Awareness article
New Jersey Medical Privacy Laws and HIPAA: Full Comparison
A full comparison of New Jersey medical privacy laws and HIPAA — covering the NJ Identity Theft Prevention Act, Genetic Privacy Act (N.J.S.A. 10:5-45), mental health confidentiality (N.J.S.A. 30:4-24.3), and NJ Patient Bill of Rights.
Short answer
New Jersey medical privacy law is stricter than HIPAA in several areas. The NJ Genetic Privacy Act (N.J.S.A. 10:5-45) requires written consent before genetic testing — HIPAA does not. The NJ Identity Theft Prevention Act requires prompt breach notification. N.J.S.A. 30:4-24.3 restricts mental health records disclosure beyond HIPAA defaults. The NJ Patient Bill of Rights adds patient access and dignity protections. Apply the more protective standard.
New Jersey distributes its medical privacy protections across several statutes rather than a single comprehensive law. For your clinic, that means tracking the Genetic Privacy Act, the Identity Theft Prevention Act, mental health records rules, and the Patient Bill of Rights — each independently enforceable, each stricter than HIPAA in its specific area.
This article compares each of New Jersey’s major medical privacy laws against HIPAA, addresses what the differences mean for clinic operations, and closes with action items.
HIPAA: The Federal Baseline
Every New Jersey clinic transmitting health information electronically in standard transactions is a HIPAA covered entity subject to the Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA’s Privacy Rule governs permissible uses and disclosures of PHI. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. See HIPAA administrative safeguards for the full administrative safeguard requirements.
HIPAA’s preemption provision at 45 CFR § 160.203 preserves state laws that are more protective of patient rights. New Jersey has several such laws.
NJ Genetic Privacy Act: N.J.S.A. 10:5-45
HIPAA’s approach to genetic information
HIPAA protects genetic information as a subset of PHI. Under the Privacy Rule, genetic information receives the same protections as other PHI — it cannot be disclosed without patient authorization or a recognized exception. Through the Genetic Information Nondiscrimination Act (GINA), HIPAA-covered health plans are prohibited from using genetic information for underwriting purposes.
HIPAA does not require specific consent before conducting genetic testing that is part of clinical care. A clinical genetic test ordered by a physician for diagnostic purposes does not require separate genetic consent under HIPAA — it falls within the treatment exception. HIPAA does not restrict disclosure of genetic test results to employers for employment purposes in most contexts that arise in a medical practice.
What N.J.S.A. 10:5-45 requires
The New Jersey Genetic Privacy Act is significantly stricter. The Act:
Requires written informed consent before genetic testing. Before any healthcare provider or entity may perform or order genetic testing that would identify genetic information about an individual, the provider must obtain specific written informed consent from the individual. The consent must inform the patient of:
- The purpose of the test and what information it will reveal;
- Who will have access to the test results;
- How the results will be stored and for how long;
- Potential uses and implications of the results;
- The patient’s right to revoke consent.
A general clinical treatment consent or a standard HIPAA authorization is insufficient. A separate, genetic-testing-specific informed consent form is required.
Prohibits disclosure of genetic information to employers. The Act prohibits disclosure of genetic information to an employer without the individual’s written consent. This applies even when the employer is paying for healthcare through a self-funded plan and even where HIPAA’s payment exception would otherwise permit information sharing in the claims context.
Creates civil liability for violations. N.J.S.A. 10:5-45 is part of New Jersey’s Law Against Discrimination framework. Violations create civil liability, and affected individuals may bring claims for damages and attorney’s fees.
Practical implications for New Jersey clinics
New Jersey clinics conducting genetic testing — carrier screenings, pharmacogenomics panels, hereditary cancer gene panels, prenatal genetic testing, and other genetic analyses — must:
- Maintain separate written informed consent forms specifically for genetic testing;
- Ensure those forms meet the N.J.S.A. 10:5-45 content requirements;
- Implement access controls to prevent genetic information from being disclosed through standard authorization forms or insurance claim processing;
- Train staff to identify genetic test information in patient records and apply the enhanced authorization framework.
