Legislation sponsored by Assembly Democrats Gary Schaer, Carmelo Garcia and Joseph Lagana to better secure personal health information has now been signed into law.
The new law (A-3322) requires health insurance carriers, when compiling or maintaining computerized records that include personal information, to secure the information by encryption or by any other method or technology that renders it unreadable, undecipherable or otherwise unusable by an unauthorized person.
This requirement only applies to end user computer systems and computerized records transmitted across public networks.
“We’ve seen far too many examples of personal information being stolen from retailers and other invasions of privacy, so some common sense is needed when it comes to securing health information, which for many people is as personal as it gets,” said Schaer (D-Passaic/Bergen). “This law is a reasonable requirement to protect personal privacy in this digital age.”
“It’s bad enough that people have had their financial information hacked,” said Garcia (D-Hudson). “Health records are even more personal for many people, so with that in mind, we need this law now more than ever.”
“This law requires reasonable steps to protect personal health information that should always remain confidential,” said Lagana (D-Bergen/Passaic). “People need to have confidence that their health information is secure, and this law is a step toward accomplishing that vital goal.”
Compliance with this new requirement requires more than the use of a password-protection computer program if that program only prevents general unauthorized access to personal information but does not render the information itself unreadable, undecipherable or otherwise unusable by an unauthorized person operating, altering, deleting or bypassing the password-protection program.
As defined in the law, “personal information” means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; (3) address; or (4) identifiable health information.
It is an unlawful practice and a violation of the consumer fraud law for a health insurance carrier to violate the provisions of this law. Such a violation is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for a second or any subsequent offense. In addition, a violation can result in cease-and-desist orders issued by the attorney general and the awarding of treble damages and costs to the injured party.