Introduction
During the height of the COVID-19 pandemic, many were surprised to learn that HIPAA does not broadly protect all health-related information. To fill that gap—and to address data protection concerns related to reproductive health services after the 2022 reversal of Roe v. Wade—states have recently begun enacting statutes to protect consumer health information. Nevada has joined Washington and Connecticut in this effort by enacting SB 370, which will take effect March 31, 2024.
Understanding SB 370: How Will It Apply?
The statute, known as SB 370, aims to protect “consumer health data” in the hands of a “regulated entity.” Let’s delve into the definitions provided within the statute to better understand its application:
- Regulated Entity: This term refers to any person conducting business in Nevada or producing/providing products or services targeted to Nevada consumers. Additionally, the regulated entity must determine the purpose and means of processing, sharing, or selling consumer health data. It’s important to note that there are some exemptions from SB 370, such as entities subject to HIPAA or financial institutions subject to the Gramm-Leach-Bliley Act.
- Consumer: A consumer is defined as a person who has requested a product or service from a regulated entity and either resides in Nevada or has their consumer health data collected in Nevada.
- Consumer Health Data: This term refers to personally identifiable information that is linked or reasonably capable of being linked to a consumer. The regulated entity must use this data to identify the past, present, or future health status of the consumer. Notably, the intent and purpose of collecting the health data matter: health data not actually used to identify a consumer’s health status falls outside the scope of the statute.
The statute provides an illustrative, but not exclusive, list of what the term “consumer health data” includes. Apart from typical examples like information on health conditions, diseases, medical interventions, surgeries, and reproductive or gender-affirming care, it also encompasses certain biometric or genetic data, geolocation information, and information derived or extrapolated from non-health data. For instance, analyzing a consumer’s shopping habits to determine whether they have specific medical conditions would fall within the statute.
SB 370 Requirements: What Will Regulated Entities Need to Do?
SB 370 imposes several new requirements on regulated entities. It’s crucial for these entities to be aware of and adhere to these requirements, which include:
- Developing and Posting a Privacy Policy: Regulated entities must develop a detailed policy governing the privacy of consumer health data. This policy should include numerous required elements and must be conspicuously posted on the entity’s website.
- Consent for Collecting and Sharing Data: Regulated entities must refrain from collecting and sharing consumer health data unless they have the voluntary consent of the consumer or it is necessary to provide a product or service the consumer requested.
- Process for Consumer Requests: Regulated entities must establish a process to permit and authenticate certain requests by consumers. This includes providing a list of all third parties with whom the regulated entity has shared or sold the consumer’s health data, ceasing the collection, sharing, or selling of the consumer’s health data, or deleting the consumer’s health data.
- Limited Access to Health Data: Regulated entities must ensure that only employees and processors with a “need to know” the consumer’s health data have access to that data.
- Security Policies and Procedures: Regulated entities must establish and implement policies and procedures for the administrative, technical, and physical security of consumer health data.
Enforcement of SB 370: Who Will Enforce It?
Enforcement of violations of SB 370 falls under the jurisdiction of the Nevada Attorney General. Only the Attorney General may enforce violations under the state’s deceptive trade practices laws. It’s important to note that SB 370 does not create a private right of action, meaning individuals cannot file suits based on the statute.
Key Takeaways and Next Steps
SB 370 is set to regulate companies conducting business in Nevada or targeting products and services to Nevada customers that collect consumer health data concerning Nevadans. Before the effective date of March 31, 2024, affected companies should evaluate whether they are collecting consumer health data that falls within SB 370’s parameters. If necessary, they should develop a compliance plan to implement the new requirements outlined in the statute.
It’s crucial for regulated entities to understand the definitions, requirements, and exemptions provided by SB 370 to ensure compliance and protect consumer health data. By taking proactive measures, companies can navigate the changing landscape of data protection laws and prioritize the privacy and security of consumer health information.
This document is intended to provide general information regarding SB 370 in Nevada and should not be considered specific legal advice. If you have further questions or require legal advice on this matter, please consult the attorneys listed or reach out to your regular legal counsel at Brownstein Hyatt Farber Schreck, LLP. Please note that the information in this article is accurate as of the publication date and may not reflect subsequent changes in the law.