The Nevada Consumer Health Data Privacy Law (Senate Bill 370) protects Nevada consumers' personal data by restricting the ways entities collect, use, and sell their private health information.
The law was passed on June 5, 2023 and will go into effect on March 31, 2024.
This article will take you through what the Nevada Consumer Health Privacy Law is, who it applies to, how to comply with the law, and the penalties for noncompliance.
- 1. What is the Nevada Consumer Health Data Privacy Law?
- 2. Who Does the Nevada Consumer Health Data Privacy Law Apply to?
- 3. How to Comply With the Nevada Consumer Health Data Privacy Law
- 3.1. Get Consent When Required
- 3.2.1. The Types of Health Data Collected and What You Use it For
- 3.2.2. Why the Health Data is Collected, Used, and Shared
- 3.2.3. Where the Health Data is Collected From
- 3.2.4. How You Use Health Data You Collect
- 3.2.5. What Health Data is Shared With Third Parties
- 3.2.6. What Third Parties You Share Health Data With
- 3.2.7. How Consumers Can Submit a Request Concerning Their Health Data
- 3.3. Give Consumers a Way to Make Rights Requests
- 3.4. Respond to Consumer Requests in a Timely Manner
- 3.4.1. Provide Consumers With a Way to Appeal Your Request Denials
- 4. Penalties for Nevada Consumer Health Data Privacy Law Noncompliance
- 5. Summary
What is the Nevada Consumer Health Data Privacy Law?
The Nevada Consumer Health Data Privacy Law was created to protect Nevada consumers' personal health information.
Protected health information under the law includes information about:
- Any health conditions, diseases, or diagnoses
- Social, psychological, medical, or behavioral interventions (such as drugs, surgeries, or medical devices)
- Surgeries or other health-related procedures (such as medical exams and tests)
- Medication use or acquisition
- Bodily functions, vital signs (such as body temperature, pulse rate, respiration rate, and blood pressure), or symptoms
- Reproductive or sexual health care
- Gender-affirming health care (treatments for gender dysphoria, hormone treatment, or gender-affirming surgeries)
The law also covers any biometric data or genetic data used in relation to the information listed above and geolocation information as it pertains to receiving health care.
Section 8 of the Nevada Consumer Health Data Privacy Law defines the types of information that count as consumer health data under the law:
The Nevada Consumer Health Data Privacy Law does not cover information that is used for:
- Playing games on a video game platform
- Identifying a consumer's shopping habits
- Certain research purposes
- Public health activities
The law also doesn't cover information that falls under Acts including the Social Security Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.
Who Does the Nevada Consumer Health Data Privacy Law Apply to?
The Nevada Consumer Health Data Privacy Law applies to:
- Any entities that do business within the state of Nevada and provide products or services to Nevada consumers and
- Any entities that decide the purposes of processing (using), sharing, or selling Nevada consumers' personal health data
The law does not apply to entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
How to Comply With the Nevada Consumer Health Data Privacy Law
The introductory text of the Nevada Consumer Health Data Privacy Law explains that applicable entities must:
- Get active consent from consumers before collecting or sharing their health data
- Respond to consumer requests concerning their health data
- Have a process for consumers to appeal the entity's decision if their requests are denied
- Keep consumers' health data secure
- Only process consumers' health data for specific purposes
- Only sell consumers' health data under specific circumstances
- Only use geofencing (a technique for capturing individuals' locations through their GPS) under specific circumstances
- Not discriminate against consumers for exercising their rights
- Make sure any third parties they contract with that process consumers' health data also comply with this law
Get Consent When Required
You must get consent from Nevada consumers prior to collecting their personal health data (unless it is necessary to provide a product or service that the consumer has requested from you).
If you want to share a consumer's health data with a third party, you must get explicit consent for that purpose.
The consent for sharing consumers' health data must be obtained separately from the consent for collecting the health data.
Your consent requests must inform consumers of the following:
- What kinds of health data they are consenting to being collected or shared
- Your reasons for collecting or sharing the health data
- What third parties the health data is being shared with
- How consumers can withdraw their consent
The Types of Health Data Collected and What You Use it For
This clause explains the categories of health data you collect and what you use the data for.
