New Jersey Governor Chris Christie has signed a new law requiring health insurance companies to protect client health information by encrypting the data. The law applies to any insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in New Jersey. These entities must take steps to protect the “individually identifiable health information” they compile, either through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person,” according to the legislation. The law will become effective on August 1, 2015.
In contrast, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule applies to health plans (which includes the health insurance companies identified above, but also includes, among others, ERISA group health plans, federal programs providing health benefits, and any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care), health care clearinghouses and certain health care providers, as well as their business associates. The HIPAA Security Rule requires the adoption of administrative, physical and technical safeguards to ensure the confidentiality, availability and integrity of electronic protected health information (PHI), but does not expressly require encryption. Under two separate technical standards (access controls and transmission security), encryption is an addressable implementation specification under HIPAA. That means a covered entity or business associate is required to adopt encryption if it is a reasonable and appropriate safeguard in the entity’s environment, when analyzed with reference to its likely contribution to protecting electronic PHI, and, if it is not, to adopt an equivalent alternative measure where that is reasonable and appropriate. In reality, many believe that encryption has become a de facto HIPAA standard in many instances because it provides a safe harbor from HIPAA breach notification requirements and because of HHS’s investigatory and enforcement activities.
New Jersey now joins Massachusetts and Nevada in imposing specific security requirements for the protection of personal information that arguably go beyond federal law. The Massachusetts law imposes broader requirements, including the obligation for companies that store any type of personally identifiable information of Massachusetts residents to implement and maintain a comprehensive, written information security program. Similarly, Nevada’s statutory requirements apply to all personally identifiable information of Nevada residents and include compliance with the most current version of the Payment Card Industry Data Security Standard.
The New Jersey law does not specify the means or standard of the encryption requirement, which applies only to end user computer systems (e.g. desktops, laptops and other devices used by end users to access the data) and computerized records transmitted across public networks. It was spurred by recent health information privacy breaches in the state including incidents of stolen laptops containing unencrypted health information on approximately 840,000 individuals from a major New Jersey health insurance carrier in 2013.