Nevada Strengthens Consumer Health Data Privacy with New Law

June 28, 2023

Nevada has taken a significant step toward safeguarding consumer health data with the enactment of the Consumer Health Data Privacy Law, Senate Bill 370 (SB370). This landmark legislation, signed into law by Governor Joe Lombardo on June 16, 2023, aims to enhance data privacy rights for individuals in Nevada and ensure greater control over their personal health information.

With its comprehensive provisions, SB370 joins a growing number of state-level initiatives focused on consumer privacy. According to the International Association of Privacy Professionals, California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia have paved the way for strengthening consumer health privacy laws in their states.

Nevada’s New Law on Health Data Privacy Strengthens Consumer Rights

SB370 amends existing legislation to impose more stringent requirements on businesses operating in Nevada or collecting consumer health data within the state. It establishes clear guidelines for the collection, sharing, and selling of consumer health data, granting consumers greater transparency, control, and protection over their sensitive health information.

Consumer Rights Under the New Consumer Privacy Law in Nevada Healthcare

The Consumer Health Data Privacy Law protects consumer health data. This means any personal information that is linked or can be linked to a consumer. It is also information that covered businesses can use to identify a consumer’s health status.

According to The National Law Review, consumer data includes information on a consumer’s:

  • health condition, status, disease, or diagnosis
  • social, psychological, behavioral, or medical interventions
  • surgeries and other health-related procedures
  • use and acquisition of medication
  • reproductive health care
  • gender-affirming care
  • bodily functions, vital signs, and symptoms

Moreover, consumer data includes biometric or genetic data related to the above information, details about a consumer’s precise geolocation, and any information derived or extrapolated from data that is not considered consumer health data. The latter includes various data generated through algorithms, machine learning, or other means.

The law grants consumers several essential rights regarding their health data. Like the California Consumer Privacy Act, these rights empower individuals and give them more control over their personal information. 

Key provisions include:

  1. Right to confirmation: Consumers have the right to confirm whether a covered business is collecting, sharing, or selling their health data.
  2. Right to access: Consumers can request a comprehensive list of all third parties with whom the business has shared or sold their health data.
  3. Right to opt-out: Consumers have the right to request that a business stop collecting, sharing, or selling their health data.
  4. Right to deletion: Consumers can request the deletion of their health data from the records and networks of covered businesses.

Nevada New Consumer Health Data Privacy Law Compliance: Obligations for Covered Businesses

SB370 places various obligations on covered businesses to ensure compliance with the new health data privacy law. Some key requirements include:

  1. Affirmative consent: Covered businesses must obtain voluntary, affirmative consent from consumers before collecting or sharing their health data, except when necessary to provide requested products or services. They should also stop collecting, sharing, or selling a consumer’s health data upon their request.
  2. Privacy policies: Covered businesses must develop and maintain a privacy policy that clearly outlines the categories of consumer health data collected, the purpose of data usage, sources of data collection, categories of third parties with whom the data is shared, the procedure for submitting a request, how a consumer can review and request changes to their data, how they will notify consumers of any changes to the privacy policy, and the effective date of the privacy policy.
  3. Security measures: Covered businesses are required to establish, implement, and maintain policies and practices for the secure handling and storage of consumer health data, ensuring its protection against unauthorized access or disclosure. Employees and any other entity that processes the data of covered businesses should only access the necessary information to perform the purpose of the data collection or to provide the product or service the consumer has asked for.
  4. Data deletion: Covered businesses must delete consumer data upon request.
  5. Identifying and tracking consumers: Covered businesses may not put up a geofence within 1,750 of any medical facility to track or identify consumers seeking health care.

In addition, covered businesses must respond promptly to requests no later than 45 days after the request is authenticated. The 45-day limit starts as soon as the request is received, not when it is authenticated.

Effective Date and Penalties Under SB370 

SB370 is set to become law on March 31, 2024. The law grants enforcement authority to the Nevada Attorney General, who will oversee its implementation and address any violations. It is important to note that there is no private right of action under this law, meaning consumers cannot bring individual lawsuits against non-compliant businesses. However, the Attorney General has the power to impose penalties and take legal action against entities that fail to comply with the law’s provisions.

Nevada New Consumer Health Data Privacy Law’s Impact on Businesses

The Nevada Consumer Health Data Privacy Law imposes significant responsibilities on covered businesses. A careful review of the law is essential to determine if a company falls under the definition of a regulated entity or qualifies for an exemption. 

Businesses affected by SB370 must ensure compliance with its provisions, including obtaining affirmative consent, developing privacy policies, implementing robust security measures, and promptly responding to consumer requests. As data privacy laws continue to evolve, organizations should stay updated on current regulations and prioritize protecting consumer health data.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
