New Jersey PIPA, IT, and Healthcare: The Impact in Healthcare
The New Jersey Personal Information and Privacy Protection Act was signed into law on July 21, 2017, and it went into effect on November 1, 2017.
Personal Information Protection Act
Under PIPA, security and data breach requirements are enacted on all businesses and organizations, including those in healthcare that are responsible for maintaining personal information about New Jersey residents. PIPA places restrictions on the way businesses and organizations are able to collect and use electronic personal information that is stored in identification cards. PIPA was created to address previous concerns about how the information was being used.
There is often confusion surrounding PIPA for a variety of reasons, but one of the main areas of confusion arises when PIPA and HIPAA are discussed. Many health care organizations believe that all or some of the requirements under PIPA do not apply to their organization. It is important for healthcare organizations to understand all laws regarding healthcare organizations. Organizations that have a clear understanding of these laws will be able to take action to ensure they are abiding by the requirements.
PIPA is a balancing act. On one side, an individual has the right to control access and the use of personal information. On the other side is the healthcare organization that needs to collect and use personal information for legitimate purposes. Businesses and organizations serving New Jersey residents should always be aware of privacy and protection laws and take the necessary action to achieve compliance.
What is Personal Information?
Personal information ”is defined as “an individual’s first name or first initial and last name linked with any one or more of the following data elements”
- Social Security numbers, driver’s license numbers, or state identification card number
- Account numbers and credit/debit card numbers
If a healthcare organization is already complying with data protection laws or consumer privacy laws, New Jersey authorities may consider your organization to comply with PIPA. The chances are high that many New Jersey healthcare organizations are already complying with New Jersey’s data privacy laws. Complying with PIPA will generally consist of healthcare organizations implementing the proper level of security to ensure everyone’s personal information is protected. This will require a healthcare organization to take the proper actions to ensure unauthorized access to personal information is prevented.
Your Health Care Organization and PIPA
Healthcare organizations should plan and adopt proper measures to meet the requirements that have been established under PIPA. Healthcare organizations should only use personal information if the right conditions have been fulfilled conditions are fulfilled, such as the following:
- The individuals have given consent
- The use of personal information is necessary
- The personal information must be used lawfully and fairly
Healthcare organizations must also comply with other obligations, such as ensuring the proper safeguards are implemented to protect information against risks and vulnerabilities and that individuals are given a privacy notice outlining the organization’s policies on personal information.
PIPA, IT Security, and the Health Care System
PIPA compliance and IT will always be connected. With the right level of security protection in place, your healthcare organization can prevent a small or large data breach. How can you stay protected?
Privacy and security in the health care system must balance a variety of factors, such as the following:
- Access and share information that is needed to provide a better quality of care
- Implement the appropriate measures that will effectively protect personal information
Effectively balancing these benefits present a variety of challenges that can be met, but through a variety of measures, including(but not limited to) the following:
- Employee training
- Implementing better security policies
- Utilizing confidentiality agreements
- Data encryption
- Multi-Factor Authentication
Implementing these measures, and more will allow healthcare organizations to establish a foundation that maintains public trust and confidence in the privacy and security of personal health information. Properly securing personal health information is not an easy task, especially given the context of regulations and requirements of the following:
- Privacy legislation
- Information technologies
- Information sharing
- Communication and collaboration
- Arrangements with service providers
However, none of the above factors will change the responsibilities of healthcare organizations. Healthcare organizations will still be required to adequately protect personal information. These measures also do not eliminate any vulnerabilities or risks that may exist when personal health information must be accessed or stored.
Strong and effective IT infrastructure and management for healthcare organizations are crucial to running a smooth organization. High-quality IT services allow a healthcare organization to run efficiently and effectively, while also creating a positive patient experience. When working with multiple devices across multiple networks, healthcare organizations will need to partner with a company that understands what it takes to fully comply with PIPA.
One of the biggest challenges healthcare organizations face is effectively monitoring PIPA regulations, among others. How will you know if your healthcare organization is following PIPA compliance as it relates to cyberattacks and data breaches?
A data breach is defined as the ”unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.” A breach ”does not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector”.
One main area of concern for healthcare organizations is how personal information can be processed when there is no consent. Under PIPA, two types of consent are recognized: informed and implied. Individuals also have the right to opt-out of consent. What will this mean for New Jersey healthcare organizations?
If you are not fully aware of PIPA and you have not completed an overview of your resources and systems, individuals could have opted out of consent and you could be collecting data without knowing. If you are collecting data that has not been consented to, that collected data could be placed at risk if you are not complying with the regulations.
Complying with PIPA regulations is possible when you have the right services and solutions. Mathe provides cloud-based technologies through IT Fortress to ensure that NJ Healthcare organizations meet and exceed PIPA requirements.
For more information on our services and technologies, please do not hesitate to schedule your free consultation with us.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice. I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.