Nevada’s new consumer health data law—like Washington’s My Health My Data Act—implements strict—and separate—consent requirements for the collection and sharing of an individual’s health data, with few exceptions.
March 31, 2024 saw two US state consumer health data protection laws take effect. Nevada’s consumer health data law is one of them. For our coverage of Washington’s My Health My Data Act, which is also in effect, please see our previous coverage here.
The consumer health data-specific laws are unlike recent omnibus US state data protection laws, which broadly regulate the collection and processing of any type of personal data. These laws only act to regulate specific categories of consumer health data. Connecticut also implemented a similar law, but as an add-on to Connecticut’s already-in-effect omnibus data protection law.
Like Washington’s My Health My Data Act, Nevada’s law has no threshold triggers—meaning it applies to any business collecting or processing any amount of consumer health data—and applies to any collection or processing occurring in the state of Nevada. Also similar to Washington’s My Health My Data Act, the Nevada law will not apply to entities governed by HIPAA.
However, the Nevada consumer health data law is different from the Washington law in one important aspect—it generally does not provide a private right of action.
The Nevada law also requires a business to post separate privacy notices—apart from a business’s general website or other privacy notices—related to its collection and use of health data, and to implement reasonable and appropriate technical and organizational security measures to protect health data.
In addition to requiring separate, express opt-in consents before a business is permitted to collect and disclose consumer health data, the new law also puts geofencing prohibitions and consumer health data privacy rights in place.
Entities that operate in the state of Nevada should take note, and businesses operating in the US should keep their eye on similar consumer health data protection laws that are popping up, especially given that other states such as Washington have similar laws on the books or are looking at implementing similar laws.
Regulated Data and Entities
The Nevada consumer health data law only applies to “Regulated Entities,” which is broadly defined as any entity that (1) conducts business in the state of Nevada or produces or provides products or services that are targeted to Nevada residents; and (2) collects, processes, shares, or sells consumer health data.
There are no threshold triggers. Other, broader US state data protection laws typically don’t apply to a business until that business collects a certain amount of personal data. For example, the Colorado Privacy Act does not regulate a business until it collects, annually, the personal data of 100,000 or more Colorado residents. Broader US state data protection laws have been drafted in a manner to avoid impacting small businesses. Without the threshold triggers, these new consumer health data laws will apply to any business no matter how much consumer health data it interacts with.
Importantly, the definition of “consumer” includes both individuals who are residents of Nevada and those whose consumer health data is collected in the state of Nevada. The latter could implicate residents of other states who travel to Nevada for medical procedures. This takes on added importance in the aftermath of the US Supreme Court overturning Roe v. Wade as individuals seek reproductive health care services across state lines.
Consumer Health Data
The definition of “consumer health data” is broad. It includes “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future physical or mental health status of a consumer.”
Below is a non-exhaustive list of consumer health data categories that are considered “consumer health data” under the Nevada consumer health data law:
- Any health condition or status, disease or diagnosis;
- Social, psychological, behavioral or medical interventions;
- Surgeries or other health-related procedures;
- The use or acquisition of medication;
- Bodily functions, vital signs or symptoms;
- Reproductive or sexual health care;
- Gender-affirming care;
- Biometric data and genetic data related to the above categories; and
- Information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products.
Consumer health data can also include information derived from non-consumer health data, if such non-consumer health data is processed with any data falling into the above categories. This means that any processing of consumer health data with non-consumer health data may extend consent and other data protection requirements to data not otherwise falling into the above categories.
Consent and Necessity
The biggest shift in practices will certainly stem from the new law’s consent requirements. A business is only permitted to collect and process consumer health data in two circumstances:
- Where it has obtained the consumer’s prior consent; or
- It is necessary to provide a product or service the consumer requests from the specific business.
The same circumstances apply to when a business is permitted to share or disclose consumer health data to a third party—meaning a business either needs to obtain a separate consent for sharing the consumer health data, or the consumer needs to request such sharing as part of the provision of services.
Consent under Nevada consumer health data law must be obtained via prior, express opt-in consent. Businesses cannot rely on implied consent, pre-checked boxes, or combined consents (e.g., consent for marketing activities combined with consent for collecting consumer health data under one check box option).
One exception to the consent for sharing requirement is that businesses are permitted to disclose consumer health data to “processors”—similar to the same concept instituted under other U.S. data protection laws—that act as service providers and vendors, provided such entities enter into written contracts that strictly regulate and limit what the processor can do with the consumer health data.
Consumer Health Data Rights
Consumer privacy rights have become commonplace under US and other data protection laws—such as the right to access personal data, delete personal data, and correct personal data.
The Nevada law is not different and provides consumers the same privacy rights as promulgated under the Washington My Health My Data Act. Consumers have the following privacy rights under Nevada’s law:
- Confirm whether a business is collecting, sharing, or selling consumer health data;
- Access the consumer health data a business has collected about them;
- Delete the consumer health data a business holds about them; and
- Withdraw consent for collection and/or sharing of their consumer health data.
Businesses must respond to any such requests within 45 days from receipt of the request—but are permitted to seek an additional 45 days if warranted due to the complexity or volume of the request.
Geofencing Prohibitions
The Nevada consumer health data law also tracks with Washington’s geofencing prohibition but institutes a smaller area around medical facilities where such technology may be prohibited.
Under the Nevada consumer health data law, businesses are prohibited from implementing a geofence within 1,750 feet of any medical facility for the purposes of (1) identifying or tracking consumers seeking health care services; (2) collecting consumer health data; or (3) sending notifications, messages, or ads to consumers related to or derived from their health data or use of health care services.
A “geofence” is defined to mean technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless Internet data, or any other form of detecting the physical location of a person to establish a virtual boundary with a radius of 1,750 feet or less around a specific location.
Enforcement
Unlike the My Health My Data Act in Washington, Nevada’s consumer health data law does not create a private right of action.
Nevada’s law will be enforceable by the Nevada Attorney General.
Conclusion
With the Nevada consumer health data law now in effect, businesses operating in the state of Nevada and that touch the health care industry or that provide services related to health care in any way must ensure they have processes and procedures in place to comply with the consent and other requirements.
As more US states continue to implement new—and amend existing—data protection requirements, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.
Luke Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.