How to Comply with the HIPAA Privacy Rule
Who needs to do what in New Jersey
By S.M. Oliva | Last updated on January 26, 2023
Use these links to jump to different sections:
- Who Is Covered by HIPAA?
- What Does HIPAA Protect?
- What Actions Must Covered Entities Take?
- New Jersey’s Encryption Mandate
Who Is Covered by HIPAA?
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is the main federal law governing data privacy and security in the healthcare field. HIPAA establishes a common set of rules that govern health care providers, health insurance companies, and any other entity that serves as a clearinghouse for protected health information (PHI). In addition to these “covered entities,” HIPAA also applies to “business associates,” which are individuals and businesses that use PHI on behalf of a covered entity.
What Does HIPAA Protect?
Basically, HIPAA regulations protect anything involving an individual’s past, current, or expected future medical condition, whether related to their physical or mental health. This includes any information related to the individual’s medical treatment, health plans, and any payments for services rendered. HIPAA also covers individually identifiable health information, meaning data that may be used to identify a particular individual, such as their name, address, date of birth, and Social Security number.
What Actions Must Covered Entities Take?
It is critical to understand what the law actually requires of covered entities. Aside from maintaining the privacy of PHI, a covered entity or business associate must also take certain affirmative steps to ensure the security of any data in their possession. This includes:
- Making sure any PHI remains confidential (i.e., it is not made available or disclosed to any unauthorized individuals or entities).
- Identifying and protecting against “reasonably anticipated threats” to the security of any PHI.
- Ensuring that all employees and contractors working for the covered entity or business associate comply with HIPAA’s security rules.
New Jersey’s Encryption Mandate
Beyond HIPAA’s requirements, New Jersey has taken additional steps to ensure the security of PHI. In 2015, the state adopted legislation requiring the use of “data encryption software” on any electronic devices that may contain electronic health records and PHI. Although HIPAA requires covered entities to “address” encryption as part of their overall compliance planning, New Jersey’s law expressly mandates encryption. What this means in practice is that New Jersey health care providers and insurance companies must ensure that any computer, smartphone, tablet, or external storage device that contains any kind of patient information is encrypted by default. As noted above, this includes personal identifying information. So, if you are a doctor who keeps a patient contact list on your smartphone, you need to make sure that phone is encrypted.
This extends to IT vendors as well. Before you enter into an agreement with a vendor, Ojserkis recommends performing security assessments and reference checks. The agreement itself should detail expectations for security and privacy, insurance requirements, “and contain clear language about breach responsibility, financial and otherwise, in the liability and indemnification sections. Most importantly, providers need to ensure that IT vendor agreements contain limitations on use and disclosure of PHI provided to or through them.”
A qualified New Jersey health care attorney can provide you with more specific advice tailored to a health care organization’s needs. “It is better to pay counsel and consultants for prevention than to pay fines or judgements or find that you are in breach of an agreement or not in compliance with your insurance policies or the law,” Ojserkis says. For more information on this area of law, see our overview of health care law.