require such encryption. In practice, however, many treat encryption as a veritable HIPAA standard since it offers a safe harbor from HIPAA breach notification requirements.