HIPAA Compliance in New Jersey: Federal HIPAA + NJ Privacy Laws
New Jersey healthcare providers must comply with federal HIPAA rules alongside the NJ Identity Theft Prevention Act (N.J.S.A. §56:8-161) and, as of January 2025, the New Jersey Data Privacy Act (NJDPA). OCR has reached settlements with New Jersey healthcare providers, including Virtua Medical Group ($418,000 in 2018) for misconfigured servers exposing PHI. New Jersey's Division of Consumer Affairs, within the AG's office, actively investigates healthcare data breaches affecting New Jersey residents.
Enforcement: NJ AG enforces the Identity Theft Prevention Act and NJDPA; the Division of Consumer Affairs investigates breach complaints; NJ DOH oversees healthcare facility licensing.
State Penalties: NJ Identity Theft Prevention Act: up to $10,000 first violation, $20,000 per subsequent violation. AG can seek injunctive relief. Private right of action under NJ Consumer Fraud Act.
Federal Penalties: $145–$2,190,294 per violation category per year under HIPAA (2026 adjusted)
How Federal + New Jersey Law Overlap
HIPAA governs PHI as the primary federal framework. New Jersey's Identity Theft Prevention Act and the new NJDPA supplement HIPAA with broader personal information protections. The NJDPA (effective January 2025) applies to commercial entities processing NJ resident data, including healthcare providers for non-PHI personal data.
Additional New Jersey Requirements Beyond Federal Law
- NJ Identity Theft Prevention Act requires breach notification 'in the most expedient time possible without unreasonable delay'
- NJ AG must be notified of all breaches affecting New Jersey residents (no minimum threshold)
- New Jersey Data Privacy Act (NJDPA, effective January 15, 2025) covers personal data of NJ residents broadly
- NJ Mental Health Consumer Confidentiality Act (N.J.S.A. §30:4-24.3) imposes strict protections for psychiatric treatment records
- NJ law requires healthcare providers to honor patient record access requests within 30 days
- NJ Civil Penalty: up to $10,000 per violation of Identity Theft Prevention Act; subsequent violations up to $20,000 per violation
Key Compliance Requirements for New Jersey
- Notify NJ AG of all breaches affecting NJ residents — no minimum threshold, unlike many other states
- Notify affected residents promptly per the NJ Identity Theft Prevention Act
- Apply NJ Mental Health Consumer Confidentiality Act protections for psychiatric records
- Review server configurations and FTP access — the Virtua Medical settlement highlights misconfiguration risks
- Comply with NJ Data Privacy Act (NJDPA, January 2025) for non-PHI personal data of NJ residents
- Conduct annual risk analysis covering all electronic PHI systems
Common Violations in New Jersey
- Misconfigured servers with public access to PHI — the Virtua Medical case is New Jersey's defining OCR enforcement example
- Failure to notify the NJ AG of all breaches (many organizations mistakenly apply state minimum thresholds that don't exist in NJ)
- Psychiatric record disclosures without NJ Mental Health Consumer Confidentiality Act compliance
- Tracking pixel technology on NJ patient portals sharing PHI with ad networks
- Delayed breach discovery from inadequate audit logging and monitoring
Frequently Asked Questions
What was the Virtua Medical Group HIPAA settlement?
In 2018, OCR settled with Virtua Medical Group in New Jersey for $418,000. The case involved a misconfigured FTP server that allowed unauthenticated public access to PHI of 1,654 patients, including medical records and test results. OCR found Virtua failed to conduct a thorough risk analysis and implement adequate technical safeguards. The case illustrates the risk of misconfigured servers in medical practices.
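The Virtua case turned on an FTP service that accepted unauthenticated clients. The check below is an added example, not code from the page or from any of the organizations it names: it audits a vsftpd-style configuration file for the settings that would let an anonymous client read (or write) a share, for transport encryption, and for transfer logging, which is what makes a later breach discoverable. The page names no FTP software, so the vsftpd directive names and their stock defaults are an assumption, and both configuration files are constructed for the example.

```python
"""Audit a vsftpd-style configuration for settings that expose files to
unauthenticated clients.  Added example; vsftpd directives and defaults
are an assumption (the page does not identify the FTP software)."""

# Stock vsftpd defaults as an assumption (distribution packages may ship
# different values).  Note that stock vsftpd enables anonymous login.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "write_enable": "NO",
    "ssl_enable": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "chroot_local_user": "NO",
    "xferlog_enable": "NO",
}

# Constructed: a results-drop server left close to stock defaults.
WEAK_CONF = """
# results server, set up in a hurry
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/results
local_enable=YES
write_enable=YES
"""

# Constructed: the same server with anonymous access off, TLS enforced,
# local users confined to their home directory, and transfers logged.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
xferlog_enable=YES
"""


def _normalize(value):
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0 case-insensitively."""
    upper = value.upper()
    if upper in ("YES", "TRUE", "1"):
        return "YES"
    if upper in ("NO", "FALSE", "0"):
        return "NO"
    return value  # non-boolean directive, e.g. a path


def parse_vsftpd_conf(text):
    """Parse key=value lines over the defaults; '#' comments and blank lines are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = _normalize(value.strip())
    return settings


def audit_ftp_config(text):
    """Return a list of findings; an empty list means no flagged setting."""
    s = parse_vsftpd_conf(text)
    findings = []
    if s["anonymous_enable"] == "YES":
        findings.append("anonymous login enabled: any client can read the anonymous root")
        if s["anon_upload_enable"] == "YES" or s["anon_mkdir_write_enable"] == "YES":
            findings.append("anonymous users may upload files or create directories")
        if s["anon_world_readable_only"] == "NO":
            findings.append("anonymous users may download files that are not world-readable")
    if s["ssl_enable"] == "NO":
        findings.append("TLS disabled: logins and file contents cross the network in clear text")
    elif s["force_local_logins_ssl"] == "NO" or s["force_local_data_ssl"] == "NO":
        findings.append("TLS optional: clients may fall back to plaintext logins or transfers")
    if s["chroot_local_user"] == "NO":
        findings.append("local users are not confined to their home directory")
    if s["xferlog_enable"] == "NO":
        findings.append("transfer logging disabled: breach discovery would rely on other sources")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ftp_config(conf) or ['no findings']}")
```

Run against the constructed weak file the audit reports anonymous login, clear-text transport, unconfined local users and missing transfer logs; the hardened file produces no findings. A real audit would pair this with a check that the anonymous root (if any) contains no PHI, since the directive only tells you who can read the share, not what is in it.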
Does New Jersey require notifying the AG for all data breaches?
Yes. Unlike many states that set a minimum threshold (e.g., 1,000 residents), New Jersey's Identity Theft Prevention Act requires the AG to be notified for all breaches affecting New Jersey residents, with no minimum number. This is one of the broadest AG notification requirements in the country. The AG can investigate any breach regardless of scale.
What is the New Jersey Data Privacy Act?
The New Jersey Data Privacy Act (NJDPA), effective January 15, 2025, is New Jersey's comprehensive consumer privacy law. It applies to commercial entities processing personal data of 100,000+ NJ consumers annually (or 25,000+ if selling data). Healthcare providers must comply with NJDPA for non-PHI personal data while simultaneously complying with HIPAA for PHI.
Are mental health records treated differently in New Jersey?
Yes. The NJ Mental Health Consumer Confidentiality Act (N.J.S.A. §30:4-24.3) imposes strict confidentiality requirements for psychiatric and mental health treatment records beyond HIPAA. Written patient consent is required for most disclosures. Mental health providers in New Jersey must apply the stricter state standard and cannot rely solely on HIPAA exceptions.
Who enforces HIPAA in New Jersey?
OCR enforces federal HIPAA. The NJ AG's Division of Consumer Affairs enforces the Identity Theft Prevention Act and the new NJDPA. The NJ Department of Health oversees healthcare facility licensing. New Jersey is unique in that AG notification is required for all breaches with no minimum threshold — creating broad investigative authority over any NJ healthcare data incident.