N.J. Law Requires Insurers to Encrypt
New Requirement Goes Beyond HIPAA
By Marianne Kolbasuk McGee, January 12, 2015.
A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA .
See Also: Threat Intelligence: Real-Time Breach Discovery
The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.
The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.
Personal information covered by the encryption mandate includes individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.
Different than HIPAA"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.
The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.
"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."
Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."
Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec