The proliferation of personal health data – and the possibility that it could fall into the wrong hands – has spurred growing concern among consumers.
And those concerns have prompted New Jersey legislators to propose requiring health insurers to encrypt personal health data on all of their computers.
The bill, A-3322/S-562, comes nearly a year after two laptops with unencrypted information were stolen from Horizon Blue Cross Blue Shield of New Jersey’s Newark headquarters.
The laptops had data for 839,711 members, including Social Security numbers and limited clinical data for some members. Horizon executives said there was no indication that any identity theft resulted from the November 2013 incident and offered those who were affected one year of free identity-theft monitoring.
Assemblyman Carmelo G. Garcia (D-Hudson) said the national proliferation of identity theft “strikes at the heart of every person’s humanity” and makes encryption a necessity.
“I believe wholeheartedly that health insurance carriers need to protect the privacy of that patient and consumer,” he said.
Garcia said the bill’s language, which requires either encryption or use of any other method or technology that would make personal health data unreadable, is open-ended enough to address future changes in technology.
The lack of encryption in the Horizon case violated a company policy that any member information on company computers be encrypted. A similar incident occurred in 2008, when another non-encrypted laptop containing personal information from 300,000 members was stolen from a Horizon employee. The company said after that incident that additional steps had been taken to secure member information on computers.
Rules enforcing the federal law that guarantees patient privacy – the Health Insurance Portability and Accountability Act of 1996 – require various technological and organizational safeguards to ensure privacy. While these rules call for encryption where it’s “reasonable and appropriate,” they don’t have an absolute requirement of encryption.
Insurance industry advocates have said that having each state set separate encryption rules would be costly. However, the New Jersey Association of Health Plans didn’t take a position on the proposed bill and Association President Wardell Sanders said that an amendment to the bill last spring appropriately limited the bill’s scope. That change clarified that the bill applies to end-user computer systems and information transmitted across public networks.
Association Vice President Sarah M. Adelman said earlier this year that protecting personal information is a “critical priority” for insurers and that they spend time and money investing in technology. She said the techniques insurers use to protect data include encryption; password protection; locking out computer users who enter incorrect passwords; automatically logging off unused computers, and building virtual private networks.
Primary bill sponsor Assemblyman Gary S. Schaer (D-Bergen and Passaic) said the encryption mandate is reasonable.
“We’ve seen far too many examples of personal information being stolen from retailers and other invasions of privacy, so some common sense is needed when it comes to securing health information, which is for many people as personal as it gets,” Schaer said in a statement.
Under the bill, protecting a computer with a password isn’t enough, since it doesn’t permit someone who bypasses the password from reading the data. The personal information protected by the bill includes an insured person’s name and address; Social Security number; driver’s license or state identification card numbers; or identifiable health information.
Any violation would count as a breach of the state’s consumer fraud law and would be punishable by a fine of up to $10,000 for the first offense and as much as $20,000 for subsequent offenses.
The bill, which drew support from groups representing doctors, has been approved by the state Senate on a 37-0 vote and was released yesterday by the Assembly Financial Institutions and Insurance Committee, setting the stage for a vote by the full Assembly.