Since federal privacy laws went into effect in 1996 and 2003, New Jersey has followed and sometimes even surpassed national standards for protecting individual health information. Statutes, judge-made law and decisions by executive agencies have gradually interpreted the broad mandates of the Health Insurance Portability and Accountability Act (HIPAA) that apply to the state’s “covered entities,” defined in the act as any public or private entity that maintains and distributes health information electronically. These interpretations have provided the legal foundation for New Jersey’s covered entities to comply with HIPAA and state privacy laws.
Notices of Privacy Practices
New Jersey requires covered entities to prepare written notices confirming they are committed to protecting patient information and explaining their procedures for doing so. Often the notices are posted in offices in plain view of patients and on the Internet. Notices by local health departments specify which disclosures of information require patient authorization and which do not. Website postings by major insurers reassure consumers that information they gather comes only from trusted sources and that patients can place restrictions on its use.
Though its HIPAA regulations do not exist in one sweeping law, New Jersey has addressed these regulations in separate statutes. Those statutes group privacy laws according to the type of facility, provider, information and government program. For example, facility-specific codes restrict an acute-care hospital’s disclosure of information and require ambulatory care centers to find ways to prevent medical data from getting lost. Provider-specific codes permit doctors, under special circumstances, to disclose confidential information even without a patient’s approval.
Once the federal law went into effect, New Jersey warned health-care providers that it would strictly enforce HIPAA privacy regulations. State courts and executive agencies have sometimes adopted more stringent standards than the national government suggests. For example, New Jersey enforces stricter limits on a grand jury’s right to access an accused individual’s records without his consent. Also, appellate judges have expanded a hospital’s right to sue third parties who use illegal means to secure patient data.
New Jersey’s covered entities use authorization forms permitting them access to patient health information. By signing the forms, an individual gives her consent for a health insurer, state agency, lawyer or health-care provider to use and disclose confidential data under restricted conditions. The forms often specify which documents constitute protected health information (PHI). Some allow the signer to revoke authorization. Any covered entity that uses and discloses confidential health information without an executed authorization can be found in violation of HIPAA and New Jersey privacy laws.
In addition to state agencies that enforce HIPAA, covered entities designate privacy officers with oversight authority in their respective businesses. In general, these individuals develop privacy practices, respond to complaints about suspected violations and take remedial action when necessary. Notices of privacy practices often provide contact information for the facility’s privacy officer.