How the New Jersey Data Privacy Act Treats HIPAA Covered Entities


Kevin Henry

Data Privacy

January 15, 2025

7 minutes read

NJDPA Exemptions for HIPAA-Covered Entities

The New Jersey Data Privacy Act (NJDPA) recognizes that health privacy is already governed by HIPAA. As a result, the statute generally carves out protected health information (PHI) and processing activities undertaken by HIPAA-covered entities and their business associates to the extent those activities are subject to HIPAA. Practically, this means your day‑to‑day clinical treatment, payment, and health care operations data are excluded from NJDPA oversight.

That exemption is not a blanket, entity‑wide pass. It is scoped to the data and processing covered by HIPAA. When you operate outside HIPAA’s lane, NJDPA can still apply. The act also aligns with federal privacy exemptions more broadly, acknowledging that when specific federal regimes regulate a dataset, state privacy law steps back to avoid conflict.

Key points you can rely on include the exclusion of protected health information (PHI), recognition that HIPAA de‑identified data falls outside NJDPA, and acknowledgement that a business associate’s HIPAA‑regulated processing is covered by the same carve‑out. Always confirm whether a given activity truly falls under HIPAA before treating it as exempt; the same organization can hold PHI and ordinary consumer data side by side.

Applicability to Non-HIPAA Data

NJDPA applies to personal data you collect or use that is not regulated by HIPAA. Examples include consumer‑facing website analytics, cookies used for targeted advertising, mobile app telemetry, marketing databases, event registrations, and customer service recordings that do not constitute PHI. If you meet NJDPA’s applicability thresholds, these datasets trigger obligations even when you are a hospital, plan, or health tech company.

For this non‑HIPAA data, you must provide clear notices that specify the categories of personal data collected, purposes for processing, personal data classifications (including any sensitive data), and how consumers can exercise their rights. You also need mechanisms to honor opt‑outs of targeted advertising, the sale of personal data, and certain automated profiling uses where applicable.

Expect to authenticate and fulfill consumer requests to access, correct, delete, and port eligible personal data within statutory timelines, maintain an internal appeals process for request denials, and document your decisions for accountability. None of these duties alter your HIPAA obligations; they operate in parallel for data outside HIPAA.

Exemptions for Other Entities

NJDPA recognizes additional federal privacy exemptions. Data subject to Gramm‑Leach‑Bliley Act (GLBA) rules is typically excluded, meaning GLBA compliance governs that financial data, while your non‑GLBA datasets (for example, general marketing lists) may still be covered by NJDPA. Similar carve‑outs exist for data regulated by other federal frameworks, reflecting a policy of deferring to sector‑specific laws.

In practice, this means a multi‑regulated organization may manage parallel compliance tracks: HIPAA for PHI, GLBA compliance for financial data, and NJDPA for broader consumer data not captured by those federal regimes. Map your data flows carefully so you apply the correct rule to each dataset rather than assuming one framework covers everything.


Exemptions for Specific Data Types

  • Protected health information (PHI) processed by HIPAA‑covered entities and business associates to the extent regulated by HIPAA.
  • Data de‑identified under HIPAA’s de‑identification standard (safe harbor or expert determination) and aggregated data that cannot reasonably be linked to an individual.
  • Publicly available information lawfully made available from government records or widely distributed media.
  • Data sets expressly covered by other federal privacy exemptions, such as certain financial records or records protected by specialized federal health privacy rules.
  • Limited research data processed under appropriate oversight, to the extent a federal regime governs the handling and makes the dataset out of scope for NJDPA.

Compliance Requirements for Covered Entities

When NJDPA applies to your non‑HIPAA data, you should implement a program that complements existing HIPAA controls without conflating them. Start with an accurate data inventory, including personal data classifications, processing purposes, recipients, retention periods, and locations. Maintain a consumer‑facing privacy notice that is specific, concise, and updated as practices change.

  • Consumer rights: Deploy processes to intake, authenticate, fulfill, and log access, correction, deletion, and portability requests; provide an appeals channel for denials.
  • Opt‑outs: Honor consumer opt‑outs of targeted advertising, the sale of personal data, and certain profiling; recognize user‑enabled universal opt‑out mechanisms where required.
  • Purpose limitation and minimization: Collect only what you need for specified purposes and retain it no longer than necessary.
  • Security: Implement reasonable administrative, technical, and physical safeguards commensurate with the sensitivity of the data and your risk profile.
  • Sensitive data: Obtain appropriate consent or apply stricter safeguards for sensitive categories (e.g., precise geolocation, biometrics) when processed outside HIPAA.
  • Assessments: Conduct data protection assessments for high‑risk processing, such as targeted advertising or profiling with significant effects.

Data Processing Obligations

NJDPA adopts a controller/processor model for vendor governance. For non‑HIPAA personal data, your business associates may function as processors, and your HIPAA business associate agreements do not automatically satisfy NJDPA. You need data processing agreements tailored to NJDPA’s requirements in addition to, or integrated with, BAAs.

  • Data processing agreements should include processing instructions; limits on purpose and use; confidentiality obligations; security requirements; subprocessor controls and notice; assistance with consumer requests and assessments; return or deletion of data at termination; and audit or attestation mechanisms.
  • Controllers must vet processors, ensure appropriate safeguards, maintain records of processing, and monitor adherence to instructions.
  • Processors must process only on documented instructions, maintain confidentiality, implement security, assist with consumer requests routed by the controller, and flow down obligations to subprocessors.
  • Operationalize technical signals by configuring consent/opt‑out tools and honoring recognized universal opt‑out mechanisms in your adtech stack.
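The last point above is the one place this article touches a concrete mechanism: a request arrives carrying an opt‑out signal, and your adtech stack must act on it before any targeted‑advertising or data‑sale tag fires. The following is an added example, not code from Accountable or from the article. It assumes Global Privacy Control (GPC) as the universal opt‑out mechanism, which browsers express as a `Sec-GPC: 1` request header (the article does not name a specific mechanism). The consent cookie name `nj_optout`, the `TAGS` registry, and the purpose labels are hypothetical, constructed for the example. The logic is server‑side: derive an opt‑out state from the request, then decide which third‑party tags may be emitted into the page.

```javascript
// Added example (not from the article): gate third-party tags on opt-out signals.
// Assumption: Global Privacy Control is the universal opt-out mechanism, sent by
// the browser as "Sec-GPC: 1". Cookie name, tag ids and purposes are hypothetical.

// Case-insensitive header lookup; frameworks differ on how they case header names.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return String(headers[key]);
  }
  return "";
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch (e) { out[name] = value; }
  }
  return out;
}

// Derive the opt-out state for one request.
// A GPC signal is treated as an opt-out of both targeted advertising and the sale
// of personal data. The site's own opt-out cookie ("nj_optout", hypothetical,
// JSON like {"targetedAds":true,"sale":true}) is honored as well. The two are
// OR-ed: a stored preference never re-enables processing that GPC opts out of.
function optOutState(headers, cookieHeader) {
  const gpc = headerValue(headers, "Sec-GPC").trim() === "1";
  const cookies = parseCookies(cookieHeader);
  let stored = {};
  try { stored = JSON.parse(cookies["nj_optout"] || "{}"); } catch (e) { stored = {}; }
  if (stored === null || typeof stored !== "object") stored = {};
  const targetedAds = gpc || stored.targetedAds === true;
  const sale = gpc || stored.sale === true;
  const source = gpc ? "gpc" : (targetedAds || sale ? "cookie" : "none");
  return { targetedAds, sale, source };
}

// Constructed tag registry: each third-party tag declares the processing
// purposes it serves. "analytics" is first-party measurement with no sale or
// targeting; the other purposes map onto the NJDPA opt-out rights.
const TAGS = [
  { id: "site-analytics", purposes: ["analytics"] },
  { id: "ad-retargeting-pixel", purposes: ["targeted_ads"] },
  { id: "data-broker-sync", purposes: ["sale"] },
  { id: "ad-network-measurement", purposes: ["targeted_ads", "sale"] },
];

// Return the ids of tags that may be emitted. A tag is dropped if ANY of its
// purposes is opted out: a single script cannot be fired "partially", so the
// safe default is to suppress it entirely.
function allowedTags(state, tags = TAGS) {
  const blocked = new Set();
  if (state.targetedAds) blocked.add("targeted_ads");
  if (state.sale) blocked.add("sale");
  return tags
    .filter((t) => t.purposes.every((p) => !blocked.has(p)))
    .map((t) => t.id);
}

// Usage with a constructed request carrying a GPC signal and no cookie.
const exampleState = optOutState({ "Sec-GPC": "1", "User-Agent": "example" }, "");
console.log(exampleState, allowedTags(exampleState));
```

Two design choices are worth keeping even if you swap in a consent‑management platform: the opt‑out sources are combined with OR, so a stale cookie can never override a live GPC signal, and the tag filter is all‑or‑nothing per tag, because a tag that serves both a permitted and an opted‑out purpose still transmits the data you promised not to sell. Log the returned `source` alongside the request so you can evidence why a given tag did or did not fire.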

Interaction Between NJDPA and HIPAA

HIPAA and NJDPA protect different but sometimes adjacent spheres of privacy. HIPAA applies to PHI in the hands of HIPAA‑covered entities and business associates for defined purposes. NJDPA applies broadly to consumer personal data not otherwise governed by a federal regime. Both require transparency and security, but NJDPA adds consumer opt‑outs and broader individual rights for non‑PHI data.

For efficient compliance, align your governance so the right rule applies to the right data. Use your HIPAA data map as a foundation, then extend it to capture non‑HIPAA data flows across marketing, web properties, mobile apps, and third‑party tools. Distinguish PHI from non‑PHI at collection, and tag datasets so staff and vendors know which legal track to follow.

Unify processes where possible: route all individual requests through one intake, triage them by dataset, and fulfill under HIPAA or NJDPA as appropriate. Likewise, coordinate vendor contracting so BAAs and NJDPA data processing agreements coexist without gaps or contradictions.

Bottom line: NJDPA does not replace HIPAA; it closes gaps around non‑HIPAA personal data. When you separate datasets clearly, maintain strong notices and rights workflows, and align contracts, you can meet NJDPA’s expectations while preserving HIPAA’s stringent protections.

FAQs

What does the NJDPA exempt for HIPAA-covered entities?

NJDPA generally exempts protected health information (PHI) and HIPAA‑regulated processing performed by HIPAA‑covered entities and their business associates. The carve‑out is data‑specific, so it applies only to activities actually governed by HIPAA rather than everything a covered entity does.

How does NJDPA apply to non-PHI personal data?

Non‑PHI personal data—such as website analytics, advertising identifiers, or consumer contact information—can be in scope if you meet NJDPA’s applicability thresholds. For that data, you must provide clear notices, honor consumer rights and opt‑outs, implement security, and complete assessments for high‑risk uses.

Are business associates subject to NJDPA?

Yes, when a business associate processes non‑HIPAA personal data, it typically functions as a processor under NJDPA and must follow controller instructions, implement safeguards, and sign compliant data processing agreements. For HIPAA‑regulated PHI, the HIPAA framework controls and is generally exempt from NJDPA.

What federal laws influence NJDPA exemptions?

NJDPA recognizes federal privacy exemptions, most notably HIPAA for PHI and GLBA for financial data. Where those regimes govern a dataset, NJDPA defers; for data outside those federal laws, NJDPA’s requirements apply.
