Any practice (whether medical, dental or orthodontic) that lets patients log on to the practice's website for scheduling, bill payment or other information should note that, as of July 1, 2019, a patient's login credentials (i.e., a username or email address in combination with a password or the answer to a security question) are considered "personal data" under New Jersey law. The new amendment to the definition of "personal data" can be accessed here: Amendment to NJ Personal Data Law
As with other "personal data" of New Jersey residents (such as Social Security numbers, driver's license numbers, or credit card numbers in combination with a security code), any business storing such information has an obligation to inform the affected person when unauthorized access to electronic files containing that information has occurred and would compromise its security, confidentiality or integrity. This obligation to inform also applies where the business reasonably believes that unauthorized access to the information has occurred, even if the access cannot be confirmed.
In the event of an unauthorized disclosure (a "breach of security"), the business must notify the patient "in the most expedient time possible and without unreasonable delay." [N.J.S.A. 56:8-163(12)(a)].
This amendment is a reminder that practices should treat the privacy and security of health information and personal information as a critical component of practice administration. Proper policies and procedures should be in place, staff should be properly trained, and the practice should address the security of its electronic systems and obtain meaningful cybersecurity insurance coverage.
As cybersecurity threats grow, it will become ever more important for practices to properly, thoroughly and actively address the privacy and security of the health and personal data they collect and store. Seek out experienced legal counsel to guide you and your practice through this process, including implementing adequate safeguards and plans to limit the unauthorized disclosure of personal information.