Healthcare Privacy Laws & Regulations Around the World

Author

Anas Baig

Product Marketing Manager at Securiti

Published December 25, 2023

In the digital era, health data, such as genetic or biometric information, is as valuable and sensitive as any other category of personal information, for individuals across the globe. Hence, apart from complying with general data protection and privacy laws, organizations must also comply with health data privacy laws to protect consumers' health data and avoid legal consequences.

This tracker contains a list of healthcare data privacy laws around the world.

Global Healthcare Data Privacy Laws

Health data privacy laws govern the collection, processing, and protection of health-related data. They cover all types of health information, including genetic, biometric, physical, mental, and general patient data. The Health Insurance Portability and Accountability Act (HIPAA) is one of the best examples of a comprehensive federal health data privacy law in the US. Let’s take a look at some of the other general health data protection laws across the US states.

Nevada Health Data Privacy Law

Status

The Nevada Governor approved Senate Bill 370 (Nevada’s Consumer Health Data Privacy Law), which imposes requirements on the collection, use, and sale of consumer health data. It comes into effect on March 31, 2024.

Applicability

The law applies to any person who operates in the state of Nevada or provides products or services to consumers in Nevada. Regulated entities also include persons who, alone or in partnership with another person, determine the purpose and means of processing, sharing, or selling consumer health data. However, the law does not apply to:

  • any person or entity subject to HIPAA;
  • information created for compliance with the Healthcare Quality Improvement Act of 1986;
  • patient data, including substance use disorder records;
  • research, public health activities, and state-authorized data collection;
  • personally identifiable information under specific federal laws (Gramm-Leach-Bliley Act, Social Security Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act);
  • entities processing consumer health data on behalf of governments or tribes.

Data Subject Rights

Under the law, consumers have several rights. These include the right to:

  • request that a regulated entity confirm whether it collects, processes, or sells the consumer’s health data;
  • access a list of the third parties to whom the consumer’s health data is sold or shared;
  • request that the regulated entity cease collecting, processing, or selling the consumer’s health data; and
  • request that the regulated entity delete the consumer’s health data.

Obligations of Regulated Entities

Privacy Policy/Notice

The law requires regulated entities to create, maintain, and display a privacy notice on their main internet website. The notice must include specific information, such as the categories of consumer health data collected, the sources from which it is collected, the third parties and affiliates with which the data is shared, the purpose of collection, consumers’ privacy rights, and the process for notifying a consumer whose health data is collected by the regulated entity.

Consent

A regulated entity must not collect consumer health data except with the affirmative and voluntary consent of the consumer, or to the extent necessary to provide a product or service the consumer has requested.

Restrict Access to Data

A regulated entity must restrict access to consumer health data to authorized employees and processors only. Access may be granted only where it is reasonably necessary either to further the purpose for which the consumer's consent was obtained or to provide products or services requested by the consumer.

Sharing/Sale

The law prohibits selling, or offering to sell, a consumer’s health data without the consumer’s written authorization, or in a manner that is outside the scope of or inconsistent with that written authorization. The authorization must be provided in plain language and include specific descriptions. A regulated entity may share health data with the consumer’s consent, when necessary to provide a requested service, or when required by law. The consent for sharing a consumer’s health data must be obtained separately from the consent for collecting it.

Security Measures

Regulated entities are required to implement appropriate technical, security, and administrative controls to protect consumer health data. These controls must meet the security standards of the industry in which the regulated entity operates, protect the accessibility, integrity, and confidentiality of consumer health data, and be reasonable in light of the volume and nature of the consumer health data.

Geofencing Restriction

The law prohibits any person from implementing a geofence within 1,750 feet of any medical facility that provides health care services for the purpose of tracking consumers seeking in-person health care services, collecting consumer health data, or sending consumers notifications related to their health care services.

Regulatory Authority

The Nevada Attorney General has the exclusive right to enforce and implement the provisions of the law.

