Breach Response , Data Breach , Encryption & Key Management

N.J. Law Requires Insurers to Encrypt

New Requirement Goes Beyond HIPAA
N.J. Law Requires Insurers to Encrypt

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA .

See Also: Live Webinar | Levers of Human Deception: The Science and Methodology Behind Social Engineering

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.