CHAPTER 88

An Act concerning the security of certain personal information and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

C.56:8-196  Definitions relative to the security of certain personal information.

     1.    As used in this act:

     “Computer” means an electronic, magnetic, optical, electrochemical or other high speed data processing device or another similar device capable of executing a computer program, including arithmetic, logic, memory, data storage or input-output operations and includes any computer equipment connected to such a device, computer system, or computer network.

     “Computer equipment” means any equipment or device, including all input, output, processing, storage, software, or communications facilities, intended to interface with a computer.

     “Computer network” means the interconnection of communication lines, including microwave or other means of electronic communication, with a computer through remote terminals, or a complex consisting of two or more interconnected computers.

     “Computer program” means a series of instructions or statements executable on a computer, which directs the computer system in a manner to produce a desired result.

     “Computer software” means a set of computer programs, data, procedures, and associated documentation concerning the operation of a computer system.

     “Computer system” means a set of interconnected computer equipment intended to operate as a cohesive system.

     “Computerized record” means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.

     “End user computer system” means any computer system that is designed to allow end users to access computerized information, computer software, computer programs, or computer networks.  End user computer system includes, but is not limited to, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

     “Health benefits plan” means a benefits plan which pays or provides hospital and medical expense benefits for covered services, and is delivered or issued for delivery in this State by or through a carrier.  Health benefits plan includes, but is not limited to, Medicare supplement coverage and risk contracts to the extent not otherwise prohibited by federal law.  For the purposes of this act, health benefits plan shall not include the following plans, policies, or contracts:  accident only, credit, disability, long-term care, TRICARE supplement coverage, coverage arising out of a workers' compensation or similar law, automobile medical payment insurance, personal injury protection insurance issued pursuant to P.L.1972, c.70 (C.39:6A-1 et seq.), or hospital confinement indemnity coverage.

     “Health insurance carrier” means an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.

     “Identifiable health information” means individually identifiable health information as defined in 45 C.F.R. s.160.103.

     “Personal information” means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     “Public network” means a network to which anyone, including the general public, has access and through which a person can connect to other networks or the Internet.

     “Record” means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Record does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

C.56:8-197  Restrictions for health insurance carrier relative to certain computerized records.

     2. a. A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.  Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.

     b.    This section shall only apply to end user computer systems and computerized records transmitted across public networks.

C.56:8-198  Violation, unlawful practice.

     3.    It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to violate the provisions of this act.

     4.    This act shall take effect on the first day of the seventh month next following enactment.

     Approved January 9, 2015.