The Nevada legislature recently passed Senate Bill 370 (“Nevada’s Consumer Health Data Privacy Law”) aiming to impose broad requirements on collecting, using, and selling consumer health information. Nevada joins Washington and Connecticut with its own consumer health data privacy law. Here are six things to know about Nevada’s new law, including next steps for your privacy compliance program.
- Who Is Regulated?
Nevada’s Consumer Health Data Privacy Law applies to a “Regulated Entity,” which is any person who:
- Conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and
- Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.
Similar to Washington’s My Health My Data law, Nevada’s Consumer Health Data Privacy Law does not exempt nonprofits. It does, however, include several entity-level exclusions, including for persons or entities subject to HIPAA and the GLBA.
- What Data Is Covered?
Nevada’s Consumer Health Data Privacy Law applies to all “consumer health data.”
Consumer health data is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a Regulated Entity uses to identify the past, present, or future health status of the consumer.” This includes:
- Information relating to:
  - Any health condition or status, disease, or diagnosis.
  - Social, psychological, behavioral, or medical interventions.
  - Surgeries or other health-related procedures.
  - The use or acquisition of medication.
  - Bodily functions, vital signs, or symptoms.
  - Reproductive or sexual health care.
  - Gender-affirming care.
- Biometric data or genetic data related to information described above.
- Information related to the precise geolocation information of a consumer that a Regulated Entity uses to indicate an attempt by a consumer to receive health care services or products.
- Any information described above that is derived or extrapolated from information that is not consumer health data, including proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means.
Notably, consumer health data does not include information that is:
- Used to provide access to or enable gameplay on a video game platform or
- Used to identify the shopping habits or interests of a consumer, if that information is not used to identify the consumer’s past, present, or future health status.
Additionally, the law exempts certain information, including information governed by FCRA, FERPA, processed by any governmental entity, or information that is collected or shared as expressly authorized by a provision of federal or state law. It also exempts deidentified data.
Lastly, the Nevada law defines “consumer” to include not only residents of Nevada, but also individuals whose consumer health data is collected (i.e., bought, rented, accessed, retained, received, acquired, inferred, derived, or otherwise processed in any manner) in Nevada. The law explicitly excludes from the definition of consumer individuals acting in an employment context or as agents of a governmental entity.
- What Are the Obligations for Regulated Entities?
- Maintain a Health Data Privacy Policy. The law requires Regulated Entities to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously states:
  - Categories of consumer health data being collected by the Regulated Entity and the manner in which the consumer health data will be used.
  - Categories of sources from which consumer health data is collected.
  - Categories of consumer health data that are shared by the Regulated Entity.
  - Categories of third parties and affiliates with whom the Regulated Entity shares consumer health data.
  - The purposes of collecting, using, and sharing consumer health data.
  - The manner in which consumer health data will be processed.
  - How consumers can exercise the rights granted under the law.
  - The process, if any, for a consumer to review and request changes to any of their consumer health data that is collected by the Regulated Entity.
  - The process by which the Regulated Entity will notify consumers of material changes to the privacy policy.
  - Whether a third party may collect consumer health data over time and across different websites or online services when the consumer uses any website or online service of the Regulated Entity.
  - The effective date of the privacy policy.
A Regulated Entity must post the notice on its website or otherwise provide the policy to consumers in a manner that is clear and conspicuous.
- Acquire Consent to Collect or Share Consumer Health Data in Certain Circumstances. Regulated Entities are required to obtain consumers’ affirmative and voluntary consent before collecting or sharing consumer health data. Importantly, the consent to share consumer health data must be obtained separately from the consent to collect consumer health data and include the prescribed information under the statute. However, Regulated Entities may collect and share consumer health data without consent to the extent necessary to provide their product or service that the consumer has requested from the Regulated Entity. In addition, Regulated Entities may also share consumer health data where otherwise required or authorized by law.
- Acquire Written Authorization to Sell Consumer Health Data. A person must obtain written authorization from the consumer before selling or offering to sell their health data.
- Restrict Access to Consumer Health Data. A Regulated Entity can only authorize the employees and processors of the Regulated Entity to access consumer health data where it is reasonably necessary to:
  - Further the purpose for which the consumer consented to the collection and sharing of their health data.
  - Provide a product or service that the consumer has requested from the Regulated Entity.
- Implement Security Practices. Regulated Entities are required to establish, implement, and maintain policies and practices for the administrative, technical, and physical security of consumer health data.
- Grant Consumer Requests. Upon request, Regulated Entities must:
  - Confirm whether the Regulated Entity collects, shares, or sells consumer health data concerning the consumer.
  - Provide the consumer with a list of third parties with whom the Regulated Entity has shared or to whom the Regulated Entity has sold consumer health data relating to the consumer.
  - Cease collecting, sharing, or selling consumer health data relating to the consumer.
  - Delete consumer health data concerning the consumer.
Regulated Entities must establish a process to allow consumers to make these requests and appeal denials.
- Written Contract Between Regulated Entity and Processor. Processors may only process consumer health data pursuant to a contract between the processor and a Regulated Entity.
- Prohibit the Use of Geofences. Even with consumer consent, the Nevada law prohibits a person from geofencing within 1,750 feet of any person or entity that provides in-person health care services or products for the following purposes:
  - Identifying or tracking consumers seeking in-person health care services or products.
  - Collecting consumer health data.
  - Sending notifications, messages, or advertisements to consumers related to their consumer health data or health care services or products.
Unlike Washington’s My Health My Data, there is no early effective date for this prohibition. It goes into effect with all other provisions of Nevada’s Consumer Health Data Privacy Law.
- When Does Nevada’s Consumer Health Data Privacy Law Go Into Effect?
The law will go into effect on March 31, 2024. Unlike Washington’s My Health My Data, there is no delayed effective date for small businesses.
- How Will Nevada’s Consumer Health Data Privacy Law Be Enforced?
Importantly, the law does not create a private right of action. Except in narrow circumstances applicable to processors, violations constitute a deceptive trade practice under the Nevada Consumer Protection Act (“NCPA”). Nevada’s Attorney General may seek injunctive relief and monetary damages for violations of the law.
- What Should Companies Consider Doing?
- Determine whether you are within the scope of the law. Companies should understand the full extent of their activities and know whether they fall within the scope of the law.
- Identify whether you are collecting consumer health data. Because the term “consumer health data” is expansive, many businesses that are not traditionally health care focused or considered health care companies may be collecting covered data.
- Stop using geofences. Companies should assess and be ready to terminate their use of geofencing where applicable on the law’s effective date.
- Build a compliance program. Begin addressing the obligations by:
  - Developing and maintaining a health data privacy policy.
  - Implementing necessary just-in-time notices and prior opt-in consent to certain collection and sharing of consumer health data.
  - Updating any third-party agreements (including data processing agreements) where necessary.
  - Building up internal processes to respond to and grant consumer privacy rights requests.