Health Insurance Companies in New Jersey Must Comply With New Data Encryption Law

New Jersey health insurance companies will now be required to protect customer health care records. The legislation was signed into law on January 9, 2015 by Governor Christie. The new law signals a strengthened commitment to protect confidential consumer data, but the law is not without its burdens. The new standards will require healthcare companies to assess the law against their own systems and practices so that a plan to achieve compliance can be developed. Compliance with this law is important because failure to comply may create liability under New Jersey’s Consumer Fraud Act.

The Jayson Law Group is dedicated to assisting both well-established and emerging New Jersey businesses. Our firm can provide trusted guidance regarding regulatory compliance and a number of commercial legal concerns.

What events spurred this legislation?

This legislation was apparently motivated by a string of healthcare data breaches. In November 2013, Horizon Blue Cross Blue Shield notified police that two company laptops had been stolen from its Newark offices. Although the computers had been chained to employee workstations, the locks securing the computers had apparently been broken. The computers contained healthcare data, social security numbers and other confidential personal information for approximately 840,000 policy holders. The data was not encrypted, meaning that anyone with physical access to the hard drive would be able to access the data.


However, the Blue Cross Blue Shield data breach was far from the only patient data breach in New Jersey. NJ.com reports that there have been more than 14 data breaches involving confidential data since 2009. NJ.com has also reported that the state itself has been complicit in data breaches, as a third-party contractor for the New Jersey Department of Human Services apparently lost a thumb drive containing data for approximately 9,000 Medicaid subscribers. Small private offices have been particularly susceptible to laptop theft.

What does the new data encryption law require?

The handling of private healthcare data has been governed by the Health Insurance Portability and Accountability Act (HIPAA) since 2009. However, HIPAA does not strictly require encryption of healthcare data. This legislation would increase the security measures required to protect patient data. Under the law, health insurance carriers would be prohibited from keeping digital records including personal information unless the information is encrypted or otherwise secured. It is important to note that a simple access password would not be sufficient, because the statute requires that the data be made “unreadable, undecipherable, or otherwise unusable by an unauthorized person.” Protecting the data with a password alone would not suffice, because merely preventing “general unauthorized access to the personal information” is not enough; the data itself must be rendered unusable to anyone who obtains it.

Are New Jersey healthcare companies compliant with the new law?

While HIPAA itself did not require data encryption, there were already benefits in encrypting customer healthcare data. For instance, if there is a breach and the data is encrypted, there generally is not a duty to report the breach to the US Department of Health and Human Services, as would typically be required. This is because the encryption should render the data completely indecipherable. However, it appears that healthcare insurance companies and medical providers in the state have been slow to adopt encryption as a standard practice.

A state-wide audit conducted by the Office for Civil Rights uncovered at least one problem at 58 of 59 healthcare providers. Furthermore, of the 115 organizations that were audited, nearly half lacked data encryption of any type. While the data was not broken down further, the facilities audited included 39 health care providers and 14 health insurance companies. If these figures did not already show that the healthcare industry needed to take action to adopt the security standards already in place in the banking, credit card, and financial industries, half of all breaches in New Jersey since 2009 involved unencrypted patient data. In short, compliance problems with the new law can be expected to be widespread.


Rely on the experience of the Jayson Law Group for your legal compliance concerns

The attorneys of the Jayson Law Group are experienced in addressing the legal concerns of established corporations and emerging start-ups. We can guide your health insurance company or other business through regulatory challenges. To discuss your legal concerns confidentially, call (908)768-3633 or contact us online.
