The Nevada Consumer Health Data Privacy Law (Senate Bill 370) protects Nevada consumers' personal data by restricting the ways entities collect, use, and sell Nevada their private health information.

The law was passed on June 5, 2023 and will go into effect on March 31, 2024.

This article will take you through what the Nevada Consumer Health Privacy Law is, who it applies to, how to comply with the law, and the penalties for noncompliance.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the Nevada Consumer Health Data Privacy Law?

The Nevada Consumer Health Data Privacy Law was created in order to protect Nevada consumer's personal health information.

Protected health information under the law includes information about:

  • Any health conditions, diseases, or diagnoses
  • Social, psychological, medical, or behavioral interventions (such as drugs, surgeries, or medical devices)
  • Surgeries or other health-related procedures (such as medical exams and tests)
  • Medication use or acquisition
  • Bodily functions, vital signs (such as body temperature, pulse rate, respiration rate, and blood pressure), or symptoms
  • Reproductive or sexual health care
  • Gender-affirming health care (treatments for gender dysphoria, hormone treatment, or gender-affirming surgeries)

The law also covers any biometric data or genetic data used in relation to the information listed above and geolocation information as it pertains to receiving health care.

Section 8 of the Nevada Consumer Health Data Privacy Law defines the types of information that count as consumer health data under the law:

Nevada Consumer Health Data Privacy Law: Section 8 excerpt

The Nevada Consumer Health Data Privacy Law does not cover information that is used for:

  • Playing games on a video game platform
  • Identifying a consumer's shopping habits
  • Certain research purposes
  • Public health activities

The law also doesn't cover information that falls under Acts including the Social Security Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.

Who Does the Nevada Consumer Health Data Privacy Law Apply to?

The Nevada Consumer Health Data Privacy Law applies to:

  • Any entities that do business within the state of Nevada and provide products or services to Nevada consumers and
  • Any entities that decide the purposes of processing (using), sharing, or selling Nevada consumers' personal health data

The law does not apply to entities subject to the Health Insurance and Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.

How to Comply With the Nevada Consumer Health Data Privacy Law

The introductory text of the Nevada Consumer Health Data Privacy Law explains that applicable entities must:

  • Create and maintain an accessible Privacy Policy concerning consumer health data
  • Get active consent from consumers before collecting or sharing their health data
  • Respond to consumer requests concerning their health data
  • Have a process for consumers to appeal the entity's decision if their requests are denied
  • Keep consumers' health data secure
  • Only process consumers' health data for specific purposes
  • Only sell consumers' health data under specific circumstances
  • Only use geofencing (a technique for capturing individual's locations through their GPS) under specific circumstances
  • Not discriminate against consumers for exercising their rights
  • Make sure any third parties they contract with that process consumers' health data also comply with this law

Nevada Consumer Health Data Privacy Law: Intro

There are a few steps you can take to comply with the Nevada Consumer Health Data Privacy Law, including getting consent, maintaining a Privacy Policy, giving consumers a way to make requests concerning their health data, responding to consumer requests regarding their health data, and providing a way for consumers to appeal request decisions.

You must get consent from Nevada consumers prior to collecting their personal health data (unless it is necessary to provide a product or service that the consumer has requested from you).

If you want to share a consumer's health data with a third party, you must get explicit consent for that purpose.

The consent for sharing consumers' health data must be obtained separately from the consent for collecting the health data.

Your consent requests must inform consumers of the following:

  • What kinds of health data they are consenting to being collected or shared
  • Your reasons for collecting or sharing the health data
  • What third parties the health data is being shared with
  • How consumers can withdraw their consent

BetterHelp uses a popup banner to inform consumers that it processes personally identifiable information (PII) and personal health information to provide the services outlined in its Privacy Policy:

BetterHelp consent banner for data processing and sharing

It explains that it may share PII with third parties for advertising and analytics purposes, and provides links to its Privacy Policy and its Sharing Settings so that users can learn more about who it shares data with and why, and to opt out.

Create and Maintain a Privacy Policy That References Health Data

You need to maintain a clearly written and regularly updated Privacy Policy that contains relevant clauses related to health data.

Let's take a look at the health data clauses you should include in your Privacy Policy to ensure that it complies with the law.

The Types of Health Data Collected and What You Use it For

This clause explains the categories of health data you collect and what you use the data for.

You can't collect, use, or share consumer's health data for any purposes other than the ones listed in this clause unless you disclose those categories in your Privacy Policy and get consent from consumers before processing it.

Talkspace's Privacy Policy contains a table that describes the types of personal data it collects (including health data), how it obtains the data, and what it does with the data:

Talkspace Privacy Policy: Personal data chart with types of data, how data is obtained and how used

Why the Health Data is Collected, Used, and Shared

This clause explains the reasons why you collect, use, and disclose consumers' health data. You should only collect or process health data when necessary to fulfill the purposes listed in this clause.

Flagler Hospital's Notice of Privacy Practices lets consumers know that it may use or disclose their health data for purposes including treatment, payment, healthcare operations, and appointment reminders:

Flagler Hospital Notice of Privacy Practices: How we may use and disclose medical information about you clause

Where the Health Data is Collected From

You should let consumers know whether you obtain their health data directly, such as through an intake form, or indirectly, such as via third parties or tracking tools.

Laguna Treatment Hospital's Privacy Policy informs consumers that its server automatically logs information about their browsers when they visit its website, and that it collects personal and health data directly from consumers for referral purposes:

Laguna Treatment Hospital Privacy Policy: What information do we collect clause

How You Use Health Data You Collect

This clause should explain how the health data you collect is used.

