Best Practices: Documenting HIPAA Exemption Under New Jersey Data Privacy Act
Documenting your organization’s HIPAA exemption under the New Jersey Data Privacy Act (NJDPA) is essential to demonstrate lawful processing while preventing scope creep into NJDPA-covered activities. This guide translates the legal carve-out into concrete steps you can implement and audit.
The focus is twofold: clearly defining where protected health information is handled under HIPAA and proving how adjacent, non-PHI processing is governed by NJDPA. The result is a defensible record that streamlines operations and reduces enforcement risk.
NJDPA Exemptions for Covered Entities
Scope of the exemption
In practice, the NJDPA exemption applies to processing of protected health information by HIPAA-covered entities and their business associates when that processing complies with HIPAA. Typical in-scope activities include treatment, payment, and health care operations carried out through systems like EHRs, patient portals, and claims platforms.
What is not exempt
- Non-PHI consumer data (for example, marketing sites, cookies/trackers, or newsletter lists).
- Activities by vendors that are not operating under a valid HIPAA business associate agreement.
- Mixed-use systems where PHI and non-PHI are processed together without segmentation or documented controls.
Your documentation should draw a bright line showing which systems, data flows, and purposes are carved out by HIPAA and which remain subject to NJDPA obligations.
Documentation Requirements for HIPAA Exemption
Core components to include
- Regulatory basis: identify your role (covered entity or business associate) and state that the listed processing is conducted in compliance with the HIPAA Privacy Rule and Security Rule.
- System and data inventory: catalog applications, repositories, and integrations where PHI resides; specify data elements and processing purposes.
- Scope statement: define precisely which processing is exempt and the criteria used to determine PHI status.
- Segmentation and access controls: describe technical and administrative controls that separate PHI from non-PHI.
- Consumer request triage: outline how NJDPA requests are routed and how exemption determinations are communicated.
- Governance: name the accountable owner, approval path, and review cadence.
Operational evidence to retain
- Signed business associate agreements and vendor due diligence records.
- Policies and procedures supporting the exemption, including incident response and data mapping standards.
- Change logs showing when systems, purposes, or vendors were added, removed, or reclassified.
Record Retention Periods
For record retention compliance, maintain exemption documentation, supporting policies, and related approvals for no less than six years from the date of creation or last effective date, whichever is later. This aligns with HIPAA’s documentation retention expectations and provides a defensible baseline across audits and investigations.
Apply the same timeline to artifacts tied to the exemption, including business associate agreements, PHI system inventories, access control attestations, and exemption decisions on consumer requests. If your broader corporate schedule or other legal obligations require longer retention, adopt the longer period and note it in your retention policy.
De-Identification Standards for PHI
Two recognized methods
- Expert Determination: a qualified expert certifies that the risk of re-identification is very small, with documented methods and assumptions.
- Safe Harbor: the specified identifiers are removed and the entity has no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual.
Safe Harbor de-identification criteria (key identifiers to remove)
- Names and all geographic subdivisions smaller than a state.
- All elements of dates (except year) related to an individual; ages over 89 aggregated.
- Telephone, fax, and email addresses; URLs and IP addresses.
- Social Security, medical record, and health plan beneficiary numbers.
- Account, certificate/license, vehicle, and device identifiers.
- Biometric identifiers (for example, fingerprints, voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Treat de-identified data as a distinct data class with written controls: prohibit re-identification, govern code keys separately, and ensure vendor contracts mirror these obligations.
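As an added illustration that is not part of the original article, the Python function below applies the Safe Harbor criteria listed above to a constructed sample record: direct identifiers and sub-state geography are dropped, dates are reduced to the year, ages over 89 are aggregated to "90+" (with the birth year removed as well), and identifiers embedded in free text are redacted. The field names, the sample values, and the fixed reference date are assumptions.

```python
import re
from datetime import date

# Constructed sample record for illustration only; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "zip": "07102", "state": "NJ",
    "dob": "1931-04-17", "admit_date": "2024-02-03", "diagnosis_code": "E11.9",
    "notes": "Call 201-555-0100 or jane@example.com; portal login from 10.0.0.5",
}
AS_OF = date(2024, 6, 1)  # fixed reference date so ages are reproducible

# Direct identifiers and sub-state geography are dropped outright.
DROP_FIELDS = {"name", "mrn", "ssn", "plan_id", "account", "email", "phone",
               "fax", "url", "ip", "device_id", "biometric", "photo",
               "zip", "city", "county", "street"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Identifiers that commonly leak inside free-text fields.
FREE_TEXT_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),            # email address
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # phone or fax number
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),         # IPv4 address
    re.compile(r"https?://\S+"),                        # URL
]

def age_on(dob, as_of):
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def scrub_text(text):
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def safe_harbor_deidentify(record, as_of):
    """Return a new dict with the Safe Harbor identifiers removed (ISO date strings assumed)."""
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Keep the year only; for ages over 89 even the birth year goes.
            if not (key == "dob" and over_89):
                out[key] = value[:4]
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if "dob" in record:
        out["age"] = "90+" if over_89 else age_on(record["dob"], as_of)
    return out
```

The regex scrub is a coarse backstop for free text, not a substitute for the field-level removal; a reviewer should still confirm no other unique code or characteristic remains.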
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Partner and Vendor Agreements
For PHI: business associate agreements
Ensure business associate agreements clearly define permitted uses and disclosures, require safeguards, mandate breach reporting, and flow down restrictions to subcontractors. Tie each BAA to the specific systems and data flows listed in your exemption record.
For non-PHI: NJDPA-aligned processor terms
- Purpose limitation, confidentiality, and security requirements appropriate to the data.
- Subprocessor approval and oversight, including due diligence and contractual flow-downs.
- Assistance with consumer rights requests, data return/deletion at termination, and audit or assessment rights.
- Explicit prohibitions on re-identification where de-identified data is processed.
Where a vendor handles both PHI and non-PHI, use dual exhibits (BAA + NJDPA data processing addendum) to avoid ambiguity and to keep obligations aligned with each regime.
Data Protection Assessments and Compliance
Conduct data processing risk assessments for non-PHI activities that present elevated privacy risks (for example, analytics, targeted outreach, profiling, or data sharing). The assessment should document purposes, benefits, risks, mitigations, and residual risk acceptance with leadership sign-off.
- Leverage your HIPAA risk analysis by adding privacy-specific factors such as data minimization, secondary use, transparency, and consumer rights impacts.
- Maintain an assessments registry, version control, and evidence of remediation tracking.
- Establish triggers for reassessment, such as new data sources, vendors, tools, or material purpose changes.
This integrated approach demonstrates continuous compliance and provides artifacts that can be produced during inquiries or Office for Civil Rights (OCR) enforcement activity.
Employee Training and Education on Privacy
Deliver role-based training that differentiates HIPAA-covered PHI processing from NJDPA-covered non-PHI processing. Include scenario-based exercises on request triage, de-identification handling, and escalation paths, and reference your HIPAA privacy policies throughout.
- Track completions, knowledge checks, and refresher intervals; retain rosters and curricula as part of your evidence plan.
- Brief high-risk teams (marketing, analytics, product) on segmentation controls and vendor management expectations.
- Provide quick-reference playbooks for frontline staff to route consumer requests and apply the exemption consistently.
Together, clear documentation, disciplined vendor governance, robust data processing risk assessments, and targeted training create a cohesive compliance posture that withstands regulatory scrutiny while enabling responsible data use.
FAQs
What PHI is exempt under the New Jersey Data Privacy Act?
PHI collected, used, or disclosed by a HIPAA-covered entity or its business associate in accordance with HIPAA is generally exempt when processed for treatment, payment, or health care operations. Non-PHI consumer data handled by the same organization remains subject to NJDPA requirements.
How long must HIPAA exemption documentation be retained?
Retain the exemption record, supporting policies, approvals, and related evidence for at least six years from creation or last effective date, aligning with record retention compliance best practices. If other laws or your corporate schedule require longer retention, follow the longer period.
What are the key elements excluded in PHI de-identification?
Under Safe Harbor de-identification criteria, remove names; small-area geographies; most date elements (except year) and ages over 89; phone, fax, email, URLs, and IPs; Social Security, medical record, plan beneficiary, account, license, vehicle, and device identifiers; biometric identifiers; full-face images; and any other unique identifying code or characteristic.
How should business partner agreements address data privacy obligations?
Use business associate agreements for PHI to define permissible uses, safeguards, breach reporting, and subcontractor controls. For non-PHI subject to NJDPA, add processor terms that cover purpose limitation, confidentiality, security, subprocessor management, consumer rights assistance, deletion/return, audit rights, and re-identification prohibitions.