Encryption

Time to Get Rid of Those Post-it Notes with All Your Passwords!!!

Posted by Ryan Blaney on January 22, 2015
Encryption / No Comments

This month, Governor Chris Christie signed into law a New Jersey bill requiring health insurance carriers (e.g., insurance companies, health service corporations, hospital service corporations, medical service corporations, HMOs that issue health benefits plans in New Jersey) to encrypt or otherwise secure  computerized records of personal information (e.g., SSN, address, identifiable health information, driver’s license number) (“Bill”). The Bill provides an alternative to encryption if the carrier uses, a “method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” However, password protection for computer programs, which is commonly used in the industry, is inadequate under the Bill if “the program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

The Bill does not address the ramifications for insurance carriers that fail to adhere to its requirements. However, in a statement by the Bill’s sponsors, the lawmakers explained that health insurance carriers that violate the Bill would be subject to penalties under the New Jersey consumer fraud statute, such as a monetary penalty up to $10,000 for an initial offense, and no more than $20,000 for each subsequent offense(s). Lawmakers further explained that “a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.”

Interestingly, this Bill only applies to health insurance carriers and not to healthcare providers, such as hospitals or physician group practices. However, it is anticipated that New Jersey will follow the industry enforcement trend that although encryption is not technically required under HIPAA it is considered a “reasonable” technical safeguard and therefore becoming an industry standard best practice. The timing of the Bill is also interesting as President Obama and the Federal Government discuss potential Federal legislation on cybersecurity, student privacy, and a national breach standard.  Tune back in to the Health Law Informer for future blogs on these issues.

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , , ,