As of August 1, 2015, health insurance companies in New Jersey will be required to enact greater security measures to protect personally identifiable information. The new standard will require encryption of "personal information," which includes:
- the social security number;
- the driver's license, or other state-issued identification;
- the member's address; and
- any other identifiable health information.
It is important to note that the requirements of this law are more stringent than the requirements of the federal Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA merely requires that health insurance carriers protect the information; nothing is specified as to what a minimum level of protection looks like technologically. The New Jersey law, on the other hand, requires basic encryption.
An important point missing from the law is how business associates of insurers who share information will fare. This would include device manufacturers, IT firms, lawyers, and other such service providers. In order to avoid any possible future liability arising from this law, it is advisable that service agreements now contain clauses that explicitly deal with encryption standards for any service provider who handles patient data.