On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.

The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws.

Nevada’s law becomes operative on March 31, 2024.

To what entities does the law apply?

SB 370 applies to any person that:

  • Conducts business in Nevada or produces or provides products or services that are targeted at consumers in Nevada; and,
  • Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.

The law includes a long list of exceptions, including exclusions for:

  • any person or entity subject to the Health Insurance Portability and Accountability Act (HIPAA), and
  • a financial institution or affiliate that is subject to the provisions of the Gramm-Leach-Bliley Act.

Who is protected by the law?

SB 370 protects “consumers” – natural persons who have requested a product or service from a regulated business and who reside in the state of Nevada or whose health information is collected in Nevada. The law does not extend to natural persons acting in an employment context or as an agent of a governmental entity.

What data is protected by the law?

Consumer health data is protected under the law. This is defined as personal information that is linked or reasonably capable of being linked to a consumer which the covered business uses to identify the past, present, or future health status of the consumer. Consumer health data includes:

  • Any health condition or status, disease, or diagnosis
  • Social psychological, behavioral, or medical intervention
  • Surgeries or health-related procedures
  • The use or acquisition of medication
  • Bodily functions, vital signs, or symptoms
  • Reproductive or sexual health care
  • Gender-affirming care
  • Biometric or genetic data

The law does not cover information used for certain research, public health, or health data shared pursuant to federal or state law.

What are the rights of consumers?

Similar to the California Consumer Privacy Act and the growing array of consumer privacy laws enacted in several states, consumers have certain rights under SB 370 concerning their consumer health information, such as:

  • The right to confirm whether a covered business is collecting, sharing, or selling their health data.
  • The right to access a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • The right to request the business stop collection, sharing, or selling of the consumer’s health data.
  • The right to delete their health data.

What obligations do businesses have?

Below is a non-exhaustive list of obligations covered businesses have under SB 370.

Covered businesses must obtain affirmative voluntary consent when collecting and sharing consumer health data, except to the extent it is necessary to provide a product or service that the consumer has requested from the business. The covered business also may share consumer health information without consent when required by law.

Covered businesses shall upon request by a consumer:

  • Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data.
  • Provide the consumer with a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • Cease collection, sharing, or selling of the consumer’s health data.
  • Delete the consumer’s health data.

Responses to requests must be made without undue delay but no later than 45 days after the business authenticates the request. Note that under some other laws, such as Washington’s My Health, My Data Act, and the CCPA, the 45-day clock starts to run from the date the request is received, not when it is authenticated.

Covered businesses also are required to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes:

  • The categories of consumer health data being collected and the manner in which it will be used.
  • The categories of sources from which the health data is collected
  • The categories of third parties and affiliates with whom the covered business shares health data.
  • The manner in which health data will be processed.
  • The procedure for submitting a request
  • The process by which a consumer can review and request changes to their health data
  • The way the business will notify consumers of changes to its privacy policy
  • Whether a third party may collect health data from the business
  • The effective date of the privacy policy

The business must conspicuously post a link to its policy on its main internet website or otherwise provide the policy to consumers in a manner that is clear and conspicuous. These website policy requirements across several states and countries are adding significant complexity to the compliance obligations of covered businesses.

Employees and processors of the covered business may be permitted to access consumer health information only where reasonably necessary (i) to further the purpose for which the consumer consented to the collection or sharing of the information, or (ii) to provide a product or service that the consumer requested.

Covered businesses also are required to establish, implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data.

In addition, covered businesses may not establish a geofence within 1,750 feet of any medical facility for the purposes of identifying or tracking consumers seeking in-person health care, collecting health data, and sending notifications. 

How is the law enforced?

The new law provides for enforcement by the Nevada Attorney General. There is no private right of action.

For additional information on Nevada’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.