Effective August 1, 2015, insurance carriers that issue health insurance in New Jersey must use encryption or other technology that renders personal information unreadable, undecipherable, or unusable by unauthorized persons when compiling or maintaining computerized records that include personal information. Password protection is inadequate to comply with this law, known as Senate Bill 562 or S562. The New Jersey legislature unanimously enacted S562 in response to heightened public concern about privacy and security issues.
Unlike most state data breach laws, which require businesses to act only after a data security breach has occurred, this law is intended to prevent breaches in the first place. It also goes beyond HIPAA: under the HIPAA Security Rule, encryption of protected health information is an "addressable" implementation specification, so a covered entity may document why encryption is not reasonable and appropriate for it and adopt an alternative measure instead. The New Jersey law makes encryption (or an equivalent technology that renders the data unreadable) mandatory. Lawmakers and security experts believe that New Jersey's law may serve as a model for other states seeking to protect personal information and prevent data breaches.
Under S562, “Personal information” means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information. Failure to encrypt personal information is a violation of New Jersey’s consumer fraud statute and subjects violators to the Attorney General’s enforcement powers as well as treble damages. A violation could be a very expensive proposition.
Encryption provides greater security than password protection because it transforms the stored data itself: without the key, the ciphertext is unreadable no matter who obtains a copy of the file, database, or disk. Password protection, by contrast, only gates access to data that remains in plaintext. An attacker who copies the storage bypasses the gate entirely, and one who cannot can still guess the password by brute force or from a wordlist using freely available password-cracking tools. Encryption is only as strong as its key management, however: a key derived from a weak password is as guessable as the password, and a key stored alongside the data protects nothing, so keys should be generated randomly and held separately (for example in a hardware security module or key management service). Layering user access controls or a dynamic security policy on top of the encrypted information further enhances security.
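The contrast above, as an added example that is not part of the original article: a "password-protected" record is stored in plaintext behind a PBKDF2 gate, so a copy of the file is readable without the password and the password itself falls to an offline dictionary attack; the same record encrypted under a random 256-bit key contains no readable personal information and rejects any altered bytes. The record, the wordlist, and the password are constructed for the example. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the standard library; it stands in for AES-256-GCM, which is what a production deployment should use, from a vetted library and with the key held in an HSM or KMS.

```python
# Added illustration (not code from the original article): a password gate leaves
# S562 "personal information" in plaintext, while encryption transforms it so a
# copied file is useless without the key. The cipher is HMAC-SHA256 in counter
# mode plus an encrypt-then-MAC tag, standard library only; use AES-256-GCM from
# a vetted library in production.
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# Constructed sample record: a name linked to an SSN and an address, which is
# "personal information" under S562's definition.
RECORD = {"first": "Jane", "last": "Doe", "ssn": "123-45-6789",
          "address": "1 Main St, Trenton, NJ"}

# --- Password protection: the record stays plaintext behind a gate ---

def store_with_password_gate(record: dict, password: str) -> dict:
    """Store the record unchanged alongside a PBKDF2 hash of the gate password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"data": json.dumps(record), "salt": salt, "hash": digest}

def read_without_password(stored: dict) -> dict:
    """Whoever copies the file simply reads the data; the gate is never consulted."""
    return json.loads(stored["data"])

def guess_password(stored: dict, wordlist: list) -> Optional[str]:
    """Offline dictionary attack on the gate: each guess is checked locally."""
    for candidate in wordlist:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), stored["salt"], 100_000)
        if hmac.compare_digest(digest, stored["hash"]):
            return candidate
    return None

# --- Encryption: the data itself is transformed under a 256-bit key ---

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (illustrative stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_record(key: bytes, record: dict) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per record."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(record).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_record(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or altered bytes raise ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or ciphertext altered")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def demo() -> dict:
    """Run both approaches on RECORD and report what an attacker holding the file gets."""
    gated = store_with_password_gate(RECORD, "summer2015")
    leaked_ssn = read_without_password(gated)["ssn"]
    cracked = guess_password(gated, ["password", "letmein", "summer2015"])
    key = secrets.token_bytes(32)              # 2**256 possibilities; not guessable
    blob = encrypt_record(key, RECORD)
    tampered = bytearray(blob)
    tampered[20] ^= 0x01                       # flip one ciphertext bit
    try:
        decrypt_record(key, bytes(tampered))
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return {
        "gate_leaks_ssn": leaked_ssn == RECORD["ssn"],
        "gate_password_cracked": cracked,
        "ssn_visible_in_ciphertext": RECORD["ssn"].encode() in blob,
        "roundtrip_ok": decrypt_record(key, blob) == RECORD,
        "tamper_caught": tamper_caught,
    }
```

Running `demo()` shows the gate leaking the SSN and its password being recovered from a three-word list, while the ciphertext contains no trace of the SSN, round-trips only under the original key, and fails authentication when a single bit is changed. The point that survives the swap to a real cipher is structural: the gate protects a path to the data, encryption protects the data.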
S562 also differs from HIPAA in that it does not expressly address the statutory obligations of business associates. These are organizations that perform functions for or provide services to health insurance carriers, such as medical equipment companies, attorneys, auditors, and the technology companies that provide network and system support. Business associates handle the same personal information as the carriers themselves, and the same reasoning could extend to healthcare providers, which routinely exchange that information with insurance companies.
It is unclear whether the New Jersey legislature intended to omit business associates from the scope of S562, and it may revise the statute to bring it more in line with HIPAA. In the meantime, New Jersey health insurers should consider adding encryption standards to their business associate agreements to protect themselves.
All businesses that handle healthcare information and share it with health insurance carriers should encrypt that data to align with this new law. As more states look at how to prevent data breaches, they will most likely follow suit and enact similar legislation. It is best to get ahead of this issue by starting now.