OhioHealth's Privacy Policy explains how it processes consumers' information, including to improve its website functionality, to fulfill consumer requests, and for communication purposes:

OhioHealth Privacy Policy: Use of your information clause

What Health Data is Shared With Third Parties

You should list the health data that you share with third parties here. You can use this clause to inform consumers that you share their health data with third parties, but you must also get consent from consumers before doing so.

Advanced Dermatology's Notice of Privacy Practices lets consumers know that it may share their private health information (PHI) including treatment information, lab or biopsy results, and information about healthcare operations:

Advanced Dermatology Notice of Privacy Practices excerpt

What Third Parties You Share Health Data With

You can use this clause to list the categories of third parties to whom you disclose consumers' health data.

Riley Children's Health's Privacy Policy lists the third parties it may share consumer's health data with, including service providers, affiliates, law enforcement, and in connection with ownership transfers or mergers:

Riley Childrens Health Privacy Policy: How do we share your information clause

How Consumers Can Submit a Request Concerning Their Health Data

This clause should provide a method for consumers to submit requests about their data. It should also explain how consumers can appeal your decision if their requests are denied.

Dental Health Services' Privacy and Confidentiality Notice informs consumers what their rights are concerning their PHI and lets them know that they can make written requests to exercise those rights;

Dental Health Services Privacy and Confidentiality Notice: Rights regarding privacy section

It includes a mailing address and email address where consumers can send their requests, as well as a phone number and link where they can access a copy of the Privacy and Confidentiality Notice:

Dental Health Services Privacy and Confidentiality Notice: Right to receive a copy section

The Effective Date and How Consumers are Notified About Changes to the Privacy Policy

You should include the effective date of your Privacy Policy and how consumers will be notified about any changes you make to your Privacy Policy.

7 Cups' Privacy Policy explains where consumers can find the effective date of the Privacy Policy and that it will email them if there are any changes made to the Privacy Policy:

7 Cups Privacy Policy: Effective Date and Changes to Privacy Policy clause

Once your Privacy Policy is written, you need to make sure consumers can easily access it and give consent to it.

One of the most common places to put links to legal documents is within a website footer.

Ascension includes a link to its Privacy Policy along with links to its other legal policies in its website footer:

Ascension.org - Privacy Policy in footer highlighted

When it comes to getting consent, the most commonly used and legally effective method is to get users to check a box next to an "I Agree" statement, as seen here:

Dr Kim Brown sign-up form with Agree checkbox highlighted

You can get consent whenever a user shares personal information with you such as when signing up for an account, consenting to cookies being placed, or using a contact form to send you a message.

Give Consumers a Way to Make Rights Requests

The Nevada Consumer Health Data Privacy Law gives Nevada consumers the following rights:

  • The right to know whether their health data is being collected, shared, or sold
  • The right to obtain a list of third parties that their health data has been shared with or sold to
  • The right to request an entity to stop collecting, sharing, or selling their health data
  • The right to delete their health data

The Mayo Clinic's Privacy Policy includes links to its Patient Online Services and Patient and Visitor Guide pages, where consumers can make requests concerning their health data:

Mayo Clinic Privacy Policy: How to exercise rights section

You must provide consumers with a secure and reliable method for making requests concerning these rights.

Respond to Consumer Requests in a Timely Manner

Once you receive a consumer request, you should respond to it within 45 days. If you need extra time to respond to the request, you can take an additional 45 days, but you will need to inform the consumer about the reasons for the extension within 45 days of receiving the request.

If you receive a deletion request, you will need to respond to it within 30 days. You should delete all consumer data and notify any third parties in possession of the consumer's health data to do the same within those 30 days.

Provide Consumers With a Way to Appeal Your Request Denials

If you decide not to fulfill a consumer's request concerning their health data, you will need to notify them of your decision (in writing).

Once you receive an appeal, you should inform consumers within 45 days about your decision concerning the appeal and your reasons for making it.

If you decide not to take the action requested in the appeal, you will need to provide the consumer with the contact information for the Office of the Attorney General (the regulating entity for the Nevada Consumer Health Data Privacy Law).

Penalties for Nevada Consumer Health Data Privacy Law Noncompliance

This law doesn't create a private right of action. Violations of the law will constitute a deceptive trade practice under the Nevada Consumer Protection Act under most cases of violations. This means that the Nevada Attorney General will be able to seek injunctive relief and monetary damages, under his discretion, for violations of this law.

Summary

The Nevada Consumer Health Data Privacy Law protects Nevada consumers' health data by providing consumers with rights concerning their health data and requiring organizations that do business within the state of Nevada to follow its rules.

To comply with the Nevada Consumer Health Data Privacy Law, you should take the following steps:

  • Get consent before collecting, using, or sharing consumers' health data
  • Create and maintain a Privacy Policy that addresses health data
  • Provide a way for consumers to make requests concerning their health data
  • Give consumers a way to appeal your decisions regarding their requests

Your Privacy Policy should contain health data-specific clauses, including:

  • The categories of health data you collect
  • What you use the health data you collect for
  • Where the heath data comes from
  • The types of health data you share with third parties
  • The kinds of third parties you share health data with
  • Your reasons for collecting, using, and/or sharing health data
  • How the health data is processed
  • How consumers can make requests concerning their health data
  • How consumers can appeal your responses to their requests
  • The effective date for your Privacy Policy
  • How you notify consumers about changes made to your Privacy Policy

Most violations of the Nevada Consumer Health Data Privacy Law will be considered deceptive trade practices and can result in financial penalties.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy