Data Protection Report - Norton Rose Fulbright

Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.

The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the compromise of thousands of patients’ records that were stored on unencrypted computers and computer equipment. The records included patients’ names, addresses, dates of birth, social security numbers and medical information.

By mandating that health care insurers encrypt sensitive patient data, New Jersey seeks to ensure that patients’ personal information is no longer subjected to potential disclosure to unauthorized persons. Sponsors of the legislation argued that it sends a clear message to the public that the government is committed to enforcing the state’s consumer protection laws against health care insurers that have access to patients’ private information.

The key requirements of S562, as well as our recommendations are summarized below.

Businesses affected by S562

S562 applies to all health insurance carriers authorized to issue health benefit plans in the state of New Jersey, including:

  • health insurance companies,
  • health service corporations,
  • hospital service corporations,
  • medical service corporations and
  • health maintenance organizations.

The law defines a health benefit plan as one that “pays or provides hospital and medical expense benefits for covered services” and “is delivered or issued for delivery” in New Jersey by or through the health insurance carrier.

Types of information that must be encrypted

The law requires that the following types of patients’ personal information be secured by encryption:

  • first names or first initials and last names COMBINED WITH
  • social security numbers; and/or
  • driver’s license numbers or state identification card numbers; and/or
  • addresses; and/or
  • identifiable health information.

Identifiable health information means information that the health insurance carrier collects from a patient, which identifies that patient (or can be used to identify the patient) and relates to his or her past, present or future physical or mental health, provision of healthcare, or payment for the provision of healthcare.

Methods of protecting personal information

While S562 uses the word “encryption” to describe the default method by which health insurers must protect patients’ sensitive personal information, the law also allows for “any other method or technology” that renders the “information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”  Stated differently, health insurance carriers are free to employ any method that would have the same effect as encryption.  As stated in the text, the main goal of S562 is to prevent an unauthorized person from being able to access, read or use sensitive personal data.

The law requires personal information to be encrypted or otherwise protected from unauthorized disclosure on all end user computer systems (and from computerized records transmitted across public networks), including:

  • desktop computers,
  • laptop computers,
  • tablets and other mobile devices, and
  • removable media.

Penalties for violation of S562

New Jersey’s Consumer Fraud Act (the “Act”) sets forth the penalties imposed for violating any section of the Act, including the new encryption requirements outlined in S562.  Specifically, violators of the Act face penalties of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense. Additionally, the New Jersey Attorney General has authority to issue cease and desist letters to violators and to seek a court-ordered award of damages and other costs for persons adversely affected by violators.

S562 compared to HIPAA

S562, unlike the Security Rule found in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), makes encryption (or a similar encryption-like method) of a patient’s electronically stored personal information mandatory.  HIPAA’s Security Rule, on the other hand, only refers to encryption as an optional tool or as an “addressable implementation specification,” meaning that it should be implemented only if, after conducting a risk assessment, the covered entity determines that it would be reasonable and appropriate to do so.  If not, the covered entity can simply implement an equivalent alternative measure, provided that that measure is also both reasonable and appropriate.

Notably, HIPAA’s Breach Notification Rule makes clear that covered entities that decide to secure their patients’ electronic personal health information by encryption are exempt from providing the required notifications following a breach.  Therefore, though not mandatory, encryption should still be considered the recommended method for protecting patients’ electronically-stored personal information under HIPAA.

Our recommendations 

To prepare for compliance with S562, health care insurers should:

  • understand the requirements of the statute;
  • analyze how patient information flows through the organization and where it is stored;
  • inventory computers, laptops, tablets and other mobile devices on which patient information may be maintained;
  • assess the method by which patient information is secured in storage;
  • as necessary, verify, implement or update, the security measures in place to safeguard the data;
  • implement security policies and procedures governing the collection and storage of patients’ data, and if such policies already exists, update them to reflect the requirements identified in S562; and
  • be prepared to articulate their information security practices if asked by regulators or patients.

Taking these steps will help health insurance carriers bring their data protection practices into compliance with S562 before the law becomes effective later this year.