Nevada Health Data Privacy Law (SB 370) Explained: Your Rights and Compliance Requirements

Kevin Henry

Data Privacy

June 06, 2025

8 minute read

Overview of SB 370

Nevada’s SB 370 is a consumer health data privacy law that sets clear rules for how businesses collect, use, share, and sell information about your health. It fills gaps left by federal health privacy laws by covering apps, websites, advertisers, retailers, and other services that handle health-related data outside traditional healthcare settings.

The law applies to regulated entities that conduct business in Nevada or target Nevada residents and determine the purposes and means of processing consumer health data. Processors that handle such data on behalf of others must also support regulated entities’ compliance obligations. The core obligations for regulated entities are:

  • Publish a consumer health data privacy policy with transparent data sharing disclosures.
  • Obtain affirmative consent for collection and separate consent for sharing consumer health data.
  • Secure written authorization before selling consumer health data.
  • Honor consumer rights to access, delete, and receive copies of their data, and to withdraw consent.
  • Refrain from geofencing medical facilities to identify or track consumers, collect health data, or target them with messages.
  • Implement safeguards and vendor controls; violations are subject to deceptive trade practices enforcement.

Consumer Health Data Definitions

Consumer health data means personal information that identifies or can be reasonably linked to you and reveals, relates, or could be used to infer your physical or mental health status. The definition is intentionally broad to capture modern data signals beyond traditional medical records.

  • Diagnoses, conditions, treatment information, symptoms, medications, and recovery status.
  • Reproductive and sexual health information, fertility or pregnancy-related data, and menstrual or family planning details.
  • Mental health, disability status, and substance use information.
  • Genetic data and biometric health data when used to identify you or draw health-related inferences (for example, facial scans for patient check-in or fingerprints used for medication dispensing).
  • Location data and visit patterns that indicate a trip to a medical facility, pharmacy, or clinic.
  • Inferences from behaviors—such as use of a period-tracking app or purchase of home test kits—that reasonably suggest a health condition.

Certain information may be outside scope when another law squarely governs it (for example, protected health information under HIPAA), as well as de-identified or publicly available data. However, if data can be linked back to you or used to infer your health status, it is generally treated as consumer health data.

Consent and Written Authorization

Before collecting consumer health data that is not strictly necessary to provide a service you requested, businesses must obtain your affirmative consent. Consent must be freely given, specific, informed, and unambiguous: no prechecked boxes, vague bundling, or dark patterns.

Sharing consumer health data with third parties typically requires separate, purpose-specific consent. You must be able to withdraw consent as easily as you gave it, and businesses should document consent decisions and honor them promptly.

  • Provide clear, just-in-time notices that describe the categories of data, purposes, and recipients.
  • Offer granular choices for distinct purposes (for example, analytics versus advertising).
  • Record and retain proof of consent and its scope; respect revocation without delay.

Selling consumer health data is more restricted: a business must obtain your written authorization before any sale. That authorization should be separate from general terms, describe what data will be sold, to whom, and for what purpose, and explain that you can revoke it. Conditioning service access on a sale authorization is not permitted.
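The three consent tiers described above (collection consent, separate purpose-specific sharing consent, and written authorization for sale) map naturally onto an append-only consent ledger. The following is an added example written for this article, not code from the article's author or from any vendor product; the purpose names, the evidence-type strings, and the rule that sale accepts only `written_authorization` evidence are assumptions made for illustration.

```python
"""Purpose-scoped consent ledger (added example; purpose names and evidence
types are assumptions, not terms defined by SB 370).

Design points a practitioner would want:
  * consent is tracked per purpose, so consent to collect never implies
    consent to share, and sharing consent never implies permission to sell;
  * revocation takes effect immediately and is itself an audited event;
  * the log is append-only, so the entity retains proof of each decision
    and its scope;
  * evidence that is not valid affirmative consent (prechecked boxes,
    implied consent) is rejected at grant time.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

SALE_PURPOSE = "sell"
# Evidence types that never amount to affirmative consent (assumed labels).
INVALID_EVIDENCE = frozenset({"prechecked_box", "implied", "bundled_terms"})
# Only this evidence type satisfies the separate written-authorization requirement for sale.
SALE_EVIDENCE = "written_authorization"


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # e.g. "collect", "share:advertising", "share:analytics", "sell"
    action: str       # "grant" or "revoke"
    evidence: str     # how the decision was captured
    at: datetime


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []   # append-only audit log

    def grant(self, subject_id: str, purpose: str, evidence: str,
              at: Optional[datetime] = None) -> bool:
        """Record a grant; returns False (and records nothing) if the evidence is not acceptable."""
        if evidence in INVALID_EVIDENCE:
            return False
        if purpose == SALE_PURPOSE and evidence != SALE_EVIDENCE:
            return False
        self._events.append(ConsentEvent(subject_id, purpose, "grant", evidence, at or _now()))
        return True

    def revoke(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """Withdrawal is recorded as its own event so the timeline stays provable."""
        self._events.append(ConsentEvent(subject_id, purpose, "revoke", "consumer_request", at or _now()))

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """True only if the latest event for exactly this subject and purpose is a grant."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def proof(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The retained evidence trail for one subject and purpose, in order."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def release_to_third_party(ledger: ConsentLedger, subject_id: str, purpose: str, payload: dict) -> dict:
    """Gate every outbound share or sale on the ledger rather than on a cached flag."""
    if not ledger.is_permitted(subject_id, purpose):
        raise PermissionError(f"no current consent for {subject_id!r} / {purpose!r}")
    return payload
```

Because `is_permitted` replays the log rather than reading a mutable flag, a revocation that arrives between the consent check and the export is honored on the next call, and `proof` gives the record a regulator would ask for.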

Geofence Restrictions Near Medical Facilities

SB 370 restricts the use of geofencing technology around medical facilities to protect health data confidentiality. Businesses may not create or use geofences to identify or track individuals, collect health data, or target ads based on a person’s presence in the vicinity of a facility that provides health services.

  • Prohibited practices include drawing a virtual boundary around a clinic or hospital to capture device identifiers or push targeted health-related messages.
  • Campaigns that retarget people because they visited a medical facility, or that infer conditions from such visits, are not allowed.
  • Compliance steps include disabling location-based advertising near sensitive sites and contractually restricting vendors from geofence-based targeting in these areas.
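A concrete form of the suppression step above is a pre-targeting filter that drops device location when it falls within a configured distance of a known medical facility and strips any audience segment derived from facility visits. The following is an added example for this article, not the author's or any ad-tech vendor's code; the facility coordinates are constructed, the `visited:medical` segment prefix and request shape are assumptions, and the radius is a policy parameter you should set from your counsel's reading of the statute's geofence definition rather than from this example.

```python
"""Geofence suppression filter for ad requests (added example; facility list,
radius, and request format are assumptions).

The filter runs before any targeting logic sees the request, so a location
near a sensitive site is never available to bidding, frequency capping, or
audience building. Great-circle distance is computed with the haversine
formula, which is accurate to well under a metre at these scales.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

# Assumed policy radius in metres; not a figure taken from the statute.
SUPPRESSION_RADIUS_M = 600.0
# Assumed naming convention for segments built from medical-facility visits.
PROHIBITED_SEGMENT_PREFIX = "visited:medical"


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float


# Constructed sample registry; a real deployment would load a maintained facility dataset.
SENSITIVE_FACILITIES: List[Facility] = [
    Facility("Example Community Clinic", 36.1200, -115.1700),
    Facility("Example Pharmacy", 36.1500, -115.2000),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def nearest_facility(lat: float, lon: float,
                     facilities: List[Facility] = SENSITIVE_FACILITIES) -> Tuple[Optional[Facility], float]:
    """Closest registered facility and its distance; (None, inf) if the registry is empty."""
    best: Optional[Facility] = None
    best_d = math.inf
    for f in facilities:
        d = haversine_m(lat, lon, f.lat, f.lon)
        if d < best_d:
            best, best_d = f, d
    return best, best_d


def sanitize_ad_request(request: Dict,
                        facilities: List[Facility] = SENSITIVE_FACILITIES,
                        radius_m: float = SUPPRESSION_RADIUS_M) -> Dict:
    """Return a copy of the request that targeting is allowed to see.

    The input is never mutated, so the raw request can still be logged
    separately for audit if your retention policy allows it.
    """
    out = dict(request)
    # Retargeting on facility visits is prohibited regardless of where the device is now.
    out["segments"] = [s for s in request.get("segments", [])
                       if not s.startswith(PROHIBITED_SEGMENT_PREFIX)]
    out["geo_suppressed"] = False
    loc = request.get("location")
    if loc is not None:
        f, d = nearest_facility(loc["lat"], loc["lon"], facilities)
        if f is not None and d <= radius_m:
            out.pop("location")          # deny location-based targeting near the facility
            out["geo_suppressed"] = True   # recorded so the decision is auditable
    return out
```

The `geo_suppressed` flag is kept on the sanitized request so downstream logs show that a location was withheld without recording the location itself. Vendors that receive requests from you should be contractually held to the same filter, since the check only protects data that passes through your own pipeline.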

Consumer Rights and Access Requests

You have the right to know whether a business collects, uses, or shares your consumer health data and why. You can request access to the categories and specific pieces of data held about you, along with data sharing disclosures that identify the categories of third parties and affiliates that received it.

You can request deletion of your consumer health data and withdraw any prior consent. If a business seeks to sell your health data, it must have your written authorization, which you may revoke at any time.

Businesses must provide straightforward methods, such as a web form or email address, to submit verifiable requests and must respond within the response period the statute allows. If a request is denied, you should receive an explanation and instructions for further review.

  • Right to know and access, including a portable copy where feasible.
  • Right to deletion of consumer health data, subject to limited exceptions.
  • Right to withdraw consent and to revoke any sale authorization.
  • Right to receive data sharing disclosures identifying categories of recipients.
  • Right to be free from discrimination for exercising your rights.

Health Data Privacy Policy Obligations

Regulated entities must publish a consumer health data privacy policy that is clear, accessible, and comprehensive. The policy should explain how consumer health data is collected, used, shared, and protected, and how you can exercise your rights.

  • Categories of consumer health data collected, including any biometric health data.
  • Sources of the data and the specific purposes for each use.
  • Whether data is shared or sold, with data sharing disclosures that name categories of third parties and affiliates.
  • How to submit access, deletion, and consent-withdrawal requests, and how identity is verified.
  • Retention practices and deletion timelines consistent with data minimization.
  • How affirmative consent and written authorization are obtained, recorded, and revoked.

For regulated entities, compliance also means aligning internal practices with the public policy: keep the policy up to date, provide just-in-time notices for new purposes, and ensure processors follow documented instructions and confidentiality obligations.

Security and Enforcement Provisions

Businesses must implement reasonable administrative, technical, and physical safeguards to maintain health data confidentiality and integrity. Security should be risk-based and proportionate to the sensitivity of the data and the nature of processing.

  • Data minimization and retention limits; delete data when no longer necessary for stated purposes.
  • Access controls, role-based permissions, encryption in transit and at rest, and secure key management.
  • Vendor and processor contracts that mandate confidentiality, security controls, sub-processor oversight, and assistance with consumer requests.
  • Employee training, logging and monitoring, incident response planning, and periodic assessments.

Enforcement occurs under Nevada’s deceptive trade practices enforcement framework. The Attorney General may seek injunctive relief and civil penalties, and require remediation for violations. There is no private right of action under this law; compliance is monitored and enforced by the state.

A practical compliance checklist for regulated entities:

  • Map consumer health data flows and update records of processing.
  • Refresh notices, capture consent, and establish written authorization workflows for any sale.
  • Disable geofence-based targeting near medical facilities and audit advertising partners.
  • Stand up request intake, verification, and response procedures that meet statutory timelines.
  • Harden security controls and update processor agreements to reflect SB 370 duties.

Bottom line: SB 370 strengthens Nevada’s protections for consumer health data by requiring affirmative consent, written authorization for sales, clear data sharing disclosures, robust safeguards, and regulated entities’ compliance programs—backed by state deceptive trade practices enforcement.

FAQs

What types of health data are protected under SB 370?

Protected consumer health data includes information that identifies or can be linked to you and reveals or infers your health status—such as diagnoses, treatments, reproductive and sexual health details, mental health or disability information, genetic data, and biometric health data used for health-related purposes. It also covers location signals and behavioral inferences that indicate a visit to a medical facility or suggest a condition.

What consent is required to collect, share, or sell consumer health data?

Businesses must seek affirmative consent before collecting consumer health data that is not necessary to deliver a requested service, and obtain separate, purpose-specific consent before sharing it. Consent must be clear, specific, and freely given, without prechecked boxes or dark patterns, and you must be able to withdraw it easily. Any sale of consumer health data requires a separate written authorization that is specific and revocable.

What are the restrictions on geofencing near medical facilities?

SB 370 prohibits using geofences around medical facilities to identify or track individuals, collect consumer health data, or target health-related advertising based on a person’s presence in that area. Businesses should disable location-based targeting near clinics, hospitals, and similar facilities and ensure vendors do the same.

How can consumers request information about their health data collection?

You can submit a verifiable request through the methods a business provides—often a web form or email—to confirm whether it collects your consumer health data, access a copy, and obtain data sharing disclosures that identify categories of recipients. You may also request deletion and withdraw any consent or sale authorization. The business must respond within a legally allowed time and may ask for reasonable verification of your identity.
