What To Know About New Nevada Consumer Health Data Privacy Bill

Nevada’s legislature passed its Consumer Health Data Privacy bill on June 5. The bill, if signed into law by Governor Joe Lombardo, would take effect on March 31, 2024. If signed into law, the Nevada bill would join Washington’s “My Health Data Act” and the new health data law passed by Connecticut in providing additional protections for consumer health-related data.

Like the Washington and Connecticut laws, the Nevada bill limits what entities can do with health data without consumer consent or valid authorization. Here’s what’s essential to know about the new Nevada bill.

• What data is covered by the bill? The law would apply to consumer health data which it defines as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.” This consumer health data would include health condition, status, disease or diagnosis, social psychological, behavioral, or medical intervention, surgeries, use or acquisition of medication, bodily functions, vital signs, or symptoms, reproductive or sexual health care, gender-affirming care, biometric data, genetic data, precise geolocation data used to indicate a consumer’s attempt to receive health care service or products, and any data that is derived or extrapolated from information that is not consumer health data through an algorithm, machine learning, or any other means that collectively is health-related. This very broad definition does exclude data that is related to shopping habits or gaming information.
• Which entities are covered by the bill? The law would apply to any person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in Nevada. This definition is far broader and lacks the limitations found in many of the state consumer data protection acts related to the amount of data collected by the entity. There are exemptions provided for entities that are subject to HIPAA, GLBA, FCRA, and information governed by FERPA.
• No collection or sharing of consumer health data without consent. Perhaps the most impactful part of the law is the prohibition on collecting or sharing any consumer health data without first receiving affirmative, voluntary consent from consumers. Much remains to be seen in terms of how this law will be enforced or the specific impacts of the law, but this prohibition would appear to require businesses to provide consumers with enough knowledge about what the entity is doing with their consumer health data for the consumer to provide voluntary consent.
• No geofencing. The law prohibits the collection of precise geolocation data about consumers. Specifically, the law would prohibit the collection of data identifying the precise location of a consumer within 1,750 feet of their exact position.
• Restriction on the sale of consumer health data. Consumer health data may not be sold unless valid authorization is received. The law lays out the requirements for valid authorizations and requires they contain specific information, such as a description of the purpose of the sale and the name and contact information of the person or entity that is purchasing the data.

While limited to consumer health data this law, and similar laws in Washington and Connecticut, are likely to impact more than just healthcare facilities. As this law authorizes fines of up to $5,000 per violation and criminal prosecution, it is important to understand and observe your business’s potential obligations under this law.

For more information about this law, please contact the legal professionals at Clark Hill, PLC.

The views and opinions expressed in the article represent the views of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.