(TRENTON) – Legislation Assembly Democrats Gary Schaer, Carmelo Garcia and Joseph Lagana sponsored to better secure personal health information was released Thursday by an Assembly panel.
The bill (A-3322) requires health insurance carriers when compiling or maintaining computerized records that include personal information, to secure the information by encryption or by any other method or technology rendering it unreadable, undecipherable or otherwise unusable by an unauthorized person.
This requirement only applies to end user computer systems and computerized records transmitted across public networks.
“We’ve seen far too many examples of personal information being stolen from retailers and other invasions of privacy, so some common sense is needed when it comes to securing health information, which is for many people as personal as it gets,” said Schaer (D-Passaic/Bergen). “This bill is a reasonable requirement to protect personal privacy in this digital age.”
“It’s bad enough that people have had their financial information hacked,” said Garcia (D-Hudson). “Health records are even more personal for many people, so with that in mind, we need this bill now more than ever.”
“The bill requires reasonable steps to protect personal health information that should always remain confidential,” said Lagana (D-Bergen/Passaic). “People need to have confidence that their health information is secure, and this bill is a step toward accomplishing that vital goal.”
Compliance with this requirement shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to personal information, but does not render the information itself unreadable, undecipherable or otherwise unusable by an unauthorized person operating, altering, deleting or bypassing the password protection program.
As defined in the bill, “personal information” means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.
It would be an unlawful practice and a violation of the consumer fraud law for a health insurance carrier to violate the provisions of this bill. Such violation is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for a second or any subsequent offense. In addition, a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.
The bill was released by the Assembly Financial Institutions and Insurance Committee.