NJ Identity Theft Prevention Act: N.J.S.A. 56:8-163
HIPAA breach notification
HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals, HHS, and (for large breaches) local media within 60 days of discovering a breach of unsecured PHI. The rule provides detailed guidance on what constitutes a breach, what exceptions apply (e.g., encryption, good faith), and what the notification must contain.
New Jersey’s breach notification framework
N.J.S.A. 56:8-163 requires any business that compiles or maintains computerized records that include personal information to provide notice of a breach of security to affected New Jersey residents in the most expedient time possible following discovery of the breach.
New Jersey’s law does not specify a numeric deadline. The AG’s enforcement practice has established approximately 30 days as the practical standard — the “most expedient time possible” is interpreted to mean swift action, not a leisurely 60-day process.
Personal information under the New Jersey statute means a resident’s first name or initial and last name combined with one or more of the following unencrypted data elements: Social Security number, driver’s license or state ID number, financial account numbers, user name or email address combined with a password or security question, or biometric data. Unlike some state laws, the New Jersey statute does not explicitly list health information as a standalone personal information category.
However, patient records typically include names combined with Social Security numbers and financial data for billing, which clearly meets the statute’s definition. Clinics should treat any breach of patient records that might include name plus identifier as presumptively triggering both HIPAA and New Jersey notification obligations.
AG and State Police notification. For breaches affecting more than 1,000 New Jersey residents, N.J.S.A. 56:8-163 requires notification to the New Jersey Division of State Police and major consumer reporting agencies. This is in addition to HIPAA’s HHS notification for breaches affecting 500 or more individuals.
Comparison summary
| Dimension | HIPAA | N.J.S.A. 56:8-163 |
|---|---|---|
| Deadline | 60 days | Most expedient, ~30 days in practice |
| Large breach AG notification | HHS for 500+ | NJ Division of State Police for 1,000+ |
| Health info as trigger | Yes (PHI) | Indirectly through name + identifier |
| Enforcement | OCR | NJ AG Division of Consumer Affairs |
NJ Mental Health Records: N.J.S.A. 30:4-24.3
HIPAA’s approach to mental health records
HIPAA’s Privacy Rule treats mental health records (other than psychotherapy notes) as PHI subject to the standard treatment/payment/operations exceptions. Psychotherapy notes receive heightened protection under 45 CFR § 164.524(a)(1)(i) — they are excluded from the right of access and require explicit authorization for disclosure. But most mental health treatment records, including diagnostic assessments, progress notes (other than psychotherapy notes), and prescribing records for psychiatric medications, are general PHI subject to the standard HIPAA framework.
What N.J.S.A. 30:4-24.3 requires
N.J.S.A. 30:4-24.3 establishes confidentiality for records of persons who are or have been under the care of any institution or program operated or licensed by the New Jersey Department of Human Services for psychiatric care. These records:
- Are confidential and may not be used in any court proceedings without patient consent except in specific circumstances;
- May be disclosed only with patient written consent or under specific statutory exceptions;
- May not be disclosed to employers, educational institutions, insurance companies, or other third parties without specific written consent.
The exceptions to the consent requirement are narrower than HIPAA’s treatment/payment/operations framework. For example, insurance claims processing for mental health services — clearly within HIPAA’s payment exception — requires specific written consent under the New Jersey statute for records covered by N.J.S.A. 30:4-24.3. A general HIPAA-compliant authorization is not sufficient.
Scope of the statute
The statute applies to records of institutions and programs operated or licensed by the Department of Human Services. For outpatient clinics providing mental health services that are not licensed DHS facilities, the statute may not apply directly — but it informs the broader framework of mental health record confidentiality that New Jersey courts apply.
New Jersey clinics providing outpatient mental health services should consult New Jersey counsel on whether their authorization forms and disclosure procedures satisfy the applicable standards for their facility type.
NJ Patient Bill of Rights: N.J.S.A. 26:2H-12.8
What the Patient Bill of Rights covers
The New Jersey Patient Bill of Rights, codified at N.J.S.A. 26:2H-12.8, applies to healthcare facilities licensed by the New Jersey Department of Health. It establishes comprehensive patient rights that operate alongside HIPAA:
Privacy and confidentiality. Every patient at a licensed facility has the right to privacy in treatment and in handling of medical records. Records may not be disclosed without patient authorization except as required by law or for treatment and payment purposes.
Right of access to records. Patients have the right to access and obtain a copy of their own medical records. Facilities must respond to access requests within a reasonable time and may charge reasonable fees.
Informed consent. Patients have the right to receive information about their condition, proposed treatment, risks, and alternatives — and to give informed consent before treatment proceeds.
Dignity and non-discrimination. Patients have the right to receive respectful care without discrimination based on race, religion, sex, national origin, disability, or source of payment.
Right to know identity of providers. Patients have the right to know the names and roles of personnel involved in their care.
Comparison with HIPAA
HIPAA’s Notice of Privacy Practices (NPP) and access provisions cover some of the same ground as the Patient Bill of Rights. However, the Patient Bill of Rights creates enforceable rights for patients in licensed facilities that go beyond HIPAA’s NPP requirements — including the right to information about their condition and treatment options, which is not a HIPAA right per se.
Licensed New Jersey healthcare facilities must satisfy both the Patient Bill of Rights and HIPAA’s patient rights provisions. In practice, this means:
- The facility’s patient rights documentation must include both the HIPAA Notice of Privacy Practices and the New Jersey Patient Bill of Rights;
- Access request procedures must meet both sets of standards;
- Informed consent procedures must satisfy New Jersey’s requirements as well as HIPAA’s authorization requirements.
Key Differences: New Jersey vs. HIPAA
| Area | HIPAA | New Jersey Law |
|---|---|---|
| Genetic testing consent | Not required | Required (N.J.S.A. 10:5-45) |
| Genetic info to employers | Limited restriction | Prohibited without consent |
| Breach notification deadline | 60 days | ~30 days (AG practice) |
| Mental health records | Standard PHI exceptions | Narrower consent requirements |
| Patient Bill of Rights | NPP + access rights | Additional facility rights |
| Private right of action | None | Genetic Privacy Act creates one |
Action Items for New Jersey Clinics
1. Audit your genetic testing consent procedures. If your clinic conducts any genetic testing, review your informed consent forms against N.J.S.A. 10:5-45 requirements. Create a separate, statute-compliant consent form for genetic testing. Ensure genetic information is isolated in your records system from general records released through standard authorization forms.
2. Calibrate breach response to 30 days. Update your incident response procedure to target notification within 30 days for any breach affecting New Jersey residents. Add a trigger for Division of State Police notification when a breach affects more than 1,000 residents. Use the HIPAA breach notification templates as a starting point.
3. Review mental health records disclosure procedures. Audit your authorization forms and billing workflows for mental health services. Ensure that records covered by N.J.S.A. 30:4-24.3 are subject to specific written consent for disclosures — including insurance claims — rather than the general HIPAA payment exception.
4. Post and implement the NJ Patient Bill of Rights. If your clinic is a licensed New Jersey healthcare facility, verify that you post the Patient Bill of Rights, train staff on patient rights, and implement access request procedures consistent with both the Bill of Rights and HIPAA. Document compliance with both frameworks.
5. Document your risk analysis with New Jersey-specific inputs. Use the HIPAA risk analysis worksheet and add New Jersey-specific risks: genetic information handling, mental health records disclosure, and the distinct enforcement mechanisms of each state law.
PHIGuard supports New Jersey clinics with HIPAA compliance management, policy documentation, vendor BAA tracking, and incident response — with current plan and BAA details published on the pricing page. Visit PHIGuard HIPAA or review pricing.
Sources
- NJ Genetic Privacy Act (N.J.S.A. 10:5-45 et seq.) · New Jersey Legislature
- NJ Identity Theft Prevention Act (N.J.S.A. 56:8-163) · New Jersey Legislature
- NJ Mental Health Records Confidentiality (N.J.S.A. 30:4-24.3) · New Jersey Legislature
- NJ Patient Bill of Rights (N.J.S.A. 26:2H-12.8) · New Jersey Legislature
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR