What Medical Providers Should Know About Medical Records Breaches And NJAAA
Over 5 million data records are lost or stolen every day. Hackers are indiscriminate, targeting financial institutions, credit reporting agencies, law firms, and, of course, healthcare providers. In New Jersey, when a healthcare provider has its medical records stolen, the consequences extend beyond the familiar terrain of self-reporting; fines from federal and state agencies; and invasion of privacy lawsuits. New Jersey provides a statutory cause of action under the New Jersey AIDS Assistance Act (NJAAA), N.J.S.A. 26:5C-1 et seq.
The NJAAA was enacted in 1984 and arose from the New Jersey Legislature’s declaration that “it is imperative” to create and implement programs “for diagnosing and treating persons who have been exposed to AIDS, referring AIDS victims and their families to sources of treatment and counseling, and providing an educational program to health care professionals to heighten their awareness of the latest diagnostic procedures and treatment.” N.J.S.A. § 26:5C-2. Aware that the effective diagnosis and treatment of AIDS demands confidentiality, the NJAAA contains strict confidentiality provisions, backed by a robust enforcement mechanism.
The NJAA protects from unauthorized disclosure any record “which contains identifying information about a person who has or is suspected of having AIDS or HIV infection.” N.J.S.A. § 26:5C-7. Such AIDS-related protected health information (“A-PHI”) must be confidentially maintained. Id. What constitutes a person “suspected of” having AIDS is undefined. Arguably, a generic questionnaire asking the patient to check off a box if he has AIDS or an HIV infection would trigger confidentiality obligations under the NJAAA.
The Act does not only apply to health care providers who maintain A-PHI, but also the New Jersey Department of Health; local health departments; laboratories; blood banks; third-party payors and, if that enumerated list isn’t exhaustive enough to capture the universe of A-PHI record keepers, the Act has a catch-all: “any other institution or person” who maintains A-PHI. Id. In addition, where A-PHI is lawfully disclosed to a third-party, that third-party becomes subject to the NJAAA. N.J.S.A. § 26:5C-11.
Private Right of Action for Violations
Unlike the Health Insurance Portability and Accountability Act, the NJAAA permits a private cause of action by any person aggrieved by the wrongful disclosure of A-PHI. Recovery may include “actual damages, equitable relief and reasonable attorney’s fees and court costs.” N.J.S.A. § 26:5C-14. In addition, “[p]unitive damages may be awarded when the violation evidences wantonly reckless or intentionally malicious conduct by the person or institution who committed the violation.” Id. Each disclosure is a separate and actionable offense.
While the Legislature did not include in the law a statute of limitations, a recent Appellate Division decision held that the two-year limitations period for personal injury actions applies. Smith v. Datla, 164 A.3d 1110 (App. Div. 2017). Keep in mind, however, that each disclosure is a separate and actionable offense. N.J.S.A. § 26:5C-14. Because hackers generally extract data over a period of time (sometimes over weeks or even months), identifying the date the plaintiff’s records were stolen may be critical in NJAAA litigation.
Why NJAAA Litigation May Explode in Coming Years
Despite being enacted over 30 years ago, there are few reported cases concerning the NJAAA. These cases generally involve a single patient bringing an NJAAA claim against a healthcare provider. Doe v. Div. of Youth & Family Servs., 148 F. Supp. 2d 462 (D.N.J. 2001)(plaintiff alleged hospital and doctors tested her blood for HIV without her consent and then disclosed the results to the Dep’t of Health and her family); C.W. v. Cooper Health Sys., 388 N.J. Super. 42 (App. Div. 2006)(where healthcare provider failed to notify patient of the results of his positive HIV test, court held provider was liable to patient’s sexual partner and their child who contracted the virus from the patient); Smith, 164 A.3d 1110 (finding NJAAA violation where doctor told plaintiff of his HIV status in the presence of a third-party).
Going forward, healthcare providers should expect that NJAAA litigation will involve thousands of plaintiffs, and be brought as a class action or be consolidated into a multicounty litigation. That is because today’s breaches are not merely confined to a doctor or nurse with loose lips or a penchant for leaving patient charts in publicly-accessible areas. Rather, today’s breaches involve the large-scale theft of electronic medical records, thereby impacting tens of thousands of patients. And because the NJAAA covers not only those with AIDS/HIV but also those “suspected of” having the virus—whatever that means—arguably every patient whose records were stolen could bring a NJAAA claim. Add up the actual damages, punitive damages (at least for those providers with primitive cyber security), and attorney fees (which are not available under common law theories, such as negligence and invasion of privacy), and the financial devastation becomes obvious. But even more importantly, healthcare providers face a steep climb in trying to regain the trust of their patients when it comes to their most sensitive health information.
The NJAAA seeks to create a safe, private environment in which patients and their healthcare providers can discuss the diagnosis and treatment of the AIDS virus. The burden for creating this environment falls upon the healthcare provider. In the digital era, that burden is heavier than ever and the consequences of failing are catastrophic for the healthcare provider and patient. To mitigate the consequences, healthcare providers should adopt and implement effective cybersecurity programs, as well as ensure that their insurance policies provide coverage for electronic data breaches.
