If you’re a healthcare organization working in New Jersey, you may be wondering whether New Jersey has its own HIPAA state law. While some states have their own privacy laws, some of which impose stricter requirements than HIPAA, New Jersey is not one of those states. Find out more about New Jersey HIPAA laws here.
To meet the requirements of HIPAA regulations, healthcare organizations (healthcare providers, healthcare vendors, and MSPs) must implement a HIPAA compliance program. Federal HIPAA requirements apply at the state level in New Jersey as well.
To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.
To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.
HIPAA imposes employee training requirements that are the same regardless of the state in which the healthcare organization operates. New Jersey HIPAA training must be provided to each employee who has the potential to access PHI. HIPAA training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.
Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers.
Not every vendor can be used while remaining HIPAA compliant. A vendor needs to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. When a vendor doesn’t sign a BAA, it cannot be used for business associate services.
To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.
We can help you meet federal and state HIPAA requirements.
A HIPAA release form in New Jersey is required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization to be obtained from a patient/plan member before that person’s PHI can be shared or used.
A HIPAA authorization to release medical information form in New Jersey is required before:
The law requires that a HIPAA release form in New Jersey contain specific “core elements” to be valid.
These elements include:
New Jersey data breach notification law requires organizations that suffer a breach compromising personal information to report the incident. Entities that are subject to HIPAA and report incidents according to HIPAA standards also meet the requirements of the New Jersey data breach notification law.
The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information.
Incidents that are considered reportable breaches include:
When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.
Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.
Under the New Jersey data breach notification law, the Identity Theft Protection Act, there are additional reporting requirements you must consider. If you store computerized personal information, such as ePHI, you must notify individuals if unauthorized access to unencrypted or unsecured personal information occurs. In addition to notifying the individuals potentially affected by the breach, you must report the incident to the Division of State Police in the Department of Law and Public Safety so that they can conduct an investigation. If the incident affected more than 1,000 individuals, you must also notify all consumer reporting agencies.
What is a New Jersey HIPAA violation? While many HIPAA violations come to light because of breaches, a breach by itself does not establish that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, fail to provide patients timely access to their medical records, lack signed business associate agreements, or fail to report breaches promptly.