New Jersey law mandating health insurance data encryption may have broader implications

As one of his first acts in the new year on January 9, 2015, New Jersey Governor Chris Christie signed into law Senate Bill 562 after the bill unanimously passed both the New Jersey State Senate and Assembly. This new law goes into effect as of July 1, 2015. The genesis for this bill was the continued stream of data breaches in the financial services sector, including the Horizon Blue Cross Blue Shield breach in which approximately 840,000 records were compromised. The intent of this new law is to ensure that any personal information compiled or maintained by a health insurance carrier is adequately encrypted. In the scope of this legislation, a health insurance carrier is defined as a company authorized to issue health benefits plans in the state of New Jersey. The law does not appear to apply only to New Jersey domiciled companies. The exact text of the law states:

“A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person. Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

 

For the context of this law, personal information is defined as an individual's first name or first initial and last name linked with one or more of the following data elements:

  • Social Security number,
  • Driver's license number or State identification card number,
  • Address, or
  • Identifiable health information.1

The loss of unencrypted devices and equipment is one of the leading causes of reported data breaches according to the US Department of Health and Human Services Office of Civil Rights. Part of this is driven by the fact many data protection and breach notification laws do not require disclosure of the breaches to regulatory authorities if the devices or equipment are encrypted. 

Unlike the Health Insurance Portability and Accountability Act (HIPAA), the new law does not allow for a company to perform an assessment to determine whether to encrypt, instead it mandates encryption of personal information and the end user computer systems and computerized records transmitted across public networks. As a result, failure to encrypt such information would now be in violation of the New Jersey law. 

One area unclear in the legislation is how this impacts third-party vendors who provide services to the entities required to comply with the law. Organizations should consider taking the following steps regardless of whether this law directly applies as it is possible similar legislation will follow or evolving legal interpretations will force their compliance:

  • Given the ease at which information, including personal information, can be transferred, organizations should inventory all potential locations of personal information, including on mobile devices, and assess whether the current encryption requirements are being met. 
  • Rigorously enforce that all employees attend security awareness training to help them to understand where personal information should or should not be accessed, stored, or transmitted. Often times breaches are related to equipment that management was unaware had personal information. 
  • Perform a comprehensive, thorough, and documented risk assessment of the risks to the integrity, confidentiality, and security of personal information and map that risk assessment and findings to the applicable legal requirements, such as HIPAA, Payment Card Industry Data Security Standard (PCI DSS), and the New Jersey law.

For more information on this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.


  1. Defined in Department of Health and Human Services: 45 CFR 160.103