ADCG Explainer: Nevada’s New Health Data Privacy Law
Last month, the Nevada state legislature passed an amended version of Senate Bill 370, a health data privacy bill which, if signed into law by Nevada Governor Joe Lombardo, would impose requirements on the collection, use, and sale of consumer health data. Here is how to navigate the pending law:
Applicability
SB 370 applies to regulated entities: any organization that conducts business in Nevada, or that produces or provides products or services targeted to consumers in Nevada.
A consumer under the Bill is any “natural person who has requested a product or service from a regulated entity and who resides in [Nevada] or whose consumer health data is collected in [Nevada].” Notably, the definition of consumer excludes any person who is “acting in an employment context or as an agent of a governmental entity.”
Consumer health data is defined under the Bill as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.” This includes information that relates to:
Any health condition or status, disease or diagnosis
Social, psychological, behavioral or medical interventions
Surgeries or other health-related procedures
The use or acquisition of medication
Bodily functions, vital signs or symptoms
Reproductive or sexual health care
Gender-affirming care
Geolocation data that a regulated entity would use to determine whether a consumer has attempted to obtain goods and services
Biometric data or genetic data
Health-related information that is derived from non-health data, including data derived through an algorithm, machine learning or any other means
The definition of consumer health data does not, however, include information that is used to:
“Provide access to or enable gameplay by a person on a video game platform”
“Identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present or future health status of the consumer.”
This definition of consumer health data is comparable to that contained in the Washington My Health My Data Act. Like Nevada's SB 370, the My Health My Data Act applies only to data which "identifies the consumer's past, present, or future physical or mental health status." SB 370, however, is framed around the data which "a regulated entity uses to identify the past, present or future health status of the consumer" (emphasis added), so the scope turns on how the regulated entity actually uses the data rather than solely on what the data inherently reveals.
Regulated Entity Requirements
SB 370 requires regulated entities to develop and maintain a privacy policy governing consumer health data that “clearly and conspicuously” establishes:
The categories of:
Consumer health data that they will collect and the way it will be used
Sources from which consumer health data is collected
Consumer health data that they will share
Third parties and affiliates who will receive the consumer health data
The purpose for “collecting, using and sharing” the consumer health data
The manner in which the consumer health data is processed
The procedure for submitting a consumer request under SB 370
The process, if established by the organization, for a consumer to review and request changes to consumer health data maintained by the regulated entity
The notification process for material changes to the privacy policy
If “a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity”
The effective date of the privacy policy
Importantly, a regulated entity may not collect or share a consumer’s consumer health data without first receiving “affirmative, voluntary consent” from the consumer, unless the collection or sharing is necessary to provide the consumer with the product or service requested. Additionally, consent for collection and sharing must be “separate and distinct” for each processing activity.
Further, upon a request from a consumer, a regulated entity is required to:
Confirm whether they’re “collecting, sharing or selling” the consumer’s consumer health data
Provide the consumer with a list of all third parties who have received the consumer's consumer health data
Stop “collecting, sharing or selling” the consumer’s consumer health data
Delete a consumer’s consumer health data
Regulated entities are also required to implement various safeguards for a consumer's consumer health data, such as:
Limiting access to the data to those persons in the organization for whom access is necessary to provide the requested product or service
Establishing and maintaining "policies and practices for the administrative, technical and physical security of consumer health data"
Limiting data processor access to processors that have entered into a contract with the regulated entity
Not implementing a "geofence" near health care facilities to identify or track "consumers seeking in-person health care services or products," to collect consumer health data, or to send notifications, messages or advertisements to consumers
Enforcement
Violations of SB 370 will be deemed a “deceptive trade practice” under Nevada law. Unlike the My Health My Data Act, there is no private right of action given to consumers under SB 370.
If signed into law, SB 370 will go into effect on March 31, 2024, which is also the effective date of many of the provisions of the My Health My Data Act. As such, organizations that would be covered under SB 370 should begin reviewing their privacy policies and considering the steps necessary to achieve compliance with the bill.
* * * * * * *
To read our news alerts discussing the EU-U.S. Data Privacy Framework, the Ireland DPA’s new powers, stronger GDPR Enforcement rules, and a lawsuit against OpenAI, click here.
This week’s breach report covers the following organizations: NYC Department of Education, UCLA, The Department of Health and Human Services, and the U.S. Patents and Trademarks Office. Click here to find out more.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
92 | Interview With Tom Kemp, Silicon Valley Privacy Advocate and Author of Containing Big Tech
91 | Managed Detection & Response; The Path Forward (with Guest Sam DeNormandie, Silver Sky Security)
90 | AdTech Meets Privacy Laws (with Guest Susan Israel)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.