Penalties for Non-Compliance

The law does not provide a private right of action. However, violations of the law are treated as deceptive trade practices and are therefore enforceable by the state Attorney General. The court may impose a penalty of not more than $12,500 for each violation.

Washington My Health My Data Act

Status

Washington’s House Bill 1155, commonly known as the My Health, My Data Act (MHMDA), was signed into law on 27 April 2023. The law governs regulated entities and small businesses, each with its own implementation deadline. The prohibition on geofencing has no specific effective date; therefore, under Washington legislative convention, it takes effect 90 days from the end of the current legislative session, on July 22, 2023. All other requirements for regulated entities are effective from March 31, 2024. Small businesses, however, have been given an additional year and must be compliant starting June 30, 2024.

Applicability

The MHMDA broadly applies to all ‘regulated entities’, meaning any legal entity that conducts business in Washington, or produces or provides products or services targeted to consumers in Washington, and that, alone or jointly with others, determines the purpose or means of collecting, processing, sharing, or selling consumer health data. An entity that only stores data in Washington is not a regulated entity. The MHMDA creates blanket exemptions for three categories of organizations: government agencies, tribal nations, and “contracted service providers when processing consumer health data on behalf of a government agency”.

In addition, the MHMDA applies to small businesses, meaning regulated entities that satisfy either of the following conditions:

  • collect, process, sell, or share the consumer health data of fewer than 100,000 consumers during a calendar year; or
  • derive less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and control, process, sell, or share the consumer health data of fewer than 25,000 consumers.

Data Subject Rights

Under the MHMDA, consumers have the right to confirm whether an entity collects, processes, or shares their consumer health data, to access a list of the third parties with which the data is shared or sold, to withdraw consent from the entity’s collection or sharing of their consumer health data, and to request deletion of their consumer health data. Consumers are also entitled to a list of the names and email addresses (or other online contact mechanisms) of third parties and affiliates with whom the data was “shared” or “sold.”

Obligations of the Regulated Entities

Privacy Policy/Notice

All regulated entities must create and maintain a privacy policy that “clearly and conspicuously” communicates the categories of consumer health data collected, the purpose of collection, the categories of sources from which it is collected, the categories of data shared, the list of third parties with which it is shared, and consumers’ privacy rights. Regulated entities and small businesses must publish a link to their privacy policy on their homepage.

Consent

Consent is one of the essential components of the MHMDA. Consent must be obtained before collecting or sharing consumer health data, and the consent for collecting consumer health data must be distinct and separate from the consent obtained for sharing it. Where the collection or sharing of consumer health data is necessary to provide a product or service that a consumer has requested, consumer consent is not required. However, there is no ‘necessity’ exception for secondary uses of consumer data or for the “sale” of such data.

Sharing/Sale

The MHMDA requires all persons to obtain a valid authorization from the consumer before selling or offering to sell consumer health data. The authorization must be separate and distinct from the consent obtained for collecting or sharing the data. An authorization is valid for only one year, and both the seller and the buyer must retain a copy of it for six years.

Restricted Access to Data

Regulated entities and small businesses must restrict access to consumer health data to only those employees, processors, and contractors for whom access is necessary to further the purpose for which consent was obtained.

Security Measures

Regulated entities and small businesses must implement technical and physical data security measures that, at a minimum, satisfy reasonable industry standards, are appropriate to the volume and nature of the data, and ensure the confidentiality, integrity, and accessibility of consumer health data.

Geofencing Restriction

It is illegal for any person to implement a geofence around a facility that provides healthcare services in order to identify or track a consumer seeking healthcare services, collect health data from consumers, or send notifications, messages, or advertisements to consumers based on their health data or healthcare services.

Regulatory Authority

The Attorney General of Washington is responsible for enforcing and implementing the provisions of MHMDA.

Penalties for Non-Compliance

Violations of the MHMDA are deemed unfair or deceptive trade practices under Washington’s Consumer Protection Act.
