As of March 31, 2024, Nevada’s state consumer health data law, Senate Bill No. 370 (SB 370), enters the state-level consumer health data privacy fray. Similar to Washington’s My Health My Data Act (MHMDA), SB 370 focuses on enhancing privacy rights and data protection for consumer health data that may not otherwise be covered by existing federal or state legislation.
For a refresh on Washington’s MHMDA, please review our previous alert. Below, we turn our attention to SB 370, outlining its applicability, a few noteworthy requirements for regulated entities, and highlighting several key differences from MHMDA.
Applicability Considerations – Which Entities and Categories of Data are Covered?
Regulated Entities
Nevada’s SB 370, like MHMDA, foregoes the processing volume and monetary applicability thresholds that we are accustomed to seeing in many state data privacy laws. Most state-level consumer privacy laws to date only apply to entities that process a certain volume of personal information and/or that reach certain annual revenue thresholds.
Instead, SB 370 regulates entities that interact with a specific category of data (defined as “consumer health data”) regardless of how much consumer health data might be collected and/or shared or whether an entity reaches a certain monetary threshold. SB 370’s “regulated entities” include any persons or entities who do both of the following:
- Conduct business in Nevada or produce or provide products or services that are targeted to Nevada consumers.
- Alone or with others, determine the purpose and means of processing, sharing, or selling consumer health data (e.g., wellness and fitness companies, medical device companies, health and life science companies, and even grocery and convenience stores).
Note that geofencing prohibitions, discussed below, apply to any person (not just regulated entities).
Consumer Health Data
“Consumer health data” protected by SB 370 includes personal information that is linked or is reasonably linkable to a consumer and that the regulated entity uses to identify the past, present, or future health status of the consumer. The term “consumer” generally refers to a person residing in Nevada or whose consumer health data is collected in Nevada. This term does not include employees or agents of governmental entities.
MHMDA applies more broadly in that it covers personal information that identifies the consumer’s past, present, or future health status and, thus, potentially encompasses a vast array of information capable of association with a consumer’s health in any way. As an example, SB 370’s definition of consumer health data includes precise geolocation information of a consumer, but only if such information is used by the regulated entity to indicate an attempt to receive healthcare services or products. Under MHMDA, precise geolocation information can be considered consumer health data if it could reasonably indicate an attempt to acquire or receive health services or supplies, regardless of whether it is actually collected by the regulated entity to do so.
As a result, while MHMDA may pull in non-health data if it could be used to infer health status, SB 370 does not appear to extend to such data so long as it is not used in practice to assess a consumer’s health status.
Exemptions
SB 370 exempts certain categories of data and categories of entities. SB 370 generally does not apply to persons, entities, and data whose collection and disclosure of data is already regulated by federal law. These exemptions include:
- Financial institutions or affiliates of financial institutions subject to Gramm-Leach-Bliley Act (GLBA) or any information otherwise subject to GLBA.
- Personal information used or shared as part of research studies that are otherwise regulated.
- Information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Personal information otherwise governed by and collected, used, or disclosed pursuant to Title IX of the Social Security Act, the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).
SB 370 also includes an entity-level exemption for any persons or entities subject to HIPAA. MHMDA, by contrast, only carves out Protected Health Information (PHI) under HIPAA.
SB 370 also exempts certain government collection and use of consumer health data, including information processed by law enforcement agencies or for law enforcement activities.
Consumer Notice
A regulated entity under SB 370 must post a conspicuous link on its main internet website to a consumer health privacy policy that discloses certain information. The required notice must include all of the following:
- Categories of consumer health data collected and the source(s) from which consumer health data is collected.
- Categories of consumer health data shared and the categories of recipients of such consumer health data.
- Description of the manner in which consumer health data will be used and processed by the regulated entity and the purposes of any collection, use, and sharing of consumer health data.
- Outline of the process for a consumer to submit a rights request.
- Description of the process for notifying consumers of material changes to the policy.
- Summary of the extent to which third parties may collect consumer health data across different internet websites or online services.
- The effective date of the policy.
SB 370 forbids regulated entities from collecting, using, or sharing consumer health data other than in the manner set forth in the notice; any changes will require notice and additional consent(s) (as applicable) from each impacted consumer. Thus, regulated entities should be as thorough as possible in developing the required notice.
