New Jersey Data Privacy Law for Healthcare: What Providers Need to Know
New Jersey Data Privacy Act Overview
Key dates and scope
The New Jersey Data Privacy Act (NJDPA) took effect on January 15, 2025. Beginning six months later—on July 15, 2025—controllers that engage in targeted advertising or sell personal data must honor user-selected universal opt-out mechanisms. Through June 30, 2026, regulators must generally offer a 30‑day cure period before bringing an enforcement action; after July 1, 2026, that cure period is no longer guaranteed. The Office of the Attorney General (via the Division of Consumer Affairs) has exclusive enforcement authority, and the law does not create a private right of action. ([mayerbrown.com](https://www.mayerbrown.com/en/insights/publications/2024/01/new-jersey-enacts-privacy-law?utm_source=openai))
Personal Data Processing Thresholds
The NJDPA applies to controllers that conduct business in New Jersey or target New Jersey residents and, in a calendar year, either process the personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction) or process the personal data of at least 25,000 consumers and derive revenue or receive a discount from the sale of personal data. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
Unlike some state laws, New Jersey does not include a blanket exemption for nonprofit organizations or higher‑education institutions; entities meeting the thresholds are in scope. ([foley.com](https://www.foley.com/insights/publications/2024/01/new-jersey-passes-comprehensive-privacy-law-2024/?utm_source=openai))
Applicability to Healthcare Providers
Who is in scope—and what data counts
“Consumer” means a New Jersey resident acting in an individual or household context (not an employment or commercial context). Many patient interactions fit this definition, but the law carves out protected health information (PHI) collected by HIPAA‑regulated covered entities and business associates. That PHI falls outside the NJDPA, while other non‑PHI consumer data you handle may still be covered if you meet the thresholds. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
A 2026 update affecting providers
As of January 20, 2026, New Jersey amended the NJDPA to also exempt certain non‑PHI when a covered entity or business associate handles the information “like PHI”—that is, uses or discloses it in accordance with HIPAA and affords it HIPAA‑level privacy and security safeguards. This amendment took effect immediately but does not create a blanket entity‑level exemption; scope still depends on how the data is collected and used. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2024/A5500/5017_R3.PDF?utm_source=openai))
Consumer Rights Under the Law
What consumers can do
Consumers have the right to: confirm whether you process their personal data and access it; correct inaccuracies; delete personal data; obtain a portable copy; and opt out of processing for targeted advertising, the sale of personal data, and certain profiling with legal or similarly significant effects. Build Consumer Data Rights Management procedures to support these requests end‑to‑end. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
How you must respond
You must respond to a verified request within 45 days (with one 45‑day extension when reasonably necessary) and provide one response free of charge per consumer in any 12‑month period. If you decline, you must explain why and offer an appeal process. You have 45 days to decide an appeal and must provide a way for consumers to contact the Division of Consumer Affairs if the appeal is denied. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
Authorized agents and opt-out signals
Consumers may designate an authorized agent (including via browser/device signals) to submit opt‑out requests. As of July 15, 2025, controllers that engage in targeted advertising or sell personal data must honor user‑selected universal opt‑out mechanisms. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
Handling Sensitive Healthcare Data
What counts as “sensitive data”
Sensitive data includes personal data revealing racial or ethnic origin; religious beliefs; a mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; citizenship or immigration status; status as transgender or non‑binary; genetic or biometric data that can uniquely identify a person; precise geolocation; certain financial information (account or card numbers combined with the credentials needed to use them); and personal data collected from a known child. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
Sensitive Data Opt-In Consent
You may not process sensitive data without first obtaining the consumer’s consent. For known children, you must process in accordance with COPPA, and for teens ages 13–16, opt‑in consent is required before targeted advertising, selling their personal data, or profiling with legal or similarly significant effects. Consumers must be able to revoke consent as easily as they gave it; once a revocation is received, you must stop the processing as soon as practicable and no later than 15 days after receipt. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
Operational practices to protect Healthcare Data Confidentiality
Use clear, granular consent prompts, least‑necessary data collection, short retention, encryption in transit and at rest, and role‑based access. Keep sensitive data segregated from marketing systems and maintain traceability for consent and revocation events.
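The two obligations above that are easiest to get wrong in code are honoring a browser‑sent universal opt‑out signal and proving that a consent revocation was acted on within the 15‑day window. The following is an added example written for this page, not code from the original article or from Accountable; it assumes Global Privacy Control (the `Sec-GPC: 1` request header) as the universal opt‑out mechanism, and the class, purpose names and sample events are hypothetical. It keeps an append‑only ledger of consent, revocation and opt‑out events, answers "may I process this consumer's data for this purpose right now", and lists revocations that have no recorded "processing ceased" confirmation within 15 days.

```python
"""Consent / opt-out ledger for NJDPA-style processing decisions (illustrative, not the page's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Purposes that need affirmative opt-in before any processing (sensitive data).
OPT_IN_PURPOSES = {"sensitive_data"}
# Purposes a universal opt-out signal switches off.
SIGNAL_PURPOSES = {"targeted_advertising", "sale"}
# Statutory outer bound for stopping processing after a revocation.
REVOCATION_DEADLINE = timedelta(days=15)


@dataclass(frozen=True)
class Event:
    consumer_id: str
    purpose: str
    action: str   # "consent", "revoke", "opt_out" are decisions; "ceased" is a status
    source: str   # e.g. "web_form", "gpc_header", "authorized_agent", "adtech_suppression"
    at: datetime


class ConsentLedger:
    """Append-only record; decisions are never edited, only superseded by later events."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def record(self, consumer_id: str, purpose: str, action: str, source: str, at: datetime) -> Event:
        ev = Event(consumer_id, purpose, action, source, at)
        self._events.append(ev)
        return ev

    def apply_request_headers(self, consumer_id: str, headers: dict, at: datetime) -> list[Event]:
        """Honor a universal opt-out signal in HTTP headers (assumed here to be GPC: 'Sec-GPC: 1')."""
        lowered = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
        if lowered.get("sec-gpc") != "1":
            return []
        return [self.record(consumer_id, p, "opt_out", "gpc_header", at) for p in sorted(SIGNAL_PURPOSES)]

    def _latest_decision(self, consumer_id: str, purpose: str):
        decisions = [e for e in self._events
                     if e.consumer_id == consumer_id and e.purpose == purpose and e.action != "ceased"]
        return decisions[-1] if decisions else None

    def may_process(self, consumer_id: str, purpose: str) -> bool:
        """Latest decision wins. Sensitive data: default deny. Ad/sale purposes: default allow unless opted out."""
        last = self._latest_decision(consumer_id, purpose)
        if purpose in OPT_IN_PURPOSES:
            return last is not None and last.action == "consent"
        return last is None or last.action == "consent"

    def overdue_revocations(self, now: datetime) -> list[Event]:
        """Revocations/opt-outs older than 15 days with no later 'ceased' (or fresh consent) on record."""
        overdue = []
        for i, e in enumerate(self._events):
            if e.action not in ("revoke", "opt_out"):
                continue
            resolved = any(c.consumer_id == e.consumer_id and c.purpose == e.purpose
                           and c.action in ("ceased", "consent") for c in self._events[i + 1:])
            if not resolved and now - e.at > REVOCATION_DEADLINE:
                overdue.append(e)
        return overdue


def demo() -> dict:
    """Constructed sample timeline; returns the decisions a caller would assert on."""
    led = ConsentLedger()
    t0 = datetime(2025, 8, 1, tzinfo=timezone.utc)
    # c-1 consents via a web form to marketing use of a health condition (sensitive data).
    led.record("c-1", "sensitive_data", "consent", "web_form", t0)
    # Next day c-1's browser sends a GPC signal (constructed headers).
    led.apply_request_headers("c-1", {"User-Agent": "x", "Sec-GPC": "1"}, t0 + timedelta(days=1))
    # c-1 then revokes the sensitive-data consent; nobody records that processing stopped.
    led.record("c-1", "sensitive_data", "revoke", "web_form", t0 + timedelta(days=2))
    # The ad-tech team confirms suppression of "sale" but forgets targeted advertising.
    led.record("c-1", "sale", "ceased", "adtech_suppression", t0 + timedelta(days=3))
    # c-2 visits with no signal at all.
    unsignaled = led.apply_request_headers("c-2", {"User-Agent": "x"}, t0)
    now = t0 + timedelta(days=30)
    return {
        "sale": led.may_process("c-1", "sale"),
        "targeted_advertising": led.may_process("c-1", "targeted_advertising"),
        "sensitive_data": led.may_process("c-1", "sensitive_data"),
        "overdue": [(e.purpose, e.action) for e in led.overdue_revocations(now)],
        "unsignaled_events": len(unsignaled),
        "c2_sale": led.may_process("c-2", "sale"),
        "c2_sensitive": led.may_process("c-2", "sensitive_data"),
    }


if __name__ == "__main__":
    print(demo())
```

The overdue list is the compliance‑relevant output: in the sample, the GPC opt‑out for targeted advertising and the sensitive‑data revocation both pass the 15‑day mark without a recorded "ceased" event, which is exactly the evidence a regulator would ask for. Keep the ledger separate from marketing systems and feed it from every intake channel (web forms, agent requests, header signals) so the traceability described above is one record, not several.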
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Data Protection Assessments Requirements
When Data Protection Impact Assessments are required
You must conduct and document a data protection assessment (DPA) before processing that presents a “heightened risk”: targeted advertising, the sale of personal data, processing sensitive data, and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or intrusion on privacy. Treat these as Data Protection Impact Assessments and complete them before launch and again upon material changes. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
What a DPA should cover
DPAs must weigh processing benefits against privacy risks to consumers, account for safeguards, de‑identification opportunities, reasonable consumer expectations, processing context, and your relationship with the consumer. Keep DPAs available for the Division of Consumer Affairs upon request; they are confidential and not subject to public inspection. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
HIPAA Compliance Integration
How the NJDPA aligns with the HIPAA Privacy Rule
PHI collected by HIPAA‑regulated covered entities and business associates is exempt from the NJDPA. HIPAA continues to govern how PHI is created, received, maintained, used, and disclosed, including patients’ rights under the HIPAA Privacy Rule. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
The 2026 “treated like PHI” expansion
Effective January 20, 2026, New Jersey also exempts certain non‑PHI when covered entities or business associates use or disclose it in accordance with HIPAA and apply HIPAA‑level safeguards. This is a data‑level exemption: non‑PHI outside those conditions can still be subject to the NJDPA. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2024/A5500/5017_R3.PDF?utm_source=openai))
Breach Notification Procedures
For PHI incidents (HIPAA)
After discovering a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 calendar days; for incidents affecting more than 500 residents of a state or jurisdiction, also notify prominent media outlets. Report every breach to HHS: within 60 days of discovery when 500 or more individuals are affected, or within 60 days after the end of the calendar year for smaller incidents, which must be logged in the meantime. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
For non‑PHI personal information (New Jersey law)
For breaches involving personal information under New Jersey’s Identity Theft Prevention Act, you must report the breach to the Division of State Police in the Department of Law and Public Safety before notifying affected residents. Consumer notices must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement; when more than 1,000 people are notified at one time, you must also notify the nationwide consumer reporting agencies. ([njconsumeraffairs.gov](https://www.njconsumeraffairs.gov/Statutes/Identity-Theft-Prevention-Act.pdf))
Coordinating with vendors
Under the NJDPA, processors must support controllers with security obligations and provide information needed for breach response and required assessments. Ensure business associate and data‑processing agreements delineate these duties. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
Conclusion
In practice, the NJDPA leaves HIPAA squarely in charge of PHI while pulling in non‑PHI consumer data when thresholds are met—now with an added carve‑out for non‑PHI handled “like PHI.” Solidify consent and opt‑out flows, maintain rigorous DPAs, and align breach playbooks with both HIPAA and New Jersey’s state‑level Breach Notification Requirements.
FAQs
What defines sensitive data under New Jersey law?
Sensitive data includes information revealing racial or ethnic origin; religious beliefs; a mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; citizenship or immigration status; status as transgender or non‑binary; genetic or biometric data that can uniquely identify a person; precise geolocation; certain financial credentials; and data collected from a known child. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
How do healthcare providers conduct data protection assessments?
Complete a documented Data Protection Impact Assessment before high‑risk processing (targeted advertising with meaningful risk, sale of personal data, or processing sensitive data). Evaluate benefits versus risks, applicable safeguards, de‑identification options, consumer expectations, and context. Keep assessments on file and ready for confidential review by the Division of Consumer Affairs. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))
What are consumer rights under the New Jersey Data Privacy Act?
Consumers can access, correct, delete, and port their data—and opt out of targeted advertising, sales, and certain profiling. You must answer a verified request within 45 days (extendable once by 45 days), provide an appeal process with a 45‑day decision window, and, as of July 15, 2025, honor universal opt‑out signals for targeted advertising and data sales. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/AL23/266_.PDF))
How does the law affect HIPAA compliance for providers?
HIPAA remains the controlling framework for PHI. The NJDPA exempts PHI and—since January 20, 2026—also exempts certain non‑PHI when a covered entity or business associate treats it like PHI in accordance with HIPAA. For PHI breaches, follow HIPAA’s Breach Notification Rule: individuals within 60 days of discovery, HHS within 60 days (or annually for incidents under 500 individuals), and prominent media when more than 500 residents of a state are affected. For non‑PHI personal information, follow New Jersey’s requirement to report to the State Police before sending consumer notice. ([pub.njleg.state.nj.us](https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R5.PDF))