The governor of Nevada recently signed a new consumer health data privacy bill into law that strengthens consumer health data privacy and gives Nevada residents new rights over their health data. Senate Bill (SB) 370 was modeled on Washington’s recently enacted “My Health, My Data” (MHMD) bill, although it is less comprehensive in scope. The new law applies to entities that conduct business in Nevada or produce or provide products or services that are targeted at consumers in Nevada and, either alone or with others, determine the purpose and means of processing, sharing, or selling consumer health data. Exceptions include law enforcement agencies and their contractors, and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
The new law applies to consumer health data, which is defined as personally identifiable information that is linked to or reasonably capable of being linked to a consumer that a regulated entity uses to identify the past, present, or future health status of a consumer, but excludes information for certain research purposes, public health purposes, FERPA-covered data, and health data collected and shared as authorized by other state or federal laws, and certain other purposes.
Consumer health data includes information about any health condition or status, disease, or diagnosis; social, psychological, behavioral, or medical intervention; surgeries or health-related procedures; use or acquisition of medication; bodily functions, vital signs, or symptoms; reproductive or sexual health care; gender-affirming care; biometric or genetic data; precise geolocation information; and health information derived or inferred from non-health data.
The new law gives consumers new rights over their health information, including the right to confirm if a covered business is collecting, sharing, or selling their health data, obtain a list of all third parties that their health data has been sold to or shared with, the right to stop a business from processing, sharing, or selling their health data, and the right to have their health data deleted. In the case of the latter, covered businesses have to delete data and notify affiliates, processors, and contractors of the deletion request within 30 days. Responses to consumer requests are required without undue delay and no later than 45 days after the request is authenticated.
Covered businesses must obtain affirmative, voluntary consent for the collection and sharing of consumer health data and obtain written, signed authorization before the sale of consumer health data is permitted. Covered businesses are required to maintain a consumer health data privacy policy, restrict access to consumer health data to employees and processors that need access to the data, maintain reasonable security practices, and establish a consumer appeals process. The privacy policy must be clearly posted on the covered business’s main Internet site and must explain how consumer health data is collected and used, the categories of entities with whom the information will be shared, and consumer rights, including the process for reviewing, requesting changes to, and deleting consumer health data. Covered businesses are prohibited from geofencing healthcare facilities (within 1,750 feet) for the purpose of identifying or tracking consumers receiving or seeking healthcare, collecting health data from consumers, or sending health data or healthcare-related notifications, messages, or advertisements to consumers.
The new law takes effect on March 31, 2024, after which date the state Attorney General can impose financial penalties for noncompliance. There is no private cause of action, so consumers are unable to take legal action themselves against entities that have violated their privacy through noncompliance with the law.