New Jersey HIPAA Data Encryption Laws to Change

From July 2015, all New Jersey healthcare organizations, health plans, clearing houses and business associates will be required to comply with updated New Jersey HIPAA Data Encryption Laws, which make data encryption of all PHI mandatory. The measure is a further safeguard for consumers’ privacy in the wake of the major data breaches that have hit the state in recent months.

A new law has just been signed by New Jersey Governor Chris Christie which covers electronic health records and Personal Health Information and the safeguards that must be used to secure it.

The new law will apply to all devices used to store or transmit healthcare data, including BYOD smartphones, laptops, storage devices and desktop computers. Data must be encrypted both at rest and in transit. Under the new law, the use of smartphones in healthcare for communicating PHI will only be permissible if encrypted text message software is used.

New Jersey has seen more than its fair share of HIPAA breaches in recent years: according to breach reports issued to the Department of Health and Human Services’ Office for Civil Rights, over 1 million residents are believed to have had their data either exposed or stolen.

The Beth Israel Medical Center in Newark has suffered three breaches over the past four years, and Blue Cross Blue Shield exposed 840,000 patient health records. There have also been many smaller breaches, including one involving 1,411 records at Vineland Inspira Medical Center last year.

The theft of devices used to store or access PHI is the most common cause of HIPAA data breaches, and data encryption would prevent the vast majority of these from exposing data. Without the decryption key, encrypted data cannot be read or decrypted. A device may still be lost, but its loss would not expose any patient data.

The law covers not only PHI but also any personally identifiable information, such as names, initials, addresses, telephone numbers, driver’s license details and Social Security numbers.

All companies or organizations using or accessing PHI have only 6 months to introduce the necessary encryption technologies in order to comply with the New Jersey HIPAA Data Encryption Laws; otherwise they will face financial penalties and other sanctions for non-compliance.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news