You may have heard of Washington’s My Health, My Data Act (MHMD), but what about Nevada’s health privacy law (Senate Bill 370)? Although Washington’s law has been getting the majority of press coverage, on June 16, 2023, Nevada enacted a health privacy law that may have implications for businesses operating within the state. While there are important differences between the two laws, both protect consumer health data and can impose restrictions on a business operating within the state regardless of revenue thresholds or the number of consumers’ data it processes.[1] If your business works with health data in Nevada, there are important steps you may need to take to ensure compliance.
Scope and Applicability
Nevada’s health privacy law goes into effect on March 31, 2024.[2] The law generally covers consumer health data, which is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.”[3]
Importantly, the definition requires that the data be used to identify the health status of the consumer, which gives it a much narrower scope compared to Washington’s law.[4] Additionally, some organizations as a whole fall outside of the reach of the law, including any person or entity subject to HIPAA or the GLBA. As is the case with Washington’s law, nonprofits are generally not exempt.
If an organization: (1) conducts business or targets consumers in Nevada; and (2) alone or with others determines the purpose and means of processing, sharing, or selling consumer health data, the organization is considered a “regulated entity” under the law.[5] Among other obligations, regulated entities are required to provide a consumer health data privacy notice with specific disclosures, limit their use of consumer health data, and honor certain consumer rights.
Section 21 of the Nevada health privacy law mandates that regulated entities publish a consumer health data privacy notice, which must include:
- a description of processing, including the purposes of processing;
- how to submit a request to exercise consumer rights;
- the effective date of the notice and how consumers will be notified of material changes;
- the categories of: (1) consumer health data being collected, (2) sources of the data, (3) data that will be shared with third parties, and (4) third parties that will receive the data;
- a description of the process, if one exists, for a consumer to review and request changes to their data; and
- whether third parties collect consumer health data over time and across different websites or services when the consumer uses the website or service of the regulated entity.[6]
If your company is already working on a privacy notice for the MHMD, you will meet most of these requirements. However, the disclosure regarding whether third parties collect consumer health data over time and across different services is unique to Nevada’s law.
Use of Consumer Health Data
There are only two potential bases for a company to collect consumer health data under the law: (1) where the consumer has consented; or (2) when necessary to provide a product or service that the consumer requested.[7]
If regulated entities want to share or sell consumer health data, additional requirements apply under Sections 22(2) and 30, respectively. A regulated entity can only share consumer health data: (1) if the consumer has consented (separately from consent for collection); (2) when necessary to provide a product or service that the consumer requested; or (3) if otherwise required or permitted by law. Selling or offering to sell consumer health data brings in another layer—a written authorization from the consumer is required. The written authorization has additional specific requirements above basic consent, can be withdrawn at any time, expires after one year, and must be retained for six years.
The Nevada health privacy law also includes provisions that most companies are familiar with from navigating U.S. state privacy laws and the GDPR, including obligations to enter into contracts with processors, limit access to data, and maintain appropriate security measures.
Data Subject Rights
Nevada’s health privacy law includes specific rights for consumers. Upon request from a consumer, a regulated entity must:
(1) confirm whether it is collecting, sharing, or selling the consumer’s health data;
(2) provide a list of all third parties with whom the consumer’s health data has been shared or to whom it has been sold;
(3) stop collecting, sharing, or selling the consumer’s health data; and
(4) delete the consumer’s health data.[8]
It’s noteworthy that, in contrast to Washington’s MHMD, Nevada’s legislation does not grant consumers the right to access their data. However, if an entity allows the consumer to review or request changes to their data, the process must be described in the privacy notice.
As is common in the growing field of U.S. state privacy laws, companies generally have 45 days to respond to requests from data subjects to exercise their rights.[9] However, for deletion requests, a regulated entity must delete data and notify any third parties that have received data that is subject to the request within 30 days of authenticating the request.[10] The law helps to ease a common issue with deletion requests by explicitly addressing data that is contained in backups: deletion can be delayed for up to two years.[11]
In addition to the above, regulated entities must also create and provide information regarding the right to appeal a denial of a request.[12]
If a company breaches the terms of Nevada’s health privacy law, it will constitute a deceptive trade practice, which can bring fines, restitution, and injunctive relief.[13] Because violations constitute deceptive trade practices, the law will be enforced by the Nevada Attorney General.[14]
In contrast to Washington’s MHMD, there is no private right of action, i.e., consumers can’t directly sue a regulated entity for violating the law.[15]
It is important to understand all of the data your company may be using and carefully consider whether the Nevada health privacy law applies. If it does, your company will need to take the steps outlined above to ensure compliance before the law goes into effect in 2024.
Compliance takes time and effort, but doing so ensures your company builds consumer trust, reduces risk, and protects its reputation. VeraSafe’s team of experienced privacy and data protection advisors can help you navigate the complex network of privacy laws to reach these goals, whether your needs are limited to Nevada, the United States, or span continents. Contact us today at [email protected] to schedule a free consultation.
Many comprehensive U.S. state privacy laws only apply if a business meets certain revenue requirements or is processing the personal data of a certain number of people within the state. For more information on recent U.S. state privacy laws, see VeraSafe’s blog post “U.S. Privacy Laws Coming Into Effect in 2023.”
SB370 Sec. 36.
SB370 Sec. 8. The full text of the definition in the law also provides a non-exhaustive list of such data, including, but not limited to, medical information, biometric data, geolocation data indicating an attempt to receive health care services or products, and any of the above that is derived or extrapolated from information that on its own does not constitute consumer health data.
If data is not used to identify the health status of a consumer, then it appears to be outside the scope of the law. However, no details regarding the boundaries of what constitutes “use to identify the health status of the consumer” are provided, so a more conservative approach is to treat borderline situations as subject to the law.
SB370 Sec. 15. Despite this broad definition, the law does not apply to certain types of organizations, like entities regulated under HIPAA, financial institutions regulated under the Gramm-Leach-Bliley Act, and law enforcement agencies, or information regulated under other laws, such as the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act. SB370 Sec. 20.
SB370 Sec. 22.
SB370 Sec. 24.
SB370 Sec. 25.
SB370 Sec. 26.
SB370 Sec. 26.
SB370 Sec. 27.
SB370 Sec. 34; Nev. Rev. Stat. Ch. 598 (regulating deceptive trade practices).
SB370 Sec. 34; Nev. Rev. Stat. Ch. 598.
SB370 Sec. 34.