On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.
Nevada’s law becomes operative on March 31, 2024.
To what entities does the law apply?
SB 370 applies to any person that:
- Conducts business in Nevada or produces or provides products or services that are targeted at consumers in Nevada; and,
- Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.
The law includes a long list of exceptions, including exclusions for:
- any person or entity subject to the Health Insurance Portability and Accountability Act (HIPAA), and
- a financial institution or affiliate that is subject to the provisions of the Gramm-Leach-Bliley Act.
Who is protected by the law?
SB 370 protects “consumers” – natural persons who have requested a product or service from a regulated business and who reside in the state of Nevada or whose health information is collected in Nevada. The law does not extend to natural persons acting in an employment context or as an agent of a governmental entity.
What data is protected by the law?
Consumer health data is protected under the law. This is defined as personal information that is linked or reasonably capable of being linked to a consumer and that the covered business uses to identify the past, present, or future health status of the consumer. Consumer health data includes:
- Any health condition or status, disease, or diagnosis
- Social, psychological, behavioral, or medical intervention
- Surgeries or health-related procedures
- The use or acquisition of medication
- Bodily functions, vital signs, or symptoms
- Reproductive or sexual health care
- Gender-affirming care
- Biometric or genetic data
The law does not cover information used for certain research or public health purposes, or health data shared pursuant to federal or state law.
What are the rights of consumers?
Similar to the California Consumer Privacy Act (CCPA) and the growing array of consumer privacy laws enacted in other states, SB 370 gives consumers certain rights concerning their consumer health data, such as:
- The right to confirm whether a covered business is collecting, sharing, or selling their health data.
- The right to access a list of all third parties with whom the business has shared or sold the consumer’s health data.
- The right to request the business stop collection, sharing, or selling of the consumer’s health data.
- The right to delete their health data.
What obligations do businesses have?
Below is a non-exhaustive list of obligations covered businesses have under SB 370.
Covered businesses must obtain affirmative, voluntary consent before collecting or sharing consumer health data, except to the extent the collection or sharing is necessary to provide a product or service that the consumer has requested from the business. A covered business also may share consumer health data without consent when required by law.
Covered businesses shall upon request by a consumer:
- Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data.
- Provide the consumer with a list of all third parties with whom the business has shared or sold the consumer’s health data.
- Cease collection, sharing, or selling of the consumer’s health data.
- Delete the consumer’s health data.
Responses to requests must be made without undue delay but no later than 45 days after the business authenticates the request. Note that under some other laws, such as Washington’s My Health, My Data Act, and the CCPA, the 45-day clock starts to run from the date the request is received, not when it is authenticated.
Covered businesses also are required to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes:
- The categories of consumer health data being collected and the manner in which it will be used.
- The categories of sources from which the health data is collected.
- The categories of third parties and affiliates with whom the covered business shares health data.
- The manner in which health data will be processed.
- The procedure for submitting a request.
- The process by which a consumer can review and request changes to their health data.
- Whether a third party may collect health data from the business.
The business must conspicuously post a link to its policy on its main internet website or otherwise provide the policy to consumers in a manner that is clear and conspicuous. These website policy requirements across several states and countries are adding significant complexity to the compliance obligations of covered businesses.
Employees and processors of the covered business may be permitted to access consumer health data only where reasonably necessary (i) to further the purpose for which the consumer consented to the collection or sharing of the data, or (ii) to provide a product or service that the consumer requested.
Covered businesses also are required to establish, implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data.
In addition, covered businesses may not establish a geofence within 1,750 feet of any medical facility for the purpose of identifying or tracking consumers seeking in-person health care, collecting consumer health data, or sending notifications to consumers related to their health data or health care.
How is the law enforced?
The new law provides for enforcement by the Nevada Attorney General. There is no private right of action.
For additional information on Nevada’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.