Just a few months back I brought you news of Washington enacting the My Health My Data Act, the first bill of its kind specific to consumer health data. On June 16th, Nevada’s Governor signed SB370 into law, amending existing state law to add more comprehensive health data privacy requirements for businesses operating in Nevada or collecting consumer health data in Nevada. The new law goes into effect on March 31st, 2024. Here is what you need to know.
A few key definitions in the act:
“Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
“Consumer” means a natural person who has requested a product or service from a regulated entity and who resides in this State or whose consumer health data is collected in this State. The term does not include a natural person acting in an employment context or as an agent of a governmental entity.
“Consumer health data” means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present, or future health status of the consumer. The term:
- Includes, without limitation:
  (a) Information relating to:
    (1) Any health condition or status, disease or diagnosis;
    (2) Social, psychological, behavioral, or medical interventions;
    (3) Surgeries or other health-related procedures;
    (4) The use or acquisition of medication;
    (5) Bodily functions, vital signs or symptoms;
    (6) Reproductive or sexual health care; and
    (7) Gender-affirming care;
  (b) Biometric data or genetic data related to information described in paragraph (a);
  (c) Information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products; and
  (d) Any information described in paragraphs (a), (b), or (c) that is derived or extrapolated from information that is not consumer health data, including, without limitation, proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning or any other means.
- Does not include information that is used to:
  (a) Provide access to or enable gameplay by a person on a video game platform; or
  (b) Identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present, or future health status of the consumer.
Regulated entities must develop and maintain a privacy policy specific to consumer health data that clearly and conspicuously sets out the following:
- The categories of consumer health data collected and how each will be used
- The sources from which the consumer health data is collected
- The categories of consumer health data that the regulated entity shares
- The third parties and affiliates with whom the regulated entity shares consumer health data
- The purpose of collecting, using, and sharing consumer health data
- How the consumer health data will be processed
- The procedure for exercising a consumer’s rights around consumer health data
- The process, if there is one, for a consumer to review and request changes to consumer health data collected by the regulated entity
- The process for notifying consumers about changes to the privacy policy
- Whether a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity
- The effective date of the privacy policy
A clear and conspicuous hyperlink to the privacy policy must be displayed on the main page of the regulated entity’s website or otherwise provided to the consumer.
Regulated entities cannot collect, use, or share consumer health data beyond the categories and purposes outlined in the policy unless they disclose the additional use and obtain the consumer’s voluntary consent. The same applies to sharing consumer health data with third parties or affiliates that are not listed in the privacy policy.
Consent must be obtained before consumer health data is collected or shared, and the consent request must state the categories of data involved, the purpose, whether the data will be shared and with whom, and how the consumer can withdraw consent.
Regulated entities shall not collect consumer health data unless:
- The consumer has given affirmative, voluntary consent; or
- The collection is necessary to provide a product or service
Regulated entities shall not share consumer health data unless:
- The consumer has given affirmative, voluntary consent to the sharing, separate from their consent to collection;
- The sharing is necessary to provide a product or service; or
- The sharing is required or authorized by a provision of law
Regulated entities must provide reliable and secure means for consumers to submit requests, authenticate those requests, and act on the following consumer rights:
- Know whether a regulated entity is collecting, sharing, or selling consumer health data concerning the consumer
- Obtain a list of all third parties with whom the regulated entity has shared or to whom it has sold consumer health data
- Stop the collection, sharing, or selling of consumer health data
- Delete consumer health data concerning the consumer
As with the consumer data privacy laws spreading through the states like wildfire, a regulated entity has 45 days from receipt of a request to act on these consumer health data rights. It may take up to an additional 45 days if reasonably necessary, provided it notifies the consumer of the extension and the reason for it. If the entity cannot authenticate the request after reasonable efforts, it is not required to comply and may ask the consumer to provide additional reasonable information to authenticate the request. Information must be provided free of charge twice a year upon request, and for additional requests that are not manifestly unfounded, excessive, or repetitive; a reasonable fee may be charged for requests that are manifestly unfounded, excessive, or repetitive.
Within 30 days of authenticating a consumer’s deletion request, the regulated entity must:
- Delete all consumer health data concerning the consumer from its records and network
- Notify each affiliate, processor, contractor, or other third party with whom it has shared the consumer health data of the deletion request
Each affiliate, processor, contractor, or other third party must then delete the consumer health data from its own records and networks within 30 days of receiving that notification.
If the consumer health data is stored or archived on a backup system, the regulated entity or an affiliate, processor, contractor, or other third party may delay deletion of that data for not more than 2 years after the request is authenticated, as necessary to restore the archived or backup system.
A regulated entity must establish a process for consumers to appeal the denial of a request. The appeal process must be:
- Conspicuously available on the regulated entity’s website
- Similar to the process for making a request to exercise consumer health data rights
Within 45 days of receiving an appeal, the regulated entity must inform the consumer of:
- Any action taken in response to the appeal or any decision not to take such action;
- The reasons for any such action or decision; and
- If the regulated entity decided not to take the action requested in the appeal, the contact information for the Office of the Attorney General.
There are also extensive requirements around the selling of consumer health data, along with a ban on implementing a geofence within 1,750 feet of any medical facility, facility for the dependent, or facility providing in-person health care services in order to identify or track consumers, collect consumer health data, or send notifications, messages, or advertisements to consumers.
Be sure to review whether your company is considered a regulated entity under Nevada state law or whether it falls within an exempt category. If this new act affects your business, it is critically important that the new requirements are on your roadmap and that your business is ready to comply by March 31st of next year.
BTW, Nevada now joins Florida, Indiana, Tennessee, Montana, and Washington in passing major privacy bills THIS YEAR ALONE!