The Nevada Consumer Health Data Privacy Law (Senate Bill 370) protects Nevada consumers' personal data by restricting the ways entities collect, use, and sell Nevada consumers' private health information.
The law was passed on June 5, 2023 and will go into effect on March 31, 2024.
This article will take you through what the Nevada Consumer Health Privacy Law is, who it applies to, how to comply with the law, and the penalties for noncompliance.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is the Nevada Consumer Health Data Privacy Law?
- 2. Who Does the Nevada Consumer Health Data Privacy Law Apply to?
- 3. How to Comply With the Nevada Consumer Health Data Privacy Law
- 3.1. Get Consent When Required
- 3.2. Create and Maintain a Privacy Policy That References Health Data
- 3.2.1. The Types of Health Data Collected and What You Use it For
- 3.2.2. Why the Health Data is Collected, Used, and Shared
- 3.2.3. Where the Health Data is Collected From
- 3.2.4. How You Use Health Data You Collect
- 3.2.5. What Health Data is Shared With Third Parties
- 3.2.6. What Third Parties You Share Health Data With
- 3.2.7. How Consumers Can Submit a Request Concerning Their Health Data
- 3.2.8. The Effective Date and How Consumers are Notified About Changes to the Privacy Policy
- 3.2.9. Display and Get Consent to Your Privacy Policy
- 3.3. Give Consumers a Way to Make Rights Requests
- 3.4. Respond to Consumer Requests in a Timely Manner
- 3.4.1. Provide Consumers With a Way to Appeal Your Request Denials
- 4. Penalties for Nevada Consumer Health Data Privacy Law Noncompliance
- 5. Summary
What is the Nevada Consumer Health Data Privacy Law?
The Nevada Consumer Health Data Privacy Law was created in order to protect Nevada consumers' personal health information.
Protected health information under the law includes information about:
- Any health conditions, diseases, or diagnoses
- Social, psychological, medical, or behavioral interventions (such as drugs, surgeries, or medical devices)
- Surgeries or other health-related procedures (such as medical exams and tests)
- Medication use or acquisition
- Bodily functions, vital signs (such as body temperature, pulse rate, respiration rate, and blood pressure), or symptoms
- Reproductive or sexual health care
- Gender-affirming health care (treatments for gender dysphoria, hormone treatment, or gender-affirming surgeries)
The law also covers any biometric data or genetic data used in relation to the information listed above and geolocation information as it pertains to receiving health care.
Section 8 of the Nevada Consumer Health Data Privacy Law defines the types of information that count as consumer health data under the law:
The Nevada Consumer Health Data Privacy Law does not cover information that is used for:
- Playing games on a video game platform
- Identifying a consumer's shopping habits
- Certain research purposes
- Public health activities
The law also doesn't cover information that falls under Acts including the Social Security Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.
Who Does the Nevada Consumer Health Data Privacy Law Apply to?
The Nevada Consumer Health Data Privacy Law applies to:
- Any entities that do business within the state of Nevada and provide products or services to Nevada consumers and
- Any entities that decide the purposes of processing (using), sharing, or selling Nevada consumers' personal health data
The law does not apply to entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
How to Comply With the Nevada Consumer Health Data Privacy Law
The introductory text of the Nevada Consumer Health Data Privacy Law explains that applicable entities must:
- Create and maintain an accessible Privacy Policy concerning consumer health data
- Get active consent from consumers before collecting or sharing their health data
- Respond to consumer requests concerning their health data
- Have a process for consumers to appeal the entity's decision if their requests are denied
- Keep consumers' health data secure
- Only process consumers' health data for specific purposes
- Only sell consumers' health data under specific circumstances
- Only use geofencing (a technique for capturing individuals' locations through their GPS) under specific circumstances
- Not discriminate against consumers for exercising their rights
- Make sure any third parties they contract with that process consumers' health data also comply with this law
There are a few steps you can take to comply with the Nevada Consumer Health Data Privacy Law, including getting consent, maintaining a Privacy Policy, giving consumers a way to make requests concerning their health data, responding to consumer requests regarding their health data, and providing a way for consumers to appeal request decisions.
Get Consent When Required
You must get consent from Nevada consumers prior to collecting their personal health data (unless it is necessary to provide a product or service that the consumer has requested from you).
If you want to share a consumer's health data with a third party, you must get explicit consent for that purpose.
The consent for sharing consumers' health data must be obtained separately from the consent for collecting the health data.
Your consent requests must inform consumers of the following:
- What kinds of health data they are consenting to being collected or shared
- Your reasons for collecting or sharing the health data
- What third parties the health data is being shared with
- How consumers can withdraw their consent
BetterHelp uses a popup banner to inform consumers that it processes personally identifiable information (PII) and personal health information to provide the services outlined in its Privacy Policy:
It explains that it may share PII with third parties for advertising and analytics purposes, and provides links to its Privacy Policy and its Sharing Settings so that users can learn more about who it shares data with and why, and to opt out.
Create and Maintain a Privacy Policy That References Health Data
You need to maintain a clearly written and regularly updated Privacy Policy that contains relevant clauses related to health data.
Let's take a look at the health data clauses you should include in your Privacy Policy to ensure that it complies with the law.
The Types of Health Data Collected and What You Use it For
This clause explains the categories of health data you collect and what you use the data for.
You can't collect, use, or share consumers' health data for any purposes other than the ones listed in this clause unless you disclose those categories in your Privacy Policy and get consent from consumers before processing it.
Talkspace's Privacy Policy contains a table that describes the types of personal data it collects (including health data), how it obtains the data, and what it does with the data:
Why the Health Data is Collected, Used, and Shared
This clause explains the reasons why you collect, use, and disclose consumers' health data. You should only collect or process health data when necessary to fulfill the purposes listed in this clause.
