HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Jersey Extends HIPAA: PHI Data Encryption Mandatory

New Jersey Governor, Chris Christie, signed a new law last week that extends the reach of HIPAA, calling for New Jersey healthcare providers to make greater efforts to keep the electronic health records of patients secure. The new law will go into effect in July this year and requires all covered entities to use data encryption software on all electronic devices that contain Protected Health Information.

HIPAA does not currently require all health data to be encrypted. The legislation only states that the “encryption of healthcare data must be addressed”. The new law takes this further and mandates encryption. When the law comes into effect in the summer, all end user computer systems including laptop computers, desktop PCs, portable storage devices, tablets and Smartphones will require PHI to be encrypted. The new law states:

“Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

Data that must be encrypted includes personal identifiers such as first names, initials and surnames – if they are linked to any identifiable health information – in addition to Social Security numbers, Driver’s License details, ID card numbers and home addresses.

Please see the HIPAA Journal Privacy Policy

The new law has been introduced in the wake of a number major HIPAA breaches that have plagued the state’s healthcare providers. The breaches have exposed the health data of over 1 million N.J residents since 2009 according to U.S. Department of Health and Human Services.

Blue Cross Blue Shield was one of the New Jersey’s major offenders, having exposed the data of 840,000 N.J residents in late 2013; Newark Beth Israel Medical Center has suffered three data breaches since 2010 and Vineland’s Inspira Medical Center also experiencing a major HIPAA breach in 2014, to name but a few.

HIPAA sets a minimum standard which all states must follow; however tougher laws can be introduced at state level to further protect the health data of residents. From July, New Jersey will have some of the toughest laws covering data privacy and security which should drastically reduce the volume of data breaches.

Even if mobile devices containing PHI are lost or stolen, they will not result in the exposure of patient health information as encrypted data cannot be read, accessed or otherwise used without a security key.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.