Nevada Data Privacy Law for Healthcare: SB 370 Requirements and Compliance Guide
Regulated Entities and Scope
Who is covered
SB 370 applies to regulated entities that do business in Nevada or offer products or services targeted to Nevada consumers and determine the purposes and means of processing consumer health data. It also covers processors that handle such data on behalf of a regulated entity.
Scope of activities
The law reaches the collection, use, sharing, and sale of consumer health data in both digital and offline contexts. It applies across care delivery, telehealth, health apps, wearables, and adtech that touch health-related signals.
Territorial reach and thresholds
Coverage is based on Nevada-directed activity rather than revenue or dataset-size thresholds. If you market to, monitor, or serve Nevada consumers—or collect consumer health data in Nevada—you should evaluate applicability.
Operational implications for healthcare
Hospitals, clinics, telemedicine platforms, digital therapeutics, EHR and billing vendors, and health-adjacent apps must map data flows, confirm roles (regulated entity vs. processor), and ensure contracts and workflows align with SB 370 requirements.
Consumer Health Data Definitions
Core definition
Consumer health data is personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status. It includes obvious medical details and less obvious signals that can reveal health status.
Illustrative examples
- Diagnoses, conditions, treatments, procedures, and clinical notes.
- Prescription and over‑the‑counter medication data, lab results, and imaging.
- Biometric and genetic data, including heart rate, sleep, and fertility metrics from devices.
- Reproductive and sexual health information and related behavioral inferences.
- Precise location data and visit patterns that could indicate a consumer sought health care services.
Exclusions and deidentification
Properly deidentified or publicly available information is outside scope. The HIPAA exemption also removes HIPAA-protected health information from SB 370, though covered entities should confirm when they process consumer health data outside HIPAA contexts.
Consent and Authorization Requirements
Separate consent requirement
You must obtain clear, opt‑in consent before collecting consumer health data unless a narrow exception applies (for example, to provide a service the consumer requested). Consent must be specific to each purpose, easy to understand, and not bundled with unrelated terms.
Sharing, sale, and downstream use
Sharing consumer health data generally requires separate consent, and any sale or monetization typically requires a distinct, more formal authorization. Your records should show when, how, and for what purposes each consent or authorization was obtained and whether it has been withdrawn.
Consent management practices
- Present granular choices by data category and purpose, with plain-language just‑in‑time notices.
- Offer straightforward withdrawal that is as easy as giving consent, and honor it across systems.
- Flow consent signals to processors and third parties; prevent use beyond disclosed purposes.
Privacy Policy Development
Privacy policy obligations
You must maintain a consumer health data privacy policy that is prominent and accessible. It should explain what you collect, why you collect it, how you use it, with whom you share it, retention practices, and how consumers can exercise their rights.
Required data sharing disclosures
- Categories of consumer health data collected and the specific purposes for each category.
- Categories of sources and of third parties and affiliates with whom you share consumer health data.
- How consumers can submit, authenticate, and track rights requests and withdrawals of consent.
- Retention schedules and deletion practices tied to articulated purposes.
Governance and safeguards
Adopt role‑based access, processor agreements, and administrative, technical, and physical safeguards proportionate to the sensitivity of the consumer health data you handle. Review and update the policy regularly and keep version histories.
Consumer Rights and Data Requests
Available rights
- Right to know whether you collect, share, or sell consumer health data.
- Right to access data and obtain a list of third parties and affiliates that received it.
- Right to delete consumer health data and require downstream deletion where applicable.
- Right to withdraw consent without losing service functionality unrelated to the withdrawn purpose.
Request handling
Publish clear instructions for submitting requests, authenticate consumers reasonably, and respond within the law’s timelines. Keep an auditable log of requests, response dates, and outcomes, and ensure processors help you fulfill obligations.
Data minimization and retention
Collect only what is reasonably necessary for disclosed purposes and retain it no longer than needed. Align deletion workflows with your retention schedule and ensure backups and archives are covered.
Restrictions on Geofencing Practices
Geofencing prohibitions
SB 370 restricts the use of geofencing around locations that provide in‑person health care services when used to identify or track consumers, collect consumer health data, or send notifications, messages, or advertisements related to health care services.
Practical controls
- Disable location‑based audience creation and suppression around health care facilities.
- Contractually bar adtech partners from using geofences for health‑related targeting or data collection.
- Use privacy reviews to vet campaigns and SDKs that access precise location or Bluetooth beacons.
Exemptions and Enforcement Mechanisms
Key exemptions
The HIPAA exemption removes HIPAA‑protected health information handled by covered entities and business associates. Additional exemptions typically include deidentified data, publicly available information, and data processed for certain research or compliance purposes.
Regulatory enforcement
Enforcement rests with state authorities, and violations can lead to investigations, injunctive relief, and civil penalties. There is no private right of action under SB 370. Treat violations as serious compliance events and document remedial steps promptly.
Bottom line: map your consumer health data, implement the separate consent requirement, deliver precise data sharing disclosures in a robust privacy policy, operationalize rights and deletion, and prevent prohibited geofencing to maintain durable SB 370 compliance.
FAQs
What constitutes consumer health data under Nevada law?
It is personal information linked or reasonably linkable to a consumer that reveals or could infer physical or mental health status—ranging from diagnoses and treatment details to biometric readings, reproductive health information, medication data, and precise locations that indicate a visit to a health care facility.
How must regulated entities obtain consent for data collection?
You must use a clear, affirmative, and purpose‑specific opt‑in. The separate consent requirement means consent to collect consumer health data cannot be bundled with general terms or unrelated permissions. Keep records of consents, allow easy withdrawal, and cascade consent signals to partners.
What consumer rights does SB 370 provide?
Consumers can know whether you collect, share, or sell their consumer health data; access it and learn who received it; delete it (with downstream deletion where applicable); and withdraw consent without unfair treatment tied to unrelated features or services.
When does the Nevada healthcare data privacy law take effect?
SB 370 took effect on March 31, 2024. If you process consumer health data related to Nevada consumers or within Nevada, you should already be operating under these requirements.