Flagler Hospital's Notice of Privacy Practices lets consumers know that it may use or disclose their health data for purposes including treatment, payment, healthcare operations, and appointment reminders:
Where the Health Data is Collected From
You should let consumers know whether you obtain their health data directly, such as through an intake form, or indirectly, such as via third parties or tracking tools.
Laguna Treatment Hospital's Privacy Policy informs consumers that its server automatically logs information about their browsers when they visit its website, and that it collects personal and health data directly from consumers for referral purposes:
How You Use Health Data You Collect
This clause should explain how the health data you collect is used.
OhioHealth's Privacy Policy explains how it processes consumers' information, including to improve its website functionality, to fulfill consumer requests, and for communication purposes:
What Health Data is Shared With Third Parties
You should list the health data that you share with third parties here. You can use this clause to inform consumers that you share their health data with third parties, but you must also get consent from consumers before doing so.
Advanced Dermatology's Notice of Privacy Practices lets consumers know that it may share their private health information (PHI) including treatment information, lab or biopsy results, and information about healthcare operations:
What Third Parties You Share Health Data With
You can use this clause to list the categories of third parties to whom you disclose consumers' health data.
Riley Children's Health's Privacy Policy lists the third parties it may share consumers' health data with, including service providers, affiliates, law enforcement, and in connection with ownership transfers or mergers:
How Consumers Can Submit a Request Concerning Their Health Data
This clause should provide a method for consumers to submit requests about their data. It should also explain how consumers can appeal your decision if their requests are denied.
Dental Health Services' Privacy and Confidentiality Notice informs consumers what their rights are concerning their PHI and lets them know that they can make written requests to exercise those rights.
It includes a mailing address and email address where consumers can send their requests, as well as a phone number and link where they can access a copy of the Privacy and Confidentiality Notice:
The Effective Date and How Consumers are Notified About Changes to the Privacy Policy
You should include the effective date of your Privacy Policy and how consumers will be notified about any changes you make to your Privacy Policy.
7 Cups' Privacy Policy explains where consumers can find the effective date of the Privacy Policy and that it will email them if there are any changes made to the Privacy Policy:
Display and Get Consent to Your Privacy Policy
Once your Privacy Policy is written, you need to make sure consumers can easily access it and give consent to it.
One of the most common places to put links to legal documents is within a website footer.
Ascension includes a link to its Privacy Policy along with links to its other legal policies in its website footer:
When it comes to getting consent, the most commonly used and legally effective method is to get users to check a box next to an "I Agree" statement, as seen here:
You can get consent whenever a user shares personal information with you such as when signing up for an account, consenting to cookies being placed, or using a contact form to send you a message.
Give Consumers a Way to Make Rights Requests
The Nevada Consumer Health Data Privacy Law gives Nevada consumers the following rights:
- The right to know whether their health data is being collected, shared, or sold
- The right to obtain a list of third parties that their health data has been shared with or sold to
- The right to request an entity to stop collecting, sharing, or selling their health data
- The right to delete their health data
The Mayo Clinic's Privacy Policy includes links to its Patient Online Services and Patient and Visitor Guide pages, where consumers can make requests concerning their health data:
You must provide consumers with a secure and reliable method for making requests concerning these rights.
Respond to Consumer Requests in a Timely Manner
Once you receive a consumer request, you should respond to it within 45 days. If you need extra time to respond to the request, you can take an additional 45 days, but you will need to inform the consumer about the reasons for the extension within 45 days of receiving the request.
If you receive a deletion request, you will need to respond to it within 30 days. You should delete all consumer data and notify any third parties in possession of the consumer's health data to do the same within those 30 days.
Provide Consumers With a Way to Appeal Your Request Denials
If you decide not to fulfill a consumer's request concerning their health data, you will need to notify them of your decision (in writing).
Once you receive an appeal, you should inform consumers within 45 days about your decision concerning the appeal and your reasons for making it.
If you decide not to take the action requested in the appeal, you will need to provide the consumer with the contact information for the Office of the Attorney General (the regulating entity for the Nevada Consumer Health Data Privacy Law).
Penalties for Nevada Consumer Health Data Privacy Law Noncompliance
This law doesn't create a private right of action. In most cases, a violation of the law constitutes a deceptive trade practice under the Nevada Consumer Protection Act. This means that the Nevada Attorney General will be able to seek injunctive relief and monetary damages, at the Attorney General's discretion, for violations of this law.
Summary
The Nevada Consumer Health Data Privacy Law protects Nevada consumers' health data by providing consumers with rights concerning their health data and requiring organizations that do business within the state of Nevada to follow its rules.
To comply with the Nevada Consumer Health Data Privacy Law, you should take the following steps:
- Get consent before collecting, using, or sharing consumers' health data
- Create and maintain a Privacy Policy that addresses health data
- Provide a way for consumers to make requests concerning their health data
- Give consumers a way to appeal your decisions regarding their requests
Your Privacy Policy should contain health data-specific clauses, including:
- The categories of health data you collect
- What you use the health data you collect for
- Where the health data comes from
- The types of health data you share with third parties
- The kinds of third parties you share health data with
- Your reasons for collecting, using, and/or sharing health data
- How the health data is processed
- How consumers can make requests concerning their health data
- How consumers can appeal your responses to their requests
- The effective date for your Privacy Policy
- How you notify consumers about changes made to your Privacy Policy
Most violations of the Nevada Consumer Health Data Privacy Law will be considered deceptive trade practices and can result in financial penalties.