The Act creates limitations and obligations for regulated entities on collecting, processing, sharing and selling information, and grants individual rights to consumers, similar to rights and obligations proscribed by most state comprehensive privacy laws across the country. However, the scope of the Act is limited to regulated entities that process consumer health data, as elaborated below.
Scope and application
A “regulated entity” is any person who conducts business in the state of Nevada, or who produces services or products targeted at consumers in the state. In addition, for coverage, the person must -- either alone or with other persons – determine the purpose or means of processing, selling or sharing consumer health data.
“Consumer health data” is information that is linked or is reasonably capable for being linked to a consumer, and that a regulated entity uses to identify the past, present, or future health status of a consumer. The definition includes a wide range of information, including information relating to any health conditions, status, disease or diagnosis; social, psychological, behavioral or medical interventions; surgeries or health-related procedures; acquisition of medication; bodily functions, vital signs and symptoms; reproductive or sexual health care; and gender- affirming care; as well as any biometric or genetic data related to the above categories. In addition, “consumer health data” also includes any precise geolocation information used to indicate an attempt by a consumer to receive health care services and any information described above that is extrapolated from or inferred automatically from any personal information.
The definition of “consumer health data” could be interpreted to include any information that directly or indirectly indicates or can be associated with a consumer’s health status. Thus, any entity could fall within the scope of the Act, if it collects or processes any information related to the health status of a consumer – whether the entity provides health care or related services, or not.
The term “consumer” is defined as a natural person who has requested a product or service from a regulated entity, who is a resident of Nevada, and whose consumer health data is collected. The Act expressly excludes individuals acting in an employment context or as an agent of a governmental entity.
The Act exempts entities that are subject to the federal Health Insurance Portability and Accountability Act and the federal Graham-Leach-Billey Act.
The Act does not apply to information governed by the Social Security Act, the Fair Credit Reporting Act, the Family Educational rights and Privacy Act, the Health Care Quality Improvement Act, information processed for any governmental person, law enforcement. This exclusion would apply even to patient identifying information, patient safety work product, and information used for research, for public health activities. The Act also does not apply to de-identified information.
Obligations of Regulated Entities
The responsibilities of a Regulated Entity include the following:
- Obtain affirmative, voluntary consent for collection, processing, disclosure, or sharing of consumer health data, unless the activity is necessary to provide the consumer with a product or service that the consumer has requested from the entity.
- Refrain from selling, or offering to sell, consumer health data without the written authorization of the consumer to whom the data pertains. If the consumer provides written authorization, the entity must provide the consumer with the means to withdraw the authorization. It is also unlawful to condition the provision of services upon such a written authorization.
- Establish, implement and maintain policies and procedures to maintain the administrative, technical, and physical security of consumer health data.
- Enter into agreements with data processors that outline their responsibilities with respect to consumer health data.
Consumers will have the following rights under the Act:
- To know or confirm that the regulated entity is collecting, processing, and sharing health data relating to the consumer.
- To know with whom the regulated entity has shared consumer health data or to whom the data was sold.
- To request that the regulated entity cease processing of the consumer health data.
- To request the deletion of their health data.
- To not be discriminated against for exercising their rights.
Prohibition of geofencing. One noteworthy provision of the new law is that it will prohibit geofencing in and around health care facilities.
Violations. A violation of the Act may constitute a deceptive trade practice for which the Attorney General may seek injunctive relief and/or civil penalties pursuant to NRS Ch 598. No private right of action is provided for under the law.
Companies offering services or products to consumers in Nevada should evaluate whether their collection or processing of consumer health information falls within the definition of the Act. If a business is subject to the Act, it should address its obligations to establish the required policies, procedures, and disclosures, and make any necessary contractual arrangements in accordance with the Act.