Existing federal law and regulations contain various protections for health information maintained or used: (1) by a person or entity that provides health care, an insurer or a business associate of a person or entity that provides health care or an insurer; or (2) for scientific research. (42 U.S.C. §§ 11101 et seq.; Pub. L. No. 104-191, 100 Stat. 2548; 21 C.F.R. Parts 46, 50 and 56, 42 C.F.R. Parts 2 and 3, 45 C.F.R. Parts 160 and 164) Sections 2-34 of this bill prescribe various protections for consumer health data that is maintained and used by other persons and nongovernmental entities and for other purposes. Section 7 of this bill defines the term “consumer” to mean a natural person who has requested a product or service from a regulated entity and who resides in this State or whose consumer health data is collected in this State, except for a natural person acting in an employment context or as an agent of a governmental entity. Section 8 of this bill defines the term “consumer health data” to mean personally identifiable information that is linked or reasonably capable of being linked to a consumer and is used by a regulated entity to identify the health status of the consumer. Section 15 of this bill defines the term “regulated entity” to refer to a person who: (1) conducts business in this State or produces or provides products or services that are targeted to consumers in this State; and (2) determines the purpose and means of processing, sharing or selling consumer health data. Sections 3-6, 9-14 and 16-19 of this bill define certain other terms. Section 20 of this bill provides that the provisions of sections 2-34 do not apply to certain persons, entities and data, including: (1) certain persons and entities whose collection and disclosure of data is specifically regulated by federal law; and (2) certain data that is collected or disclosed under certain provisions of federal law or regulations or state law.
Section 21 of this bill requires a regulated entity to develop, maintain and make available a policy concerning the privacy of consumer health data. Section 21 also prohibits a regulated entity from: (1) taking certain actions with regard to consumer health data that are inconsistent with the policy without the affirmative, voluntary consent of the consumer; or (2) entering into a contract for the processing of consumer health data that is inconsistent with the policy. Section 22 of this bill generally prohibits a regulated entity from collecting or sharing consumer health data without the affirmative, voluntary consent of the consumer to whom the data relates, except to the extent necessary to provide a product or service that the consumer has requested from the regulated entity. Section 22 of this bill prescribes certain requirements governing such consent.
Section 24 of this bill requires a regulated entity, upon the request of a consumer, to: (1) confirm whether the regulated entity is collecting, sharing or selling consumer health data concerning the consumer; (2) provide the consumer with a list of all third parties with whom the regulated entity has shared or to whom the regulated entity has sold consumer health data relating to the consumer; (3) cease collecting or sharing consumer health data relating to the consumer; or (4) delete consumer health data concerning the consumer. Section 24 also requires a regulated entity to establish a secure and reliable means of making such a request. Section 25 of this bill prescribes requirements governing the response to such a request, including a requirement that a regulated entity provide information in response to such a request free of charge in most circumstances. However, if a consumer submits more than two requests in a year and those requests are manifestly unfounded, excessive or repetitive, section 25 authorizes the regulated entity to charge a reasonable fee to provide such information. Section 26 of this bill prescribes requirements governing the time within which a regulated entity or an affiliate, processor or other third party with which a regulated entity has shared data must delete consumer health data in response to a request for such deletion. Section 27 of this bill requires a regulated entity to establish a process to appeal the refusal of the regulated entity to act on a request made pursuant to section 24.
Section 28 of this bill requires a regulated entity to limit access to and establish, implement and maintain policies and procedures to protect the security of consumer health data. Section 29 of this bill requires a processor who processes consumer health data on behalf of a regulated entity to only process such data in accordance with a written contract between the processor and the regulated entity. Section 29 also requires such a processor to assist the regulated entity in complying with the provisions of sections 2-34.
Section 30 of this bill prohibits a person from selling or offering to sell consumer health data without the written authorization of the consumer to whom the data pertains or beyond the scope of such authorization, with certain exceptions. Section 30 also prohibits a person from conditioning the provision of goods or services on a consumer providing such authorization. Section 30 requires a person who sells consumer health data to: (1) establish a means by which a consumer may revoke such written authorization; and (2) provide a copy of such written authorization to the consumer and purchaser. Section 30 also requires both a seller and a purchaser of consumer health data to maintain such written authorization for at least 6 years after the expiration of the written authorization. Section 17 of this bill exempts certain activity from the definition of the term “sell,” thereby exempting such activity from the requirements of section 30.
Section 31 of this bill prohibits a person from implementing a geofence within 1,750 feet of any person or entity that provides in-person health care services or products for certain purposes. Section 33 of this bill prohibits a regulated entity from discriminating against a consumer for taking any action authorized by sections 2-34 or to enforce those provisions.
Existing law provides that a variety of actions constitute deceptive trade practices. (NRS 118A.275, 205.377, 228.620, 370.695, 597.997, 603.170, 604B.910, 676A.770; chapter 598 of NRS) Existing law authorizes a court to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability. (NRS 598.0973) Additionally, existing law authorizes a court to make such additional orders or judgments as may be necessary to restore to any person in interest any money or property which may have been acquired by means of any deceptive trade practice. (NRS 598.0993) In addition to these enforcement mechanisms, existing law provides that when the Commissioner of Consumer Affairs or the Director of the Department of Business and Industry has cause to believe that a person has engaged or is engaging in any deceptive trade practice, the Commissioner or Director may request that the Attorney General represent him or her in instituting an appropriate legal proceeding, including an application for an injunction or temporary restraining order. (NRS 598.0979) Existing law provides that if a person violates a court order or injunction resulting from a complaint brought by the Commissioner, the Director, the district attorney of any county of this State or the Attorney General, the person is required to pay a civil penalty of not more than $10,000 for each violation. Furthermore, if a court finds that a person has willfully engaged in a deceptive trade practice, the person who committed the violation: (1) may be required to pay an additional civil penalty not more than $5,000 for each violation; and (2) is guilty of a felony or misdemeanor, depending on the value of the property or services lost as a result of the deceptive trade practice. (NRS 598.0999) With certain exceptions, section 34 of this bill provides that a person who violates any provision of sections 2-34 is guilty of a deceptive trade practice. Sections 1 and 34 of this bill provide that a person injured by such a violation does not have a private right of action. Section 34 additionally provides that the provisions of sections 2-34 must not be construed to affect any other provision of law.
Section 35 of this bill exempts consumer health data from provisions of existing law governing information collected on the Internet from consumers because those provisions are less stringent than the provisions of sections 2-34.
Statutes affected: As Introduced: 603A.338
Reprint 1: 598.0977, 603A.338
Reprint 2: 598.0977, 603A.338
Reprint 3: 598.0977, 603A.338
Reprint 4: 598.0977, 603A.338
As Enrolled: 598.0977, 603A.338
BDR: 603A.338