(Health) Data is What (Health) Data Does in Nevada
Note: This title is inspired by Professor Daniel J. Solove’s recent essay, ‘Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data.’
On June 16, 2023, Nevada Senate Bill 370 (SB 370) was signed into law by Governor Lombardo, making Nevada the second state, after Washington, to pass broad-based consumer health data privacy legislation this session. The act will take effect on March 31, 2024.
The Washington ‘My Health, My Data’ Act (MHMD), which was enacted on April 27, 2023, established a first-of-its-kind, comprehensive framework within U.S. law for the protection of consumer health data and health-related inferences. To help stakeholders assess how SB 370 fits into the expanding U.S. state health privacy landscape, the Future of Privacy Forum has released a chart comparing SB 370 to MHMD.
SB 370 and MHMD adopt similar, but not identical, frameworks for protecting personal health data. Both laws restrict the disclosure of personal health data to third parties and limit the use of geofencing to collect information from or target content to people entering health care facilities. SB 370, however, establishes a use-based definition of “consumer health data,” applies to a narrower scope of covered entities, gives businesses greater flexibility in responding to access and deletion requests, and is enforceable solely by the state Attorney General.
Key differences include the following:
1. SB 370 applies to a narrower, use-based range of “consumer health data.” Rather than governing all consumer personal data that could potentially identify health status, SB 370 applies to information that a regulated entity “uses to identify the past, present or future health status of the consumer.” Furthermore, SB 370 excludes certain personal information concerning consumer shopping habits and interests.
2. Compared to MHMD, SB 370 covers fewer organizations: it excludes entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), among others. By contrast, MHMD excludes data that is subject to HIPAA and GLBA, but not HIPAA- and GLBA-regulated entities in their entirety. Both laws apply to entities that “conduct business” in the state in which they were enacted or provide products or services targeted to state consumers and, solely or with others, “determine the purpose and means of processing, sharing, or selling consumer health data.”
3. SB 370 grants individuals a more limited “right to access” than MHMD. The law allows consumers to request access to a list of the third parties with whom a regulated entity has shared their consumer health data, but, unlike MHMD, does not grant individuals the right to access a copy of their health data held by the regulated entity.
4. Under SB 370, regulated entities have greater flexibility in responding to deletion requests. Entities are granted up to two years to comply with deletion requests for consumer health data contained within archival or backup systems, as opposed to the six months provided for under MHMD.
5. While MHMD contains a provision for enforcement through a private right of action, SB 370 is enforceable solely by the state Attorney General.