During the height of the COVID-19 pandemic, many were surprised to learn that HIPAA does not broadly protect all health-related information. To fill that gap—and to address data protection concerns related to reproductive health services after the 2022 reversal of Roe v. Wade—states have recently begun enacting statutes to protect consumer health information. Nevada has joined Washington and Connecticut in this effort by enacting SB 370, which will take effect March 31, 2024.
How will SB 370 apply? The statute protects “consumer health data” in the hands of a “regulated entity.” The following statutory definitions explain these concepts:
- “Regulated entity” is defined as any person who conducts business in Nevada, or produces or provides products or services targeted to Nevada consumers, and determines the purpose and meaning of processing, sharing or selling consumer health data. Importantly, however, there are some broad exemptions from SB 370. For example, it does not apply to any entity subject to HIPAA or any financial institution subject to the Gramm-Leach-Bliley Act.
- “Consumer” is defined as a person who has requested a product or service from a regulated entity and who either resides in Nevada or whose consumer health data is collected in Nevada.
- “Consumer health data” is defined as personally identifiable information that is linked or reasonably capable of being linked to a consumer and that the regulated entity uses to identify the past, present or future health status of the consumer. That is, the intent and purpose of collecting the health data matters—health data not actually used to identify a consumer’s health status falls outside the scope of the statute.
The statute provides an illustrative, but not exclusive, list of what the term “consumer health data” includes. In addition to typical examples—such as information on health conditions or diseases, medical interventions, surgeries, and reproductive or gender-affirming care—the term also includes certain biometric or genetic data, geolocation information and information that is derived or extrapolated from non-health data. For example, analyzing a consumer’s shopping habits to determine whether the consumer has specific medical conditions would fall within the statute.
What will SB 370 require? The statute imposes numerous new requirements on regulated entities, including to:
- Develop and conspicuously post on the entity’s website a detailed policy, including numerous required elements, governing the privacy of consumer health data;
- Refrain from collecting and sharing consumer health data except with the voluntary consent of the consumer or to the extent necessary to provide a product or service the consumer requested;
- Put in place a process to permit and authenticate certain requests by consumers, including providing a list of all third parties with whom the regulated entity has shared or sold the consumer’s health data; ceasing collecting, sharing, or selling the consumer’s health data; or deleting the consumer’s health data;
- Ensure that only employees and processors with a “need to know” the consumer’s health data have access to that data; and
- Establish and implement policies and procedures for the administrative, technical, and physical security of consumer health data.
How will SB 370 be enforced? Importantly, only the Nevada Attorney General may enforce violations of SB 370 under the state’s deceptive trade practices laws. SB 370 expressly did not create a private right of action permitting aggrieved individuals to file suits.
Takeaways: SB 370 is likely to, for the first time, regulate companies doing business in Nevada, or targeting products and services to Nevada customers, that collect consumer health data concerning Nevadans. Before the March 31, 2024, effective date, affected companies should evaluate whether they are collecting consumer health data that falls within SB 370’s parameters, and if needed, develop a compliance plan to implement these new requirements.
This document is intended to provide you with general information regarding SB 370 in Nevada. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.