Nevada’s New Consumer Health Data Privacy Law: 6 Things to Know

7 minute read | July.13.2023

The Nevada legislature recently passed Senate Bill 370 (“Nevada’s Consumer Health Data Privacy Law”) aiming to impose broad requirements on collecting, using, and selling consumer health information. Nevada joins Washington and Connecticut with its own consumer health data privacy law. Here are six things to know about Nevada’s new law, including next steps for your privacy compliance program.

Who Is Regulated?
Nevada’s Consumer Health Data Privacy Law applies to a “Regulated Entity,” which is any person who:
- Conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and
- Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.
Similar to Washington’s My Health My Data law, Nevada’s Consumer Data Health Privacy Law does not exempt nonprofits. It does, however, include several entity-level exclusions, including for persons or entities subject to HIPAA and the GLBA.
What Data Is Covered?
Nevada’s Consumer Health Data Privacy Law applies to all “consumer health data.”

Consumer health data is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a Regulated Entity uses to identify the past, present, or future health status of the consumer.” This includes:
- Information relating to:
  - Any health condition or status, disease, or diagnosis.
  - Social, psychological, behavioral, or medical interventions.
  - Surgeries or other health-related procedures.
  - The use or acquisition of medication.
  - Bodily functions, vital signs, or symptoms.
  - Reproductive or sexual health care.
  - Gender-affirming care.
- Biometric data or genetic data related to information described above.
- Information related to the precise geolocation information of a consumer that a Regulated Entity uses to indicate an attempt by a consumer to receive health care services or products.
- Any information described above that is derived or extrapolated from information that is not consumer health data, including proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means.
Notably, consumer health data does not include information that is:
- Used to provide access to or enable gameplay on a video game platform or
- Used to identify the shopping habits or interests of a consumer, if that information is not used to identify the consumer’s past, present, or future health status.
Additionally, the law exempts certain information, including information governed by FCRA, FERPA, processed by any governmental entity, or information that is collected or shared as expressly authorized by a provision of federal or state law. It also exempts deidentified data.

Lastly, the Nevada law defines “consumer” to include not only residents of Nevada that have requested a product or service from a Regulated Entity, but also individuals whose consumer health data is collected (i.e., bought, rented, accessed, retained, received, acquired, inferred, derived, or otherwise processed in any manner) in Nevada. The law explicitly excludes from the definition of consumer individuals acting in an employment context or as agents of a governmental entity.
What Are the Obligations for Regulated Entities?
- Maintain a Health Data Privacy Policy. The law requires Regulated Entities to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously states:
  - Categories of consumer health data being collected by the Regulated Entity and the manner in which the consumer health data will be used.
  - Categories of sources from which consumer health data is collected.
  - Categories of consumer health data that are shared by the Regulated Entity.
  - Categories of consumer health data that are shared by the Regulated Entity.
  - Categories of third parties and affiliates with whom the Regulated Entity shares consumer health data.
  - The purposes of collecting, using, and sharing consumer health data.
  - The manner in which consumer health data will be processed.
  - How consumers can exercise the rights granted under the law.
  - The process, if any, for a consumer to review and request changes to any of their consumer health data that is collected by the Regulated Entity.
  - The process by which the Regulated Entity will notify consumers of material changes to the privacy policy.
  - Whether a third party may collect consumer health data over time and across different websites or online services when the consumer uses any website or online service of the Regulated Entity.
  - The effective date of the privacy policy.
  A Regulated Entity must post the notice on its website or otherwise provide the policy to consumers in a manner that is clear and conspicuous.
- Acquire Consent to Collect or Share Consumer Health Data in Certain Circumstances. Regulated Entities are required to obtain consumers’ affirmative and voluntary consent before collecting or sharing consumer health data. Importantly, the consent to share consumer health data must be obtained separately from the consent to collect consumer health data and include the prescribed information under the statute. However, Regulated Entities may collect and share consumer health data without consent to the extent necessary to provide their product or service that the consumer has requested from the Regulated Entity. In addition, Regulated Entities may also share consumer health data where otherwise required or authorized by law.
- Acquire Written Authorization to Sell Consumer Health Data. A person must obtain written authorization from the consumer before selling or offering to sell their health data.
- Restrict Access to Consumer Health Data. A Regulated Entity can only authorize the employees and processors of the Regulated Entity to access consumer health data where it is reasonably necessary to:
  - Further the purpose for which the consumer consented to the collection and sharing of their health data.
  - Provide a product or service that the consumer has requested from the Regulated Entity.
- Implement Security Practices. Regulated Entities are required to establish, implement, and maintain policies and practices for the administrative, technical, and physical security of consumer health data.
- Grant Consumer Requests. Upon request, Regulated Entities must:
  - Confirm whether the Regulated Entity collects, shares, or sells consumer health data concerning the consumer.
  - Provide the consumer with a list of third parties with whom the Regulated Entity has shared or to whom the Regulated Entity has sold consumer health data relating to the consumer.
  - Cease collecting, sharing, or selling consumer health data relating to the consumer.
  - Delete consumer health data concerning the consumer.
  Regulated Entities must establish a process to allow consumers to make these requests and appeal denials.
- Written Contract Between Regulated Entity and Processor. Processors may only process consumer health data pursuant to a contract between the processor and a Regulated Entity.
- Prohibit the Use of Geofences. Even with consumer consent, the Nevada law prohibits a person from geofencing within 1,750 feet of any person or entity that provides in-person health care services or products for the following purposes:
  - Identifying or tracking consumers seeking in-person health care services or products.
  - Collecting consumer health data.
  - Sending notifications, messages, or advertisements to consumers related to their consumer health data or health care services or products.
  Unlike Washington’s My Health My Data, there is no early effective date for this prohibition. It goes into effect with all other provisions of Nevada’s Consumer Health Data Privacy Law.
When Does Nevada’s Consumer Health Data Privacy Law Go Into Effect?

The law will go into effect on March 31, 2024. Unlike Washington’s My Health My Data, there is no delayed effective date for small businesses.
How Will Nevada’s Consumer Health Data Privacy Law Be Enforced?

Importantly, the law does not create a private right of action. Except in narrow circumstances applicable to processors, violations constitute a deceptive trade practice under the Nevada Consumer Protection Act (“NCPA”). Nevada’s Attorney General may seek injunctive relief and monetary damages for violations of the law.
What Should Companies Consider Doing?
- Determine whether you are within the scope of the law. Companies should understand the full extent of their activities and know whether they fall within the scope of the law.
- Identify whether you are collecting consumer health data. Because the term “consumer health data” is expansive, many businesses that are not traditionally health care focused or considered health care companies may be collecting covered data.
- Stop using geofences. Companies should assess and be ready to terminate their use of geofencing where applicable on the law’s effective date.
- Build a compliance program. Begin addressing the obligations by:
  - Developing and maintaining a health data privacy policy.
  - Implementing necessary just-in-time notices and prior opt-in consent to certain collection and sharing of consumer health data.
  - Updating any third-party agreements (including data processing agreements) where necessary.
  - Building up internal processes to respond to and grant consumer privacy rights requests.

Authors

Thora Johnson Partner, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Kyle Kessler Senior Associate, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Los Angeles

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler Senior Associate

Los Angeles

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.