Why the Health Data is Collected, Used, and Shared
This clause explains the reasons why you collect, use, and disclose consumers' health data. You should only collect or process health data when necessary to fulfill the purposes listed in this clause.
Flagler Hospital's Notice of Privacy Practices lets consumers know that it may use or disclose their health data for purposes including treatment, payment, healthcare operations, and appointment reminders:
Where the Health Data is Collected From
You should let consumers know whether you obtain their health data directly, such as through an intake form, or indirectly, such as via third parties or tracking tools.
How You Use Health Data You Collect
This clause should explain how the health data you collect is used.
What Health Data is Shared With Third Parties
You should list the health data that you share with third parties here. You can use this clause to inform consumers that you share their health data with third parties, but you must also get consent from consumers before doing so.
Advanced Dermatology's Notice of Privacy Practices lets consumers know that it may share their private health information (PHI) including treatment information, lab or biopsy results, and information about healthcare operations:
What Third Parties You Share Health Data With
You can use this clause to list the categories of third parties to whom you disclose consumers' health data.
How Consumers Can Submit a Request Concerning Their Health Data
This clause should provide a method for consumers to submit requests about their data. It should also explain how consumers can appeal your decision if their requests are denied.
Dental Health Services' Privacy and Confidentiality Notice informs consumers what their rights are concerning their PHI and lets them know that they can make written requests to exercise those rights.
It includes a mailing address and email address where consumers can send their requests, as well as a phone number and link where they can access a copy of the Privacy and Confidentiality Notice:
One of the most common places to put links to legal documents is within a website footer.
When it comes to getting consent, the most commonly used and legally effective method is to get users to check a box next to an "I Agree" statement, as seen here:
You can get consent whenever a user shares personal information with you such as when signing up for an account, consenting to cookies being placed, or using a contact form to send you a message.
Give Consumers a Way to Make Rights Requests
The Nevada Consumer Health Data Privacy Law gives Nevada consumers the following rights:
- The right to know whether their health data is being collected, shared, or sold
- The right to obtain a list of third parties that their health data has been shared with or sold to
- The right to request an entity to stop collecting, sharing, or selling their health data
- The right to delete their health data
You must provide consumers with a secure and reliable method for making requests concerning these rights.
Respond to Consumer Requests in a Timely Manner
Once you receive a consumer request, you should respond to it within 45 days. If you need extra time to respond to the request, you can take an additional 45 days, but you will need to inform the consumer about the reasons for the extension within 45 days of receiving the request.
If you receive a deletion request, you will need to respond to it within 30 days. You should delete all consumer data and notify any third parties in possession of the consumer's health data to do the same within those 30 days.
Provide Consumers With a Way to Appeal Your Request Denials
If you decide not to fulfill a consumer's request concerning their health data, you will need to notify them of your decision (in writing).
Once you receive an appeal, you should inform consumers within 45 days about your decision concerning the appeal and your reasons for making it.
If you decide not to take the action requested in the appeal, you will need to provide the consumer with the contact information for the Office of the Attorney General (the regulating entity for the Nevada Consumer Health Data Privacy Law).
Penalties for Nevada Consumer Health Data Privacy Law Noncompliance
This law doesn't create a private right of action. In most cases, violations of the law will constitute a deceptive trade practice under the Nevada Consumer Protection Act. This means that the Nevada Attorney General will be able to seek injunctive relief and monetary damages, at his discretion, for violations of this law.
Summary
The Nevada Consumer Health Data Privacy Law protects Nevada consumers' health data by providing consumers with rights concerning their health data and requiring organizations that do business within the state of Nevada to follow its rules.
To comply with the Nevada Consumer Health Data Privacy Law, you should take the following steps:
- Get consent before collecting, using, or sharing consumers' health data
- Provide a way for consumers to make requests concerning their health data
- Give consumers a way to appeal your decisions regarding their requests
- The categories of health data you collect
- What you use the health data you collect for
- Where the health data comes from
- The types of health data you share with third parties
- The kinds of third parties you share health data with
- Your reasons for collecting, using, and/or sharing health data
- How the health data is processed
- How consumers can make requests concerning their health data
- How consumers can appeal your responses to their requests
Most violations of the Nevada Consumer Health Data Privacy Law will be considered deceptive trade practices and can result in financial penalties.