New Jersey Data Privacy Act HIPAA Exemption: Covered Entity Requirements Explained
The New Jersey Data Privacy Act (NJDPA) intersects with federal health privacy rules in ways that matter for hospitals, health plans, and their vendors. This guide clarifies how the HIPAA exemption works, what remains in scope for a HIPAA Covered Entity or Business Associate, and how to operationalize compliance without disrupting care delivery or patient trust.
Below, you’ll learn who the NJDPA applies to, the criteria and limits of the HIPAA exemption, your ongoing obligations for non-PHI, and how to handle consumer requests, consent, enforcement risk, and Data Security Standards.
NJDPA Applicability and Thresholds
Who the law covers
The NJDPA applies to organizations that conduct business in New Jersey or target products or services to New Jersey residents and act as “controllers” or “processors” of personal data. A controller determines the purposes and means of processing; a processor acts on the controller’s behalf.
“Consumer” generally means an individual acting in a personal or household context. Personal data collected in an employment or business-to-business context is typically treated differently from consumer data and may be outside the law’s consumer-rights scope.
How thresholds work in practice
Coverage turns on statutory processing thresholds. In practice, the NJDPA reaches organizations that handle personal data about a substantial number of New Jersey consumers, with lower thresholds where revenue is derived from selling personal data. Small entities below these thresholds may fall outside the law, but growth, marketing campaigns, or data partnerships can quickly change your status.
Common exemptions to know
Key data-specific exemptions include Protected Health Information processed under HIPAA, de-identified data, and publicly available information. These carve-outs are narrowly drawn: they apply to the exempt data itself, not to your organization across the board.
Bottom line: if you process consumer personal data that is not PHI—such as website analytics, event registrations, or ad-tech identifiers—the NJDPA likely applies to that processing even if you are a HIPAA Covered Entity.
HIPAA Exemption Criteria and Scope
A data-level exemption, not an entity-level shield
The NJDPA’s HIPAA exemption is primarily data-focused. Protected Health Information handled by a HIPAA Covered Entity or Business Associate under HIPAA remains outside the NJDPA’s consumer-rights regime. The exemption does not automatically cover all other personal data you process.
Examples of data that usually remain in scope: marketing leads, website cookies, device identifiers, geolocation used for advertising, patient portal usage analytics when processed for marketing, philanthropic outreach lists, and consumer feedback captured outside clinical records.
Mixed datasets and re-use
If PHI is combined with non-PHI or repurposed for activities outside HIPAA (for example, targeted advertising or cross-context behavioral profiling), the NJDPA can attach to the non-PHI portion and to the repurposed processing. Maintain clear boundaries and purpose limitations to preserve the HIPAA exemption where it applies.
Covered Entity Obligations under NJDPA
Separate PHI from consumer data
Map data flows to distinguish PHI from other personal data. For non-PHI, publish a clear, accessible privacy notice that explains the categories of personal data processed, purposes, sharing practices, Targeted Advertising Opt-Out mechanisms, and how consumers can exercise their rights.
Honor Data Subject Rights for non-PHI
- Enable requests to access, correct, delete, and obtain a portable copy of personal data that is in scope.
- Provide a straightforward Targeted Advertising Opt-Out and an opt-out of sales and certain profiling activities.
- Offer an internal appeal process when you decline a request, with instructions and timelines.
Govern processors and contracts
For vendors handling non-PHI consumer data, execute data processing agreements that specify instructions, confidentiality, sub-processor controls, assistance with consumer requests, and secure deletion/return at contract end. Do not assume a Business Associate Agreement alone covers NJDPA duties for non-PHI.
Assess high-risk processing
Conduct and document data protection assessments for sensitive processing—such as targeted advertising, data sales, large-scale profiling, or handling of sensitive personal data outside HIPAA. Record your purposes, alternatives considered, safeguards, and proportionality.
Consumer Rights and Protections
Core rights you must support
- Right to know and access: confirm whether you process a consumer’s personal data and provide access to it.
- Right to correct: fix inaccuracies in non-PHI personal data you control.
- Right to delete: remove personal data you collected from the consumer, subject to lawful retention needs.
- Right to data portability: supply a usable, portable copy where feasible.
- Right to opt out: provide an effective Targeted Advertising Opt-Out, and opt-outs for sales and certain profiling decisions.
These Data Subject Rights apply to NJDPA-covered personal data, not to HIPAA-regulated PHI. Avoid discriminatory treatment for exercising rights and clearly communicate any lawful limitations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Data Processing and Consent Requirements
Sensitive data and teens
Obtain opt-in consent before processing sensitive data categories outside HIPAA, such as precise geolocation, biometric identifiers for identification, or non-PHI health information in consumer contexts. For children’s data, ensure verifiable parental consent and heightened protections; apply careful review for teen data and advertising-related processing.
Consent quality and records
Consent must be freely given, specific, informed, and unambiguous—no dark patterns. Present equal choices, log consent (and withdrawals), and make withdrawal as easy as giving consent. Align your consent flows with your notices and actual practices.
Purpose limitation
Collect and use only what you need for declared purposes. If you plan a materially different use of non-PHI personal data, obtain fresh consent or provide a clear opportunity to opt out, as applicable under the NJDPA.
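The data-separation, consumer-request and consent-ledger obligations in the sections above ("Separate PHI from consumer data", "Honor Data Subject Rights", "Consent quality and records", and the purpose-limitation rule just stated) are easier to reason about as one small routing model. The following is an added example, not code from the page or from Accountable: every data element in the inventory is tagged with the regime that governs it, consumer requests are answered only against the non-PHI elements (PHI is listed as routed to the separate HIPAA process), deletion respects a lawful retention hold, and an append-only consent ledger decides whether a use is permitted, with an undeclared purpose requiring fresh opt-in. The element names, purposes, record layout and sample consumer are all constructed assumptions.

```python
"""Added example: regime tagging, NJDPA request handling and a consent ledger.
Element names, purposes, record layouts and the sample consumer are constructed
for illustration only; nothing here is taken from the NJDPA text or a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Regime(Enum):
    HIPAA_PHI = "hipaa_phi"  # processed under HIPAA; outside NJDPA consumer rights
    NJDPA = "njdpa"          # non-PHI consumer data; NJDPA rights apply


@dataclass(frozen=True)
class Element:
    name: str
    regime: Regime
    purposes: frozenset            # purposes declared in the privacy notice
    retention_hold: bool = False   # a lawful retention need blocks deletion


# Constructed inventory: one PHI element, three non-PHI consumer elements.
INVENTORY = {
    "clinical_note": Element("clinical_note", Regime.HIPAA_PHI, frozenset({"treatment"})),
    "web_analytics": Element("web_analytics", Regime.NJDPA, frozenset({"analytics"})),
    "marketing_email": Element("marketing_email", Regime.NJDPA,
                               frozenset({"marketing", "targeted_advertising"})),
    "donation_record": Element("donation_record", Regime.NJDPA,
                               frozenset({"philanthropy"}), retention_hold=True),
}


@dataclass
class ConsentLedger:
    """Append-only log of (consumer, purpose, granted, timestamp); latest entry wins,
    so a withdrawal or opt-out is recorded rather than overwriting the grant."""
    entries: list = field(default_factory=list)

    def record(self, consumer, purpose, granted, at=None):
        self.entries.append((consumer, purpose, granted, at or datetime.now(timezone.utc)))

    def state(self, consumer, purpose):
        state = None  # None = never asked, True = granted, False = withdrawn/opted out
        for c, p, g, _ in self.entries:
            if c == consumer and p == purpose:
                state = g
        return state


@dataclass
class ConsumerStore:
    records: dict                  # {consumer_id: {element_name: value}}
    ledger: ConsentLedger = field(default_factory=ConsentLedger)

    def handle_request(self, consumer, action):
        """Answer access / delete / opt_out_targeted_advertising against non-PHI only.
        PHI elements are reported as routed to the HIPAA process, never touched here."""
        data = self.records.setdefault(consumer, {})
        in_scope = {k: v for k, v in data.items() if INVENTORY[k].regime is Regime.NJDPA}
        routed = sorted(k for k in data if INVENTORY[k].regime is Regime.HIPAA_PHI)
        result = {"action": action, "routed_to_hipaa": routed}
        if action == "access":
            result["data"] = in_scope
        elif action == "delete":
            deleted, retained = [], []
            for k in in_scope:
                if INVENTORY[k].retention_hold:
                    retained.append(k)          # keep, and tell the consumer why
                else:
                    del data[k]
                    deleted.append(k)
            result["deleted"], result["retained"] = sorted(deleted), sorted(retained)
        elif action == "opt_out_targeted_advertising":
            self.ledger.record(consumer, "targeted_advertising", False)
            result["opted_out"] = True
        else:
            raise ValueError(f"unknown action: {action}")
        return result

    def may_use(self, consumer, element, purpose):
        """Purpose limitation: a declared purpose is allowed unless the consumer
        opted out; an undeclared purpose needs a fresh opt-in in the ledger."""
        el = INVENTORY[element]
        if el.regime is Regime.HIPAA_PHI:
            return False  # PHI use is decided under HIPAA, not by this check
        state = self.ledger.state(consumer, purpose)
        if purpose in el.purposes:
            return state is not False
        return state is True


def build_sample_store():
    """Constructed sample: one consumer holding all four inventory elements."""
    return ConsumerStore({"c1": {
        "clinical_note": "visit summary", "web_analytics": "page views",
        "marketing_email": "c1@example.invalid", "donation_record": "2024 gift"}})
```

The same `INVENTORY` tag is what the incident-response playbook later in this guide would consult to decide whether an incident touched PHI, non-PHI, or both; keeping the regime on the element rather than on the system is what lets a mixed dataset be handled element by element.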
Compliance Deadlines and Enforcement
Planning toward the effective date
Build your program backward from the NJDPA’s effective date, allowing time for data mapping, notice updates, opt-out tooling, and vendor contracting. A practical approach is to finalize key controls several weeks before the law takes effect to test request-handling and opt-outs at scale.
Enforcement model and penalties
The New Jersey Attorney General enforces the NJDPA. Expect investigatory powers, injunctive relief, and civil Enforcement Penalties for violations. Some cure opportunities may be available depending on timing and circumstance, but you should not rely on a cure period as a compliance strategy.
Documentation expectations
Maintain records of processing for non-PHI, data protection assessments for high-risk activities, training logs, and vendor due diligence artifacts. Strong documentation can mitigate exposure during inquiries and demonstrates accountability.
Data Minimization and Security Measures
Minimize collection and retention
Adopt a “need-to-know” approach: collect the least amount of non-PHI personal data necessary and set retention periods aligned to legal, clinical, and business requirements. Use deletion or irreversible de-identification at end of need.
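One way to operationalize the retention rule in the paragraph above is a scheduled sweep that either deletes expired non-PHI records or, where an aggregate still needs them, strips them down irreversibly. The following is an added example, not code from the page or from Accountable; the record types, retention periods, identifier fields and sample rows are constructed assumptions. It also handles two cases a practitioner would ask about: a record under legal hold is kept regardless of age, and de-identification drops identifiers outright rather than hashing them, because a hash of an e-mail address can be recomputed and is only pseudonymous.

```python
"""Added example: retention sweep for non-PHI consumer records. Record types,
retention periods, identifier fields and sample rows are constructed for
illustration; they are not part of the NJDPA text or any real schedule."""
from datetime import date, timedelta

# Constructed retention schedule in days, per record type.
RETENTION_DAYS = {"web_analytics": 365, "marketing_lead": 730}
# Types whose aggregate value is kept in de-identified form instead of deleted.
DEIDENTIFY_INSTEAD_OF_DELETE = {"web_analytics"}
# Direct identifiers removed on de-identification; nothing derived from them is kept.
DIRECT_IDENTIFIERS = ("name", "email", "ip", "device_id")


def deidentify(rec):
    """Irreversible de-identification: drop direct identifiers and coarsen the
    event date to a month. No salt or key is retained, so unlike a hashed e-mail
    the result cannot be re-linked to the consumer."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS and k != "created"}
    out["event_month"] = rec["created"].strftime("%Y-%m")
    out["deidentified"] = True
    return out


def sweep(records, today):
    """Return (kept_records, deleted_count, deidentified_count) for one run."""
    kept, deleted, deidentified = [], 0, 0
    for rec in records:
        limit = timedelta(days=RETENTION_DAYS[rec["type"]])
        if rec.get("deidentified") or rec.get("legal_hold"):
            kept.append(rec)                       # already stripped, or must be held
        elif today - rec["created"] <= limit:
            kept.append(rec)                       # still within its retention period
        elif rec["type"] in DEIDENTIFY_INSTEAD_OF_DELETE:
            kept.append(deidentify(rec))
            deidentified += 1
        else:
            deleted += 1                           # expired: drop the record
    return kept, deleted, deidentified


def run_sample():
    """Constructed sample rows swept as of 2025-01-01."""
    rows = [
        {"type": "web_analytics", "created": date(2023, 1, 1), "ip": "192.0.2.10",
         "device_id": "dev-1", "page": "/portal/login"},
        {"type": "web_analytics", "created": date(2024, 12, 1), "ip": "192.0.2.11",
         "device_id": "dev-2", "page": "/"},
        {"type": "marketing_lead", "created": date(2022, 6, 1), "name": "A. Example",
         "email": "a@example.invalid"},
        {"type": "marketing_lead", "created": date(2022, 6, 1), "name": "B. Example",
         "email": "b@example.invalid", "legal_hold": True},
    ]
    return sweep(rows, date(2025, 1, 1))
```

Running the sweep twice over its own output is safe: de-identified rows carry the `deidentified` flag and are skipped, and a row on legal hold stays until the hold is lifted in the source system, not by this job.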
Implement pragmatic safeguards
- Access controls and least-privilege for marketing, analytics, and vendor teams handling consumer data.
- Encryption in transit and at rest, key management hygiene, and secure configuration baselines.
- Continuous vulnerability management, multi-factor authentication, and phishing-resistant credentials.
- Vendor risk management with security questionnaires, contractual controls, and periodic audits.
- Incident response playbooks that distinguish PHI from non-PHI impacts and include notification decisioning.
These measures align with widely recognized Data Security Standards and help you demonstrate reasonable safeguards under the NJDPA.
Conclusion
The NJDPA’s HIPAA exemption protects PHI processed under HIPAA, but it does not shield all other consumer data your organization touches. By separating PHI from non-PHI, honoring Data Subject Rights, enabling a Targeted Advertising Opt-Out, tightening processor contracts, and applying strong security and minimization, a HIPAA Covered Entity or Business Associate can meet NJDPA expectations with confidence.
FAQs
What constitutes a HIPAA covered entity under the NJDPA?
It is the same as under federal law: health plans, most healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. Under the NJDPA, being a HIPAA Covered Entity matters because PHI you process under HIPAA is generally exempt; however, your non-PHI consumer data remains subject to the NJDPA.
Does the NJDPA exempt all healthcare providers?
No. The exemption is data-based. It covers Protected Health Information handled under HIPAA, not every data activity by a healthcare provider. Marketing databases, website analytics, donor lists, or other non-PHI consumer data may be governed by the NJDPA.
How does the NJDPA affect data sales involving protected health information?
Sales of PHI are governed by HIPAA and require specific authorization or must meet limited exceptions. If the data is PHI, NJDPA’s sale provisions generally do not apply; if the data is non-PHI consumer data, NJDPA’s sale rules and opt-out rights do apply.
What enforcement actions apply to non-compliance with the HIPAA exemption under NJDPA?
The New Jersey Attorney General can investigate and pursue injunctive relief and civil Enforcement Penalties for NJDPA violations involving non-PHI consumer data. Proper data mapping, notices, opt-outs, and security controls materially reduce enforcement risk.