On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.
SB 370 is the third state law of its kind, aimed at regulating consumer health data and entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) or other sector-specific federal laws. In May 2023, Washington state enacted the My Health My Data Act; and in June 2023, Connecticut amended its recently enacted Data Privacy Act to govern “consumer health data” with respect to consent, contracting, and geofencing requirements. Each of these state laws imposes specific requirements on entities with respect to the consumer health data they collect, process, store, and maintain outside of traditional health care settings.
These state laws share a number of similarities, including prohibitions on the collection and sharing of consumer health data without notice and consumer consent, as well as prohibitions on the sale of consumer health data absent written authorization from consumers. However, SB 370 differs from the analogous Washington and Connecticut laws in some important respects.
Key Provisions of SB 370
SB 370 applies to “regulated entities,” a term defined as meaning any person who: (1) conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada; and (2) alone or with another person(s), determines the purpose and means of processing, sharing, or selling consumer health data. Exempted entities and information types include entities subject to HIPAA; certain data collected for research; entities and information subject to the Gramm-Leach-Bliley Act; information governed by the Fair Credit Reporting Act; information governed by the Family Educational Rights and Privacy Act; information processed by a governmental or tribal entity; and law enforcement agencies.
Regulated entities are subject to the following provisions:
- SB 370 does not create a private right of action. Rather, violations of SB 370 will be deemed deceptive trade practices enforceable by the state Attorney General.
- Similar to the requirements of California’s California Consumer Privacy Act (“CCPA”) (which we previously discussed here), SB 370 requires regulated entities to publish consumer health data privacy policies that describe a number of elements, including but not limited to:
  - Categories of consumer health data collected;
  - Manner in which collected consumer health data will be used;
  - Categories of sources from which the consumer health data is collected;
  - Categories of consumer health data shared with other entities;
  - Categories of entities with which the consumer health data is shared;
  - Purposes for collecting, using, and sharing consumer health data;
  - How consumers may exercise their consumer health data rights;
  - The process by which a consumer can review and request changes to their health data that is collected by the regulated entity;
  - The process by which the regulated entity notifies consumers whose health data is collected by the regulated entity of material changes to the applicable privacy policy; and
  - Whether third parties “may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity[.]”
- Before collecting consumer health data, regulated entities must satisfy one of the following: (1) obtain affirmative, voluntary consent from consumers; or (2) the collection must be necessary to provide a product or service the consumer has requested.
- Similarly, before sharing consumer health data, regulated entities must satisfy one of the following: (1) obtain affirmative, voluntary consent from consumers; (2) collect such data as necessary to provide a product or service the consumer has requested; or (3) collect such data as is otherwise authorized by law. Note that consents obtained for collection and sharing must be “separate and distinct.”
- No person may sell or offer to sell consumer health data without the relevant consumer’s written authorization. Authorizations for sale must include, but are not limited to, a description of the consumer health data to be sold, a description of the purpose of the sale, the name and contact information of the persons selling and purchasing the data, and the expiration date of the authorization. Consumers must also be afforded a revocation right.
- Similar to requirements under the HIPAA Security Rule, entities regulated under SB 370 must implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data. These policies must: (1) satisfy the standard of care in the industry in which the regulated entity operates to protect the confidentiality, integrity, and accessibility of consumer health data; (2) comply with the provisions of Nevada’s Data Security and Breach statutes, where applicable; and (3) be reasonable, taking into account the volume and nature of the consumer health data at issue.
- Entities subject to the CCPA will also recognize the obligations that SB 370 places on “processors” (defined as “a person who processes consumer health data on behalf of a regulated entity”) to process consumer health data only pursuant to a contract between the processor and the regulated entity.
It should also be noted that SB 370 appears to contemplate future preemption by stating that the law would not apply to “[t]he collection or sharing of consumer health data where expressly authorized by any provision of federal or state law.”