Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.

The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the compromise of thousands of patients’ records that were stored on unencrypted computers and computer equipment. The records included patients’ names, addresses, dates of birth, social security numbers and medical information.

By mandating that health care insurers encrypt sensitive patient data, New Jersey seeks to ensure that patients’ personal information is no longer subjected to potential disclosure to unauthorized persons. Sponsors of the legislation argued that it sends a clear message to the public that the government is committed to enforcing the state’s consumer protection laws against health care insurers that have access to patients’ private information.

The key requirements of S562, as well as our recommendations are summarized below.