How New Jersey’s HIPAA-based Exemptions Impact Privacy Compliance
On January 20, 2026, New Jersey enacted Assembly Bill A5017, amending the New Jersey Data Protection Act (NJDPA). The amendment, effective immediately, clarifies that certain non-protected health information (non-PHI) is exempt from the NJDPA when collected, used, or disclosed by covered entities or business associates and when treated in accordance with HIPAA’s privacy and security requirements.
New Jersey joins Colorado, Oregon, and Minnesota in adopting a data-level approach to HIPAA-based exemptions within comprehensive privacy laws. These laws do not provide blanket entity-wide exemptions for covered entities and business associates. Instead, exemptions apply only to specific data that meets defined criteria.
NJDPA HIPAA Exemption for Non-PHI: What Qualifies
Under the NJDPA amendment, non-PHI may be exempt if it is treated as protected health information (PHI) and, when used or disclosed, affords all applicable HIPAA privacy protections and security safeguards. This may include website technical data, analytics, or mobile application data that is not integrated into clinical care workflows, provided it is handled in accordance with HIPAA standards. The amendment also expands exclusions for insurance support organizations, certain human-subjects research data, and national securities associations.
The amendment, however, does not give businesses with separate entity designations, such as hybrid entities, or those in which only a fraction of the core business is subject to HIPAA, carte blanche to do as they please. Companies should carefully assess their business models and lines of business to determine whether and to what extent data-level HIPAA exemptions apply, because state comprehensive privacy laws may still govern certain data and activities.
What New Jersey Healthcare Organizations Should Do
- Conduct a data inventory to identify non-PHI data across digital platforms and operational systems, and determine whether it qualifies for exemption under the amended NJDPA.
- Assess whether non-PHI is consistently safeguarded in accordance with HIPAA privacy and security requirements, particularly within hybrid entities or mixed business lines.
- Document exemption determinations and update policies, procedures, and training to reflect how non-PHI is classified and protected.
Why Organizations in Other States Should Take Notice
Although the amendment applies directly to New Jersey, it reflects a broader regulatory pattern affecting healthcare IT vendors and provider organizations nationwide.
- States are increasingly adopting data-level HIPAA exemptions rather than blanket entity-wide exemptions, requiring analysis of how specific data categories are handled.
- Website analytics, marketing technologies, mobile applications, and consumer-facing tools may remain subject to state privacy laws if not treated in accordance with HIPAA safeguards.
- Multi-state organizations should review how HIPAA-based exemptions are structured in each jurisdiction and confirm that their data governance framework supports consistent compliance.
- Applying HIPAA-grade privacy and security controls more broadly may support compliance in states with similar exemption models.
While the NJDPA amendment directly changes obligations in New Jersey, it also illustrates how states are refining the relationship between HIPAA and comprehensive privacy laws. Healthcare organizations should evaluate their data classification, governance, and compliance practices to determine how state-specific privacy obligations apply to both PHI and non-PHI across jurisdictions.
FAQs
- What does the New Jersey law address?
  New Jersey amended its Data Protection Act (NJDPA) to exempt certain healthcare organizations from state privacy requirements if they manage specific data in compliance with HIPAA.
- Who does this apply to?
  This law applies to HIPAA-covered entities, such as hospitals, insurers, and healthcare providers, as well as their business associates, including vendors and contractors who handle health data on their behalf.
- What is PHI?
  Under the HIPAA Privacy and Security Rules, Protected Health Information (PHI) refers to any data related to a patient’s health, treatment, or payment that is collected in a clinical setting, such as medical records or billing information.
- What safeguards does HIPAA require for Protected Health Information?
  HIPAA requires covered entities and their business associates to implement appropriate safeguards to protect PHI and strictly limits its use or disclosure without a patient’s written authorization.
- What rights do patients have over their own health information?
  Patients have the right to access and review their health records, obtain copies, and request corrections if the information is inaccurate.
- What is non-PHI?
  Non-PHI includes data collected by healthcare organizations that is not clinical in nature, such as website analytics, mobile app usage data, or technical data unrelated to patient care. This type of information is typically not covered by HIPAA.
- What are hybrid entities?
  A hybrid entity is an organization that performs both functions covered by HIPAA and functions not covered by HIPAA. For example, a large university might operate a hospital (which is subject to HIPAA) alongside other departments such as human resources or admissions (which are not subject to HIPAA). In such cases, only the healthcare component of the organization must comply with HIPAA rules; the rest of the organization is not required to follow HIPAA.
PrivaPlan Associates is recognized as a leading HIPAA consulting company for a reason: because we have the tools, training, and support to keep you proactive in HIPAA compliance.