New Jersey Senate Bill No. 562 (“SB 562”), signed into law on January 9, 2015, will require health insurance carriers authorized to issue health benefits plans in New Jersey to encrypt personal information. The law applies to personal information maintained in “end user computer systems and computerized records transmitted across public networks” beginning on August 1, 2015. As this law indicates, states are increasingly using consumer protection and unfair trade practice acts to impose and enforce privacy and security requirements. SB 562 therefore provides yet another example of how health care industry stakeholders must always account for state laws when implementing health care data security policies and procedures.
New Jersey is only the second state to impose an explicit encryption requirement by statute, following Massachusetts (see Mass. Gen. Law ch. 93H and the regulations issued under it). The HIPAA Security Rule has long classified encryption as an “addressable” implementation specification, which does not make it optional: a covered entity must either implement encryption where it is reasonable and appropriate or document why it is not and adopt an equivalent alternative measure. In recent enforcement actions, the Department of Health and Human Services (HHS) has increasingly treated encryption of protected health information, particularly on portable devices, as the expected baseline. Taken together, the new state laws and the federal enforcement posture show that the trend toward mandatory encryption is only strengthening.
Three elements of the law bear mentioning. First, SB 562’s definition of “end user computer systems” is broad and expressly includes desktops, laptops, tablets or other mobile devices, and removable media. Although SB 562 states that it applies only to such end user computer systems and to computerized records transmitted across public networks, it is unclear whether “public networks” reaches records maintained in cloud storage (particularly private cloud environments). In practice, encryption here means rendering the stored or transmitted data unreadable to anyone without the key; an operating-system login password or other access control that leaves the underlying data in cleartext is not a substitute.
Second, the encryption requirement broadly applies to combinations of an individual’s first name (or first initial) and last name linked with (1) a Social Security number; (2) driver’s license number or state identification card number; (3) address; and/or (4) individually identifiable health information as defined under 45 C.F.R. § 160.103.
Finally, health insurance carriers that violate SB 562 may be subject to penalties under the New Jersey Consumer Fraud Act of up to $10,000 for a first offense and $20,000 for each subsequent offense. In addition, the state Attorney General may issue cease and desist orders to violators and may seek treble damages and costs on behalf of individuals whose data was not encrypted as SB 562 requires.
Health care records have drawn particular attention given the sensitivity of the information and the rising frequency of breaches. Because national companies find it difficult to maintain different policies and procedures in each jurisdiction, SB 562 may end up setting a data security floor for at least some of them, much as the Massachusetts regulations have for companies doing business in that state. For now, every health insurance carrier that does business in New Jersey should review its policies and procedures, and confirm that personal information on end user devices, removable media and public-network transmissions is actually encrypted, to ensure it complies with SB 562.