ASSEMBLY, No. 3322

STATE OF NEW JERSEY

216th LEGISLATURE

INTRODUCED JUNE 5, 2014

Sponsored by:

Assemblyman  GARY S. SCHAER

District 36 (Bergen and Passaic)

Assemblyman  CARMELO G. GARCIA

District 33 (Hudson)

SYNOPSIS

     Requires health insurance carriers to encrypt certain information.

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning the security of certain personal information and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    As used in this act:

     "Computer" means an electronic, magnetic, optical, electrochemical or other high speed data processing device or another similar device capable of executing a computer program, including arithmetic, logic, memory, data storage or input-output operations and includes any computer equipment connected to such a device, computer system, or computer network.

     "Computer equipment" means any equipment or device, including all input, output, processing, storage, software, or communications facilities, intended to interface with a computer.

     "Computer network" means the interconnection of communication lines, including microwave or other means of electronic communication, with a computer through remote terminals, or a complex consisting of two or more interconnected computers.

     "Computer program" means a series of instructions or statements executable on a computer, which directs the computer system in a manner to produce a desired result.

     "Computer software" means a set of computer programs, data, procedures, and associated documentation concerning the operation of a computer system.

     "Computer system" means a set of interconnected computer equipment intended to operate as a cohesive system.

     "Computerized record" means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.

     "End user computer system" means any computer system that is designed to allow end users to access computerized information, computer software, computer programs, or computer networks.  End user computer system includes, but is not limited to, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

     "Health benefits plan" means a benefits plan which pays or provides hospital and medical expense benefits for covered services, and is delivered or issued for delivery in this State by or through a carrier.  Health benefits plan includes, but is not limited to, Medicare supplement coverage and risk contracts to the extent not otherwise prohibited by federal law.  For the purposes of this act, health benefits plan shall not include the following plans, policies, or contracts:  accident only, credit, disability, long-term care, TRICARE supplement coverage, coverage arising out of a workers' compensation or similar law, automobile medical payment insurance, personal injury protection insurance issued pursuant to P.L.1972, c.70 (C.39:6A-1 et seq.), or hospital confinement indemnity coverage.

     "Health insurance carrier" means an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.

     "Identifiable health information" means individually identifiable health information as defined in 45 C.F.R. s.160.103.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     "Public network" means a network to which anyone, including the general public, has access and through which a person can connect to other networks or the Internet.

     "Record" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Record does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

     2.    a.  A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.    Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.

     b.    This section shall only apply to end user computer systems and computerized records transmitted across public networks.

     3.    It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to violate the provisions of this act.

     4.    This act shall take effect on the first day of the seventh month next following enactment.

STATEMENT

     This bill requires health insurance carriers when compiling or maintaining computerized records that include personal information, to secure the information by encryption or by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.  This requirement only applies to end user computer systems and computerized records transmitted across public networks.  Compliance with this requirement shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection program. 

     As defined in the bill, "personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.

     It is an unlawful practice and a violation of the consumer fraud law (C.56:8-1 et seq.) for a health insurance carrier to violate the provisions of this bill.  Such violation is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for a second or any subsequent offense.  In addition, a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.