- New Jersey Becomes Latest State to Mandate Encryption for Health Information
- March 16, 2015
- Law Firm: Mintz Levin Cohn Ferris Glovsky Popeo P.C. - Boston Office
- All health insurance carriers in New Jersey, including health, hospital and medical insurance corporations, will be required by law to encrypt protected health information (PHI), including a patient’s name linked with a Social Security number, driver’s license or other state-issued identification, address, etc. NJ Governor Chris Christie last week signed legislation that effectively exceeds HIPAA in its requirement that health insurers compiling or maintaining computerized records with personal information secure that information by encryption or another “method or technology rendering it unreadable, undecipherable or otherwise unusable by an unauthorized person.” The legislation comes a year after two laptops with unencrypted data were stolen from the state’s largest health insurer, Horizon Blue Cross Blue Shield. That theft put the personal information of nearly 850,000 Horizon members at risk. The law also applies to PHI both at rest (stored) and in transit “across public networks.”
Under the law, personal information is defined to include an individual’s first name or first initial and last name linked with a Social Security number, a driver’s license or state identification card number, an address, or identifiable health information.
The law becomes effective August 1, 2015, and failing to comply with these standards is punishable by a maximum fine of $10,000 for a first offense and $20,000 for a second or any subsequent offense. A violation can also bring cease-and-desist orders issued by the attorney general, and the AG can seek treble damages for injured parties.