Are HIPAA Covered Entities Exempt Under the New Jersey Data Privacy Act?

Kevin Henry

Data Privacy

January 15, 2025

6 minutes read
Short answer: no—HIPAA covered entities are not categorically exempt from the New Jersey Data Privacy Act (NJDPA). The statute creates a data-level carve‑out for Protected Health Information (PHI) collected by a covered entity or business associate under HIPAA, but it does not provide a blanket, entity‑level exemption. Non‑PHI personal data remains in scope if your organization meets the NJDPA’s thresholds. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))

Overview of New Jersey Data Privacy Act

The NJDPA took effect on January 15, 2025. It applies to controllers that conduct business in New Jersey or target New Jersey residents and, in a calendar year, either: (1) control or process personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or (2) control or process personal data of at least 25,000 consumers and derive revenue or receive a discount from the sale of personal data. A “consumer” is a New Jersey resident acting in an individual or household context (not in an employment or commercial context). ([goodwinlaw.com](https://www.goodwinlaw.com/en/insights/blogs/2024/01/new-jersey-privacy-law-helps-expand-us-consumer-privacy-system?utm_source=openai))

Consumers have defined Data Subject Rights: to confirm processing and access their data, correct inaccuracies, delete personal data, obtain portability, and opt out of targeted advertising, sale of personal data, and certain profiling. Controllers must respond to verified requests within 45 days (with a possible 45‑day extension when reasonably necessary). ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-10/?utm_source=openai))

The law requires opt‑in consent to process “sensitive data,” and it places additional restrictions on processing for teens ages 13–16 (consent needed for targeted ads, sale, and certain profiling when the controller has actual knowledge or willfully disregards the age). Sensitive data includes financial account access credentials, precise geolocation, genetic/biometric identifiers, health data, sexual orientation, citizenship/immigration status, and status as transgender or non‑binary. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-12/?utm_source=openai))

HIPAA Covered Entities and PHI Exemptions

The NJDPA expressly exempts PHI that is collected by a HIPAA “covered entity” or “business associate” and subject to HIPAA’s privacy, security, and breach notification rules. This is a data‑level exemption: it applies to PHI itself—not to all data handled by a covered entity. In practice, HIPAA continues to govern PHI, while the NJDPA can apply to other personal data your organization processes. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))

Note that the NJDPA’s definition of “consumer” excludes people acting in an employment or commercial context, so employee and B2B‑context data generally fall outside the Act’s scope regardless of HIPAA status. Publicly available and de‑identified data are also outside the definition of “personal data.” ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-4/))

Scope of Exemption for Business Associates

Business associates are not fully exempt. Like covered entities, they benefit from the PHI‑only carve‑out; personal data that is not PHI (for example, website analytics, event registrations, or marketing leads tied to New Jersey consumers) may still trigger NJDPA obligations if thresholds are met. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))

A Business Associate Agreement governs PHI under HIPAA, but it does not replace NJDPA requirements for non‑PHI. Where you process non‑PHI on behalf of a controller, you will need NJDPA‑compliant processor terms (e.g., instructions, confidentiality, security, audit rights, and deletion/return on termination). ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-16/?utm_source=openai))

Compliance Obligations Beyond PHI

  • Update privacy notices and disclosures so consumers can understand categories of personal data processed, purposes, third‑party disclosures, opt‑out options, and how you will notify them of material notice changes. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/PL23/266_.HTM?utm_source=openai))
  • Stand up a rights‑request workflow (intake, verification, routing, logging) that can meet the 45‑day response clock and supports appeals and authorized agents where required. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-7/?utm_source=openai))
  • Gate “sensitive data” behind explicit, opt‑in consent; obtain teen (13–16) consent before targeted ads, sale, or qualifying profiling; and process known children’s data consistent with COPPA. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-12/?utm_source=openai))
  • Conduct data protection assessments before high‑risk processing, including targeted advertising, selling personal data, processing sensitive data, or certain profiling. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/PL23/266_.HTM?utm_source=openai))
  • Harden security by implementing reasonable administrative, technical, and physical measures appropriate to your data and risks. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-12/?utm_source=openai))
  • Paper the controller‑processor relationship with required NJDPA contract clauses (instructions, duration, data types, confidentiality, sub‑processing flow‑downs, deletion/return, information for compliance, and audits). ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-16/?utm_source=openai))

Data Categories Subject to NJDPA

“Personal data” covers any information linked or reasonably linkable to an identified or identifiable person; it excludes de‑identified and publicly available information. Examples include identifiers and contact details, online/device IDs, IP addresses, precise geolocation, and inferences—when they are linkable to a person. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-4/))

“Sensitive data” (consent required) includes: racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; citizenship or immigration status; status as transgender or non‑binary; genetic or biometric data used for unique identification; personal data of a known child; precise geolocation; and financial information such as account and login credentials. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-4/))

Personal Data Exemptions include PHI under HIPAA, financial institutions/data subject to GLBA, certain insurance entities, FCRA‑governed consumer reporting data, DPPA‑permitted motor vehicle data sales, and research‑related data, among others specified in the statute. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/PL23/266_.HTM?utm_source=openai))

Impact of NJDPA on Healthcare Providers

For hospitals, health plans, physician groups, and digital health companies, NJDPA compliance hinges on cleanly separating PHI from other personal data. Build inventories that label data elements as PHI vs. non‑PHI and map processing purposes, so you can route each through the correct compliance regime. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))
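As an added example (not code from this article or from Accountable) of the PHI vs. non‑PHI routing just described, the snippet below encodes the scope rules stated in this article, the applicability thresholds, and the 45‑day response clock in Python. The `DataElement` fields, the sample inventory, and the threshold counts are constructed for illustration; the routing covers only the rules this article states, so a real data map would add the finer distinctions (for example, the other statutory exemptions listed later in the article).

```python
# Added example (not from the article or Accountable): a minimal data-inventory
# router that encodes the NJDPA scope rules described in the text. Element names,
# the sample inventory, and the threshold counts are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Regime(Enum):
    HIPAA = "PHI: HIPAA governs; NJDPA data-level carve-out applies"
    NJDPA = "non-PHI personal data of a NJ consumer: NJDPA applies"
    OUT_OF_SCOPE = "not 'personal data' or not a 'consumer' under the NJDPA"


@dataclass(frozen=True)
class DataElement:
    name: str
    is_phi: bool            # PHI held by a HIPAA covered entity or business associate
    nj_resident: bool
    context: str            # "individual", "household", "employment", "commercial"
    deidentified: bool = False
    publicly_available: bool = False


def route(elem: DataElement) -> Regime:
    """Assign one inventory element to the regime that governs it.

    The PHI test comes first because the carve-out is data-level: the same
    organisation can hold PHI (HIPAA) and non-PHI (NJDPA) side by side.
    """
    if elem.is_phi:
        return Regime.HIPAA
    if elem.deidentified or elem.publicly_available:
        return Regime.OUT_OF_SCOPE      # excluded from "personal data"
    if not elem.nj_resident or elem.context in ("employment", "commercial"):
        return Regime.OUT_OF_SCOPE      # not a "consumer"
    return Regime.NJDPA


def summarize(inventory: list) -> dict:
    """Group element names by regime so each can be routed to the right program."""
    out = {r.name: [] for r in Regime}
    for elem in inventory:
        out[route(elem).name].append(elem.name)
    return out


def njdpa_applies(consumers_excl_payment_only: int,
                  consumers_total: int,
                  sells_personal_data: bool) -> bool:
    """Annual threshold test from the NJDPA applicability section.

    (1) at least 100,000 consumers, not counting data processed solely to
        complete a payment transaction; or
    (2) at least 25,000 consumers plus revenue or a discount from selling
        personal data.
    """
    if consumers_excl_payment_only >= 100_000:
        return True
    return sells_personal_data and consumers_total >= 25_000


def response_deadline(received: date, extended: bool = False) -> date:
    """45 days to answer a verified rights request, plus one 45-day extension
    when reasonably necessary."""
    return received + timedelta(days=90 if extended else 45)


# Constructed sample inventory for a hypothetical New Jersey health system.
INVENTORY = [
    DataElement("ehr_lab_result", is_phi=True, nj_resident=True, context="individual"),
    DataElement("marketing_site_analytics_cookie_id", is_phi=False, nj_resident=True, context="individual"),
    DataElement("webinar_registration_email", is_phi=False, nj_resident=True, context="household"),
    DataElement("hr_employee_record", is_phi=False, nj_resident=True, context="employment"),
    DataElement("vendor_contact_name", is_phi=False, nj_resident=True, context="commercial"),
    DataElement("ny_newsletter_signup", is_phi=False, nj_resident=False, context="individual"),
    DataElement("research_dataset_deid", is_phi=False, nj_resident=True, context="individual", deidentified=True),
]

# Constructed: a rights request received on the Act's effective date.
SAMPLE_RECEIVED = date(2025, 1, 15)

if __name__ == "__main__":
    for regime, names in summarize(INVENTORY).items():
        print(f"{regime}: {names}")
    print("NJDPA applies (120k consumers, no sale):", njdpa_applies(120_000, 120_000, False))
    print("Deadline:", response_deadline(SAMPLE_RECEIVED), "extended:", response_deadline(SAMPLE_RECEIVED, True))
```

Running the module prints one line per regime with the element names that land in it, which is the shape of the inventory the text asks for: PHI routed to the HIPAA program, non‑PHI consumer data routed to the NJDPA program, and employee, B2B, out‑of‑state, and de‑identified records flagged as out of scope.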

Expect NJDPA obligations around consumer‑facing websites, patient portals, apps, and marketing operations, especially for tracking technologies, event forms, and loyalty or education programs that collect non‑PHI personal data from New Jersey consumers. Classify portal telemetry carefully before treating it as non‑PHI: HHS OCR has taken the position that identifiers collected by tracking technologies on authenticated patient portal pages can themselves be PHI, in which case HIPAA, not the NJDPA, governs them. If you target teens, institute opt‑in controls for targeted ads/sale/profiling. ([whitecase.com](https://www.whitecase.com/insight-alert/new-jersey-enacts-comprehensive-data-privacy-law?utm_source=openai))

Refresh vendor management: many vendors are both HIPAA business associates for PHI and NJDPA processors for non‑PHI. Ensure your Business Associate Agreements coexist with NJDPA processor contracts and that vendors can support rights requests, security, and assessment obligations. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-16/?utm_source=openai))

Enforcement and Penalties under NJDPA

Enforcement sits with the New Jersey Attorney General, with rulemaking by the Division of Consumer Affairs. There is no private right of action. Until July 1, 2026 (the first day of the 18th month following the January 15, 2025 effective date), the Division must, where it deems a cure possible, issue a notice of violation and allow 30 days to cure before bringing an enforcement action. ([arnoldporter.com](https://www.arnoldporter.com/en/perspectives/blogs/enforcement-edge/2025/01/new-jersey-data-privacy-law-faqs-released?utm_source=openai))

Penalties are tied to the New Jersey Consumer Fraud Act: up to $10,000 for an initial violation and up to $20,000 for subsequent violations, in addition to other remedies. ([mintz.com](https://www.mintz.com/insights-center/viewpoints/2826/2024-04-15-new-jersey-adopts-comprehensive-data-privacy-law?utm_source=openai))

FAQs

What types of data does the NJDPA exempt for HIPAA entities?

Only PHI collected by a HIPAA covered entity or business associate—subject to HIPAA’s privacy, security, and breach notification rules—is exempt. Other personal data handled by the same organization (for example, website analytics or marketing leads) is not automatically exempt. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))

Does the NJDPA override HIPAA regulations?

No. For PHI, HIPAA continues to control and the NJDPA defers. For non‑PHI personal data, the NJDPA can apply alongside HIPAA, so you should comply with both frameworks as applicable. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-13/?utm_source=openai))

Are business associates fully exempt under the NJDPA?

No. Business associates benefit from the same PHI‑only carve‑out, but they are not exempt entities. When a business associate processes non‑PHI personal data about New Jersey consumers and meets the thresholds, NJDPA duties apply. ([privacymatters.dlapiper.com](https://privacymatters.dlapiper.com/2024/02/us-new-jersey-enacts-comprehensive-state-privacy-law/?utm_source=openai))

How should covered entities handle non-PHI data under NJDPA?

Segment PHI from non‑PHI; update privacy notices; enable rights‑request handling with a 45‑day response window; gate sensitive data with opt‑in consent (and teen consent where applicable); conduct data protection assessments for high‑risk processing; implement reasonable security; and ensure processor contracts contain the NJDPA’s required terms. ([law.justia.com](https://law.justia.com/codes/new-jersey/title-56/section-56-8-166-7/?utm_source=openai))
