Nevada’s New Consumer Health Data Privacy Law: 6 Things to Know

7 minute read | July.13.2023

The Nevada legislature recently passed Senate Bill 370 (“Nevada’s Consumer Health Data Privacy Law”) aiming to impose broad requirements on collecting, using, and selling consumer health information. Nevada joins Washington and Connecticut with its own consumer health data privacy law. Here are six things to know about Nevada’s new law, including next steps for your privacy compliance program.

Who Is Regulated?
Nevada’s Consumer Health Data Privacy Law applies to a “Regulated Entity,” which is any person who:
- Conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and
- Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.
Similar to Washington’s My Health My Data law, Nevada’s Consumer Data Health Privacy Law does not exempt nonprofits. It does, however, include several entity-level exclusions, including for persons or entities subject to HIPAA and the GLBA.
What Data Is Covered?
Nevada’s Consumer Health Data Privacy Law applies to all “consumer health data.”

Consumer health data is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a Regulated Entity uses to identify the past, present, or future health status of the consumer.” This includes:
- Information relating to:
  - Any health condition or status, disease, or diagnosis.
  - Social, psychological, behavioral, or medical interventions.
  - Surgeries or other health-related procedures.
  - The use or acquisition of medication.
  - Bodily functions, vital signs, or symptoms.
  - Reproductive or sexual health care.
  - Gender-affirming care.
- Biometric data or genetic data related to information described above.
- Information related to the precise geolocation information of a consumer that a Regulated Entity uses to indicate an attempt by a consumer to receive health care services or products.
- Any information described above that is derived or extrapolated from information that is not consumer health data, including proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means.
Notably, consumer health data does not include information that is:
- Used to provide access to or enable gameplay on a video game platform or
- Used to identify the shopping habits or interests of a consumer, if that information is not used to identify the consumer’s past, present, or future health status.
Additionally, the law exempts certain information, including information governed by FCRA, FERPA, processed by any governmental entity, or information that is collected or shared as expressly authorized by a provision of federal or state law. It also exempts deidentified data.

Lastly, the Nevada law defines “consumer” to include not only residents of Nevada that have requested a product or service from a Regulated Entity, but also individuals whose consumer health data is collected (i.e., bought, rented, accessed, retained, received, acquired, inferred, derived, or otherwise processed in any manner) in Nevada. The law explicitly excludes from the definition of consumer individuals acting in an employment context or as agents of a governmental entity.
What Are the Obligations for Regulated Entities?
- Maintain a Health Data Privacy Policy. The law requires Regulated Entities to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously states:
  - Categories of consumer health data being collected by the Regulated Entity and the manner in which the consumer health data will be used.
  - Categories of sources from which consumer health data is collected.
  - Categories of consumer health data that are shared by the Regulated Entity.
  - Categories of consumer health data that are shared by the Regulated Entity.
  - Categories of third parties and affiliates with whom the Regulated Entity shares consumer health data.
  - The purposes of collecting, using, and sharing consumer health data.
  - The manner in which consumer health data will be processed.
  - How consumers can exercise the rights granted under the law.
  - The process, if any, for a consumer to review and request changes to any of their consumer health data that is collected by the Regulated Entity.
  - The process by which the Regulated Entity will notify consumers of material changes to the privacy policy.
  - Whether a third party may collect consumer health data over time and across different websites or online services when the consumer uses any website or online service of the Regulated Entity.
  - The effective date of the privacy policy.
  A Regulated Entity must post the notice on its website or otherwise provide the policy to consumers in a manner that is clear and conspicuous.
- Acquire Consent to Collect or Share Consumer Health Data in Certain Circumstances. Regulated Entities are required to obtain consumers’ affirmative and voluntary consent before collecting or sharing consumer health data. Importantly, the consent to share consumer health data must be obtained separately from the consent to collect consumer health data and include the prescribed information under the statute. However, Regulated Entities may collect and share consumer health data without consent to the extent necessary to provide their product or service that the consumer has requested from the Regulated Entity. In addition, Regulated Entities may also share consumer health data where otherwise required or authorized by law.
- Acquire Written Authorization to Sell Consumer Health Data. A person must obtain written authorization from the consumer before selling or offering to sell their health data.
- Restrict Access to Consumer Health Data. A Regulated Entity can only authorize the employees and processors of the Regulated Entity to access consumer health data where it is reasonably necessary to:
  - Further the purpose for which the consumer consented to the collection and sharing of their health data.
  - Provide a product or service that the consumer has requested from the Regulated Entity.
- Implement Security Practices. Regulated Entities are required to establish, implement, and maintain policies and practices for the administrative, technical, and physical security of consumer health data.
- Grant Consumer Requests. Upon request, Regulated Entities must:
  - Confirm whether the Regulated Entity collects, shares, or sells consumer health data concerning the consumer.
  - Provide the consumer with a list of third parties with whom the Regulated Entity has shared or to whom the Regulated Entity has sold consumer health data relating to the consumer.
  - Cease collecting, sharing, or selling consumer health data relating to the consumer.
  - Delete consumer health data concerning the consumer.
  Regulated Entities must establish a process to allow consumers to make these requests and appeal denials.
- Written Contract Between Regulated Entity and Processor. Processors may only process consumer health data pursuant to a contract between the processor and a Regulated Entity.
- Prohibit the Use of Geofences. Even with consumer consent, the Nevada law prohibits a person from geofencing within 1,750 feet of any person or entity that provides in-person health care services or products for the following purposes:
  - Identifying or tracking consumers seeking in-person health care services or products.
  - Collecting consumer health data.
  - Sending notifications, messages, or advertisements to consumers related to their consumer health data or health care services or products.
  Unlike Washington’s My Health My Data, there is no early effective date for this prohibition. It goes into effect with all other provisions of Nevada’s Consumer Health Data Privacy Law.
When Does Nevada’s Consumer Health Data Privacy Law Go Into Effect?

The law will go into effect on March 31, 2024. Unlike Washington’s My Health My Data, there is no delayed effective date for small businesses.
How Will Nevada’s Consumer Health Data Privacy Law Be Enforced?

Importantly, the law does not create a private right of action. Except in narrow circumstances applicable to processors, violations constitute a deceptive trade practice under the Nevada Consumer Protection Act (“NCPA”). Nevada’s Attorney General may seek injunctive relief and monetary damages for violations of the law.
What Should Companies Consider Doing?
- Determine whether you are within the scope of the law. Companies should understand the full extent of their activities and know whether they fall within the scope of the law.
- Identify whether you are collecting consumer health data. Because the term “consumer health data” is expansive, many businesses that are not traditionally health care focused or considered health care companies may be collecting covered data.
- Stop using geofences. Companies should assess and be ready to terminate their use of geofencing where applicable on the law’s effective date.
- Build a compliance program. Begin addressing the obligations by:
  - Developing and maintaining a health data privacy policy.
  - Implementing necessary just-in-time notices and prior opt-in consent to certain collection and sharing of consumer health data.
  - Updating any third-party agreements (including data processing agreements) where necessary.
  - Building up internal processes to respond to and grant consumer privacy rights requests.

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.

Michaela Frai Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 617 880 2248
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Michaela Frai Associate

New York

Michaela helps clients build global privacy programs and advises on United States (U.S.) state and federal consumer privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act. Her work also includes counseling on compliance with the General Data Protection Regulation (GDPR).