On January 20, 2026, the New Jersey Governor signed Assembly Bill A5017 (“Amendment”), amending the New Jersey Data Protection Act (“NJDPA”). The Amendment exempts data that is not protected health information (“non-PHI”) from the NJDPA when it is handled by covered entities or business associates in accordance with the privacy and security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). Examples of “non-PHI” may include website technical and analytics data or mobile application data that is not integrated into clinical care workflows.
The Amendment takes effect immediately. In addition to the HIPAA-related exemption, it expands existing exclusions for insurance support organizations and for personal data processed in connection with certain human subjects research, and it adds a new exemption for national securities associations.
Aligning With Other State Laws
With this Amendment, New Jersey joins Colorado, Oregon, and Minnesota as states with comprehensive privacy laws that do not provide blanket, entity-level exemptions for covered entities and business associates, but instead exempt some non-PHI collected by certain healthcare entities, provided such non-PHI is treated as PHI or is “intermingled so as to be indistinguishable from” PHI.
In practical terms, the Amendment means that covered entities and certain business associates in New Jersey may exclude non-PHI from New Jersey privacy law obligations, so long as the non-PHI is “treated like protected health information…when the information is used or disclosed in accordance with HIPAA and the information is afforded all the privacy protections and security safeguards of the federal laws and implementing regulations under HIPAA.” However, businesses that have separate entity designations, such as hybrid entities, or businesses where only a fraction of the core business is subject to HIPAA, should not see this Amendment or similar state laws as a “get out of jail free” card. Companies should carefully assess their business models and lines of business to determine whether, and to what extent, data-level HIPAA exemptions apply, as state comprehensive privacy laws may still govern certain data and activities.
Key Takeaways for Healthcare Organizations
• HIPAA compliance can extend beyond PHI. In New Jersey and a few other states, non-PHI collected by covered entities and business associates may fall outside state comprehensive privacy laws if it is treated as if it were PHI.
• The exemption is data-specific, not entity-wide. Covered entities and business associates are not fully exempt from the NJDPA; the exemption depends on how non-PHI is collected and handled.
• This is not a “get out of jail free” card. The Amendment’s exemption may not cover businesses whose handling of PHI is incidental rather than central to their operations. Organizations should review their core business activities to determine which non-PHI may be exempt and which may not.
• State law requirements continue to vary. Healthcare organizations operating across multiple states should reassess how HIPAA-based exemptions apply under each applicable privacy law.
For more information on privacy and cybersecurity obligations affecting healthcare organizations, please contact Alston & Bird’s Privacy, Cyber, and Data Strategy Team or Health Care Team, and sign up for alerts at AlstonPrivacy.com.