Do you have any questions? Would you like to discuss the matter further? If so, please contact me, Roshan Shah, at 201-806-3364.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
What New Jersey Medical Providers Should Know About NJAAA
Author: Scarinci Hollenbeck, LLC
What Medical Providers Should Know About Medical Records Breaches And NJAAA
Over 5 million data records are lost or stolen every day. Hackers are indiscriminate, targeting financial institutions, credit reporting agencies, law firms, and, of course, healthcare providers. In New Jersey, when a healthcare provider has its medical records stolen, the consequences extend beyond the familiar terrain of self-reporting; fines from federal and state agencies; and invasion of privacy lawsuits. New Jersey provides a statutory cause of action under the New Jersey AIDS Assistance Act (NJAAA), N.J.S.A. 26:5C-1 et seq.
The NJAAA was enacted in 1984 and arose from the New Jersey Legislature’s declaration that “it is imperative” to create and implement programs “for diagnosing and treating persons who have been exposed to AIDS, referring AIDS victims and their families to sources of treatment and counseling, and providing an educational program to health care professionals to heighten their awareness of the latest diagnostic procedures and treatment.” N.J.S.A. § 26:5C-2. Aware that the effective diagnosis and treatment of AIDS demands confidentiality, the NJAAA contains strict confidentiality provisions, backed by a robust enforcement mechanism.
The NJAA protects from unauthorized disclosure any record “which contains identifying information about a person who has or is suspected of having AIDS or HIV infection.” N.J.S.A. § 26:5C-7. Such AIDS-related protected health information (“A-PHI”) must be confidentially maintained. Id. What constitutes a person “suspected of” having AIDS is undefined. Arguably, a generic questionnaire asking the patient to check off a box if he has AIDS or an HIV infection would trigger confidentiality obligations under the NJAAA.
The Act does not only apply to health care providers who maintain A-PHI, but also the New Jersey Department of Health; local health departments; laboratories; blood banks; third-party payors and, if that enumerated list isn’t exhaustive enough to capture the universe of A-PHI record keepers, the Act has a catch-all: “any other institution or person” who maintains A-PHI. Id. In addition, where A-PHI is lawfully disclosed to a third-party, that third-party becomes subject to the NJAAA. N.J.S.A. § 26:5C-11.
Private Right of Action for Violations
Unlike the Health Insurance Portability and Accountability Act, the NJAAA permits a private cause of action by any person aggrieved by the wrongful disclosure of A-PHI. Recovery may include “actual damages, equitable relief and reasonable attorney’s fees and court costs.” N.J.S.A. § 26:5C-14. In addition, “[p]unitive damages may be awarded when the violation evidences wantonly reckless or intentionally malicious conduct by the person or institution who committed the violation.” Id. Each disclosure is a separate and actionable offense.
While the Legislature did not include in the law a statute of limitations, a recent Appellate Division decision held that the two-year limitations period for personal injury actions applies. Smith v. Datla, 164 A.3d 1110 (App. Div. 2017). Keep in mind, however, that each disclosure is a separate and actionable offense. N.J.S.A. § 26:5C-14. Because hackers generally extract data over a period of time (sometimes over weeks or even months), identifying the date the plaintiff’s records were stolen may be critical in NJAAA litigation.
Why NJAAA Litigation May Explode in Coming Years
Despite being enacted over 30 years ago, there are few reported cases concerning the NJAAA. These cases generally involve a single patient bringing an NJAAA claim against a healthcare provider. Doe v. Div. of Youth & Family Servs., 148 F. Supp. 2d 462 (D.N.J. 2001)(plaintiff alleged hospital and doctors tested her blood for HIV without her consent and then disclosed the results to the Dep’t of Health and her family); C.W. v. Cooper Health Sys., 388 N.J. Super. 42 (App. Div. 2006)(where healthcare provider failed to notify patient of the results of his positive HIV test, court held provider was liable to patient’s sexual partner and their child who contracted the virus from the patient); Smith, 164 A.3d 1110 (finding NJAAA violation where doctor told plaintiff of his HIV status in the presence of a third-party).
Going forward, healthcare providers should expect that NJAAA litigation will involve thousands of plaintiffs, and be brought as a class action or be consolidated into a multicounty litigation. That is because today’s breaches are not merely confined to a doctor or nurse with loose lips or a penchant for leaving patient charts in publicly-accessible areas. Rather, today’s breaches involve the large-scale theft of electronic medical records, thereby impacting tens of thousands of patients. And because the NJAAA covers not only those with AIDS/HIV but also those “suspected of” having the virus—whatever that means—arguably every patient whose records were stolen could bring a NJAAA claim. Add up the actual damages, punitive damages (at least for those providers with primitive cyber security), and attorney fees (which are not available under common law theories, such as negligence and invasion of privacy), and the financial devastation becomes obvious. But even more importantly, healthcare providers face a steep climb in trying to regain the trust of their patients when it comes to their most sensitive health information.
The NJAAA seeks to create a safe, private environment in which patients and their healthcare providers can discuss the diagnosis and treatment of the AIDS virus. The burden for creating this environment falls upon the healthcare provider. In the digital era, that burden is heavier than ever and the consequences of failing are catastrophic for the healthcare provider and patient. To mitigate the consequences, healthcare providers should adopt and implement effective cybersecurity programs, as well as ensure that their insurance policies provide coverage for electronic data breaches.
Do you have any questions? Would you like to discuss the matter further? If so, please contact me, Roshan Shah, at 201-806-3364.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
