Update applicable to:
The new law applies to any entity that conducts business in Nevada or produces or provides products or services targeted to consumers in Nevada and, alone or with another, determines the purpose and means of processing, sharing, or selling consumer health data. All entities doing business in or directed at Nevadans are subject to the law, no matter how small they are.
On June 22, Nevada Governor Joe Lombardo signed SB 370 (“SB 370” or the “Act”), a privacy law concerning consumer health data that closely resembles Washington State’s “My Health, My Data” (“MHMD”) Act. The Nevada law will go into effect on March 31, 2024.
What are the details?
The bill is modeled on the Washington My Health My Data Act but with important differences, including that it does not have a private right of action and contains a narrower definition of consumer health data.
SB 370 does, however, have some data-based exemptions, including data regulated by the federal Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Administrative Simplification provisions of the Social Security Act, Family Educational Rights and Privacy Act, and Health Care Quality Improvement Act. Additionally, there are exemptions for specific data collected for clinical research, deidentified data, and Personal Health Information (“PHI”) governed by HIPAA.
“Consumer health data” means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present, or future health status of the consumer. The term includes, without limitation:
- (a) Information relating to:
  - Any health condition or status, disease or diagnosis
  - Social, psychological, behavioral, or medical interventions
  - Surgeries or other health-related procedures
  - The use or acquisition of medication
  - Bodily functions, vital signs or symptoms
  - Reproductive or sexual health care
  - Gender-affirming care
- (b) Biometric data or genetic data related to information described in paragraph (a)
- (c) Information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products
- (d) Any information described in paragraphs (a), (b), or (c) that is derived or extrapolated from information that is not consumer health data, including, without limitation, proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning or any other means
The term does not include information that is used to:
- Provide access to or enable gameplay by a person on a video game platform
- Identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present, or future health status of the consumer
Regulated entities must develop and maintain a policy specific to the privacy of consumer health data that clearly and conspicuously outlines a number of categories.
Consent must be obtained prior to the collection or sharing of consumer health data and must also include the categories, the purpose, whether the data will be shared and with whom, and how a consumer can withdraw consent. Deletion requests must be acted on within 30 days of authenticating a consumer request.
A regulated entity must establish a process for a consumer to appeal the denial of a request. The process must be:
- Conspicuously available on the website
- Similar to the process of making a request to exercise consumer health data rights
Within 45 days of receiving an appeal, the regulated entity must inform the consumer of:
- Any action taken in response to the appeal or any decision not to take such action.
- The reasons for any such action or decision.
- If the regulated entity decided not to take the action requested in the appeal, the contact information for the Office of the Attorney General.
What do employers need to do?
Nearly all entities of any size that do business in, or direct business at, Nevada or Washington will be subject to dramatic new consumer health data privacy requirements in 2024. Unless a company is an explicitly exempted entity (like a casino), it should thoroughly review its data handling practices, privacy policies, consent requirements, data selling and sharing practices, and corporate policies. While the Nevada law does not include a private right of action, it signals an intense focus on the privacy of consumer health data. Employers that do any business in the health or wellness space should expect to undertake a significant overhaul of their privacy practices and should therefore consult with their employment attorney to ensure compliance with the law.