We have posted before about how state laws can be more stringent than the HIPAA Rule requirements. Here is another example. A New Jersey state law amendment signed into law this week. The law affects health insurance carriers. It raises the bar another notch.
Under the new law, if health insurance carriers want to store Personal Information about its insured on its network or software, it must encrypt desktop computers, laptops, tablets, mobile devices, and removable media used to access the information. It is immaterial whether the devices [i.e. computer, laptop, tablet, cell phone] have Personal Information stored on them. If the computer, laptop, tablet, cell phone is used to get on the insurance carriers’ network or access the carriers’ software online, the computer, laptop, tablet, cell phone must be encrypted. What about personally owned devices-BYOD policies? Let’s say an employee of the health insurance carrier uses his or her own cell phone to access the carrier’s network, does the cell phone have to be encrypted? The answer would seem to be yes!
As with other state laws, notice the term variance from the HIPAA Rule. The New Jersey law uses the term Personal Information. HIPAA uses the terms Protected Health Information [PHI] and identifiable health information. These varying terms carry varying definitions. Personal Information under New Jersey law means an individual’s name in parity with the individual’s social security number, address or identifiable health information. This is an expansive definition. This would include , for example, an insured mailing list.
Strict new law. It goes into effect August 1 of this year. As the incidents of breaches mount, we can expect more state law enactments and tougher laws in general. The New Jersey law carries a monetary fine of not more than 10,000 dollars for the first offense, not more than 20,000 dollars for a second and subsequent offense, and treble damages and costs to injured person. Individual persons may file suit for violations under the law.