Categories: Cyber Security, Privacy and Security, Privacy and Security Law
, ,

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

SB 370 is the third state law of its kind, aimed at regulating consumer health data and entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) or other sector specific federal laws. In May 2023, Washington state enacted the My Health My Data Act; and in June 2023, Connecticut amended its recently-enacted Data Privacy Act to govern “consumer health data” with respect to consent, contracting and geofencing requirements.  Each of these state laws imposes specific requirements on entities with respect to the consumer health data they collect, process, store, and maintain outside of traditional health care settings. Click here for EBG’s previous discussions of the My Health, My Data Act, along with other recent state privacy law developments.

These state laws share a number of similarities, including prohibitions on the collection and sharing of consumer health data without notice and consumer consent, as well as prohibitions on the sale of consumer health data absent written authorization from consumers. However, SB 370 differs from the analog Washington and Connecticut laws in some important respects.

Key Provisions of SB 370

SB 370 applies to “regulated entities,” a term defined as meaning any person who: (1) conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada; and (2) alone or with another person(s), determines the purpose and means of processing, sharing, or selling consumer health data. Exempted entities and information types include entities subject to HIPAA; certain data collected for research, entities, and information subject to the Gramm-Leach-Bliley Act; information governed by the Fair Credit Reporting Act; information governed by the Family Educational Rights and Privacy Act; information processed by a governmental or tribal entity; and law enforcement agencies.

Regulated entities are subject to the following provisions:

  • SB 370 does not create a private right of action. Rather, violations of SB 370 will be deemed deceptive trade practices enforceable by the state Attorney General.
  • Similar to the requirements of California’s California Consumer Privacy Act (“CCPA”) (which we previously discussed here), SB 370 requires regulated entities publish consumer health data privacy policies that describe a number of elements, including but not limited to:
    • Categories of consumer health data collected;
    • Manner in which collected consumer health data will be used;
    • Categories of sources from which the consumer health data is collected;
    • Categories of consumer health data shared with other entities;
    • Categories of entities with which the consumer health data is shared;
    • Purposes for collecting, using, and sharing consumer health data; how consumers may exercise their consumer health data rights;
    • The process for which a consumer can review and request changes to their health data that is collected by the regulated entity;
    • The process by which the regulated entity notifies consumers whose health data is collected by the regulated entity of material changes to the appliable privacy policy; and
    • Whether third parties “may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity[.]”
  • Before collecting consumer health data, regulated entities must either: (1) obtain affirmative, voluntary consent from consumers, or (2) collection must be necessary to provide a product or service the consumer has requested.
  • Similarly, before sharing consumer health data, regulated entities must satisfy either of the following: (1) obtain affirmative, voluntary consent from consumers, (2) collect such data as necessary to provide a product or service the consumer has requested, or (3) collect such data as is otherwise authorized by law. Note that consents obtained for collection and sharing must be “separate and distinct.”
  • No person may sell or offer to sell consumer health data without the relevant consumer’s written authorization. Authorizations for sale must include, but are not limited to, a description of the consumer health data to be sold, a description of the purpose of the sale, the name and contact information of the persons selling and purchasing the data, and the expiration date of the authorization. Consumers must also be afforded a revocation right.
  • Similar to requirements under the HIPAA Security Rule, entities regulated under SB 370 must implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data. These policies must: (1) satisfy the standard of care in the industry in which the regulated entity operates to protect the confidentiality, integrity, and accessibility of consumer health data; (2) comply with the provisions of Nevada’s Data Security and Breach statutes, where applicable; and (3) be reasonable, taking into account the volume and nature of the consumer health data at issue.
  • Entities subject to CCPA will also recognize the obligations that SB 370 places on “processors” (defined as “a person who processes consumer health data on behalf of a regulate entity”) to only process consumer health data pursuant to a contract between the processor and regulated entity.

It should also be noted that SB 370 appears to contemplate future preemption by stating that the law would not apply to “[t]he collection or sharing of consumer health data where expressly authorized by any provision of federal or state law.” 

Epstein Becker Green will be closely monitoring the nationwide privacy landscape as states continue to introduce their own privacy laws in the absence of comprehensive federal legislation. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, or data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.

Tags: Alaap Shah, Amy Cooperstein, Audrey Davis, California Privacy Rights Act (CPRA), CCPA, Christopher Taylor, Connecticut, Consumer Health Data Privacy, Cybersecurity, Data Privacy Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, My Health My Data Act, Nevada, Nevada Data Security and Breach statute, Privacy Attorney, Senate Bill 370, Washington
Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.