Following in the footsteps of Washington State’s My Health My Data Act, Nevada SB 370 and Connecticut SB 3 were both recently approved by their respective governors. As detailed below, the laws impose a number of new requirements on the processing of consumer health data. Nevada SB 370 will go into effect on March 31, 2024, while the consumer health data-related provisions of Connecticut SB 3 that amend the Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023.
IN DEPTH
NEVADA
Applicability
SB 370 will apply to a “regulated entity,” which is any person who (1) conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and (2) alone or with other persons, determines the purpose and means of processing, sharing or selling consumer health data. This could include nonprofits. For purposes of SB 370, a “consumer” is a natural person who has requested a product or service from a regulated entity and who resides in Nevada or whose consumer health data is collected in Nevada. A “consumer” does not include a natural person acting in an employment context or as an agent of a governmental entity. Notably, this definition of “consumer” would potentially also cover non-Nevada residents, which is a broader applicability than other state privacy laws.
What Is “Consumer Health Data”?
SB 370 defines “consumer health data” as personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer. Consumer health data includes, without limitation:
- Information relating to:
  - Any health condition or status, disease or diagnosis
  - Social, psychological, behavioral or medical interventions
  - Surgeries or other health-related procedures
  - The use or acquisition of medication
  - Bodily functions, vital signs or symptoms
  - Reproductive or sexual health care
  - Gender-affirming care
- Biometric data or genetic data related to the information described in the above bullet points
- Information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive healthcare services or products
- Any information described in the above bullet points that is derived or extrapolated from information that is not consumer health data, including (without limitation) proxy, derivative, inferred or emergent data derived through an algorithm, machine learning or any other means.
Consumer health data does not include information that is used to:
- Provide access to or enable gameplay by a person on a video game platform, or
- Identify the shopping habits or interests of a consumer if that information is not used to identify the specific past, present or future health status of the consumer.
Exemptions
As with other state consumer privacy laws, SB 370 contains a number of entity- and data-level exemptions. For example, SB 370 will not apply to:
- Any person or entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and health records governed by or created pursuant to other healthcare-related laws (e.g., 42 CFR Part 2, regulations regarding human subject research, public health reporting requirements, patient safety and other healthcare quality improvement activities).
- Financial institutions or financial institution affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA) or any personally identifiable information regulated by the GLBA that is collected, maintained or sold as provided in the GLBA.
- Personally identifiable information regulated by the Administrative Simplification provisions of the Social Security Act, the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act.
- Information processed by or for any governmental or tribal entity for civic or governmental purposes and operations or related services and operations.
- Any person who holds a nonrestricted license (meaning a state gaming license for: 16 or more slot machines; any number of slot machines together with any other game, gaming device, race book or sports pool at one establishment; or a slot machine route), or an affiliate of such a person.
- Law enforcement agencies, contractors of law enforcement agencies and law enforcement activities.
Data Controller Obligations
SB 370 will require regulated entities to include additional privacy disclosures on their websites and take additional steps to, for example, obtain consent from customers when handling their consumer health data. Specifically, SB 370 will require regulated entities to:
- Develop and maintain a consumer health data privacy policy.
- Obtain a consumer’s affirmative, voluntary consent before collecting or sharing consumer health data (subject to certain exceptions).
- Establish, implement and maintain policies and practices for the administrative, technical and physical security of consumer health data.
- Enter into a contract with data processors related to their processing of consumer health data.
While the addition of more disclosures into already lengthy privacy policies is likely frustrating to some, the remaining requirements above closely mirror those of the majority of new state consumer privacy laws.
Consumer Rights
Regulated entities must also provide a number of consumer rights, which likely look and feel standard to companies at this point:
- Confirming whether the regulated entity is collecting, sharing or selling consumer health data relating to the consumer.
- Providing the consumer with a list of all third parties with whom the regulated entity has shared consumer health data relating to the consumer or to whom the regulated entity has sold such consumer health data.
- Ceasing the collection, sharing or selling of consumer health data relating to the consumer.
- Deleting consumer health data concerning the consumer.
A regulated entity must also establish a process by which a consumer may appeal the regulated entity’s refusal to act on a consumer request.
Other Key Restrictions
SB 370 will prohibit any person from selling or offering to sell consumer health data (1) without the written authorization of the consumer to whom the data pertains or (2) if the consumer provides such written authorization, in a manner that is outside the scope of or inconsistent with the written authorization.
SB 370 will also prohibit any person from implementing a geofence within 1,750 feet of any medical facility, facility for the dependent or any other person or entity that provides in-person healthcare services or products for the purpose of (1) identifying or tracking consumers seeking in-person healthcare services or products, (2) collecting consumer health data, or (3) sending notifications, messages or advertisements to consumers related to their consumer health data or healthcare services or products.
No Private Right of Action
Unlike the Washington State health law on which SB 370 is modeled, there is no private right of action in SB 370.
CONNECTICUT
Connecticut SB 3, in part, amends the CTDPA to impose new limitations on the processing and sale of consumer health data and revises the CTDPA’s definition of “sensitive data” to explicitly include consumer health data. SB 3 defines “consumer health data” as any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data. New restrictions include prohibitions against (1) providing employees or contractors with access to consumer health data unless they are subject to a contractual or statutory duty of confidentiality; (2) using a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer’s consumer health data; or (3) selling, or offering to sell, consumer health data without first obtaining the consumer’s consent.
***
Creating a successful, effective, comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal information subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.