Complying with New Jersey Bill 332 involves three major requirements. First, affected healthcare companies must notify their patients about the types of data being processed, the purpose for processing, and their rights. Second, they must give patients the ability to opt out of any targeted advertising or legal profiling. Lastly, they must give consumers a way to verify, correct, delete, or obtain a copy of their data.
Ensuring Compliance with New Jersey Bill 332
A platform that notifies users, allows them to opt out of data processing, and enables them to manage their data
Regulatory compliance with New Jersey Bill 332 and enhanced patient privacy
In order to comply with Bill 332 in New Jersey, organizations need a way to:
Let's address how we solve each of these requirements with Salesforce.
We can easily notify patients using a multi-channel, single-send journey in Marketing Cloud. This journey is simple yet versatile, giving us the option to reach patients through email and direct mail, depending on their communication preference. Additionally, the direct mail option serves as a fallback for patients that don't have an email address on file.
We've leveraged third-party add-ons for this functionality, such as PFL or JourneyMail. These ISV vendors integrate into Marketing Cloud to provide on-demand print and mail triggers.
In both channels, we include five essential components in the message:
If these components need to vary for each patient, don't worry. Our Dynamic Content feature in Marketing Cloud allows you to customize individual messages at scale, making sure each patient receives the right information.
To ensure compliance, configure reports that demonstrate proper patient notification. Let us handle the technical side so you can focus on keeping your patients informed and satisfied.
Opt-out is essentially a preference center use case. At the very least, most healthcare companies already have an email unsubscribe page. The idea behind Bill 332 is that patients must also have the ability to opt out of the (1) sale or (2) processing of personal data.
We achieve this by adding two additional fields to our preference page. We want to provide multiple options – if you only include one opt-out option, you could force patients to opt out of everything, including impactful email marketing campaigns. The two fields we need to add are:
We can then add a link to this updated preference page in the notification email we created in the step above.
The third compliance requirement, which gives patients the means to edit, delete, or update their data, could be the most complex.
In a perfect world, you could create an automation that would export a patient's data on request and send it via a secure channel. However, the reality is that these requests have historically been rare, even under similar laws like CPRA. Additionally, Bill 332 gives organizations a 45-day window to fulfill consumer requests, so it's very reasonable to do it manually.
For this use case, we recommend creating a form with an email address field and a multi-select field that contains four options:
Form fills then trigger a task or case in Salesforce Health Cloud or Salesforce Sales Cloud, so that your operations team can work directly with the patient to fulfill their request within the 45-day deadline.