Consent
SB 370 requires a consumer’s prior affirmative consent to the collection, sharing, and selling of their consumer health data.
Under SB 370, “share” means to release, disseminate, divulge, make available, provide access to, license, or otherwise communicate consumer health data (whether orally or in writing or by electronic means).
Collection and Sharing
Regulated entities cannot collect or share consumer health data, except in any of the following circumstances:
- With a consumer’s affirmative, voluntary consent.
- To the extent necessary to provide a requested product or service.
- To the extent required or authorized by another provision of law.
Where consent is the basis for any collection or sharing of consumer health data, the consent must be given prior to the collection or sharing. The request for consent must disclose all of the following:
- Categories of consumer health data to be collected or shared.
- Purposes for collecting or sharing the consumer health data (including the manner in which the consumer health data will be used).
- If shared, the categories of recipients.
- How the consumer may withdraw consent.
The consent request requirements are the same under both SB 370 and MHMDA.
Selling
SB 370 prohibits any person (not just regulated entities) from selling or offering to sell consumer health data without the prior written consent of the consumer. The consumer’s consent to the sale of their consumer health data (which SB 370 refers to as an “authorization”) must include certain information beyond the standard request for consent to collection or sharing, including all of the following:
- Name and contact information of the seller and the purchaser.
- Description of the consumer health data to be sold.
- Description of the purpose of the sale and the intended use of the consumer health data.
- Statement that the person’s provision of any goods/services is not conditioned on the sale of a consumer’s consumer health data.
- Statement of the consumer’s right to revoke.
- Statement that once sold, a consumer’s consumer health data may be disclosed again, and at that point, it might not be subject to the protections of SB 370.
- Date the authorization expires (authorizations expire one year after the date given).
- The consumer’s signature.
Regulated entities must provide copies of any such authorization to both the impacted consumer and the purchaser of the consumer health data. Both the regulated entity and the purchaser must maintain copies of the consumer’s authorization for six years.
Consumer Rights
Similar to other state data privacy legislation, SB 370 also provides consumers with certain rights regarding their consumer health data. Consumer rights under SB 370 include:
- The right to know if the regulated entity is collecting, sharing, or selling a consumer’s consumer health data.
- The right to receive (or “access”) a list of all third parties with whom the regulated entity has shared or sold a consumer’s consumer health data and to receive a copy of any written authorization for any sale of consumer health data.
- The right to request deletion of a consumer’s consumer health data.
- The right to withdraw consent/authorization and request the regulated entity cease collecting, sharing, or selling a consumer’s consumer health data.
- The right to appeal a regulated entity’s refusal to take action on a request.
Don’t Gamble on Geofencing
Like MHMDA, SB 370 also prohibits any person (not just regulated entities) from implementing geofence technology to track when consumers are within a particular virtual boundary around a medical or healthcare facility for any of the following purposes:
- Identifying or tracking those consumers that are seeking in-person health services or products.
- Collecting consumer health data.
- Sending notifications, messages, or advertisements to consumers related to their consumer health data.
This prohibition applies even with a consumer’s consent.
Enforcement
In a significant deviation from MHMDA, SB 370 is not enforceable via a private right of action. Rather, violations of SB 370 constitute deceptive trade practices under Nevada state law, which are investigated and enforced primarily by the Commissioner of Consumer Affairs and/or the Attorney General of Nevada (except in a few limited circumstances).
Next Steps
In preparation for SB 370 and for MHMDA, potentially subject entities should first determine whether any data that they collect or receive might be defined as consumer health data under either SB 370 or MHMDA. Because the term “consumer health data” is expansive, many businesses that are not traditionally healthcare-focused or considered healthcare companies may be collecting covered data. Steps to comply with SB 370 and/or MHMDA may include updating internal and external policies, revising agreements with certain third parties or affiliates, implementing appropriate security safeguards, operationalizing consumer consents and consumer rights requests, and evaluating what other business practices may require adjustment.
Our team will continue to monitor SB 370. If you have any questions about SB 370, MHMDA, or any other state privacy laws and how they could impact your business, please contact the authors.