Effective August 1, 2015, New Jersey will require health insurance carriers authorized to issue health benefit plans in New Jersey to encrypt personal information that they store electronically. The new law (P.L. 2014, c. 88, codified at N.J. Stat. Ann. §§ 56:8-196 - 56:8-198) is unique relative to existing data security requirements, as follows:
This unique encryption requirement applies to licensed health insurance companies, HMOs, medical service corporations, and other entities licensed to issue health benefit plans in New Jersey. In preparation for the effective date of this new requirement, each such company should review its data security safeguards and protocols for compliance. Given the expansive definition of personal information and the extension of the encryption requirement to all computer systems and programs accessible by end users, many companies will likely need to extend their existing encryption technology to cover additional systems and data.
Particularly given the recent announcement of a high-profile breach involving a health plan affecting tens of millions of Americans, this New Jersey legislation may well inspire similar legislative initiatives in other states. Therefore, carriers in all jurisdictions should monitor legislative and regulatory initiatives imposing similar encryption requirements that may be expected to follow. As the health insurance industry is by no means the only industry threatened by attacks on the privacy and security of personal information, companies in every industry should consider extending the scope of current encryption practices for risk mitigation, and be vigilant in monitoring legislative developments for new encryption requirements that may be inspired by this unique New Jersey requirement.
Theodore P. Augustinos is a Partner and Karen L. Booth is an Associate in Locke Lord’s Hartford office. They can be reached at ted.augustinos@lockelord.com and karen.booth@lockelord.com.