Nevada SB 370
Difference between HIPAA and SB 370
Nevada's Senate Bill 370 (SB 370), effective March 31, 2024, introduces comprehensive protections for consumer health data that extend beyond the federal Health Insurance Portability and Accountability Act (HIPAA). Key distinctions between SB 370 and HIPAA include:

Scope and Applicability
- HIPAA: Applies to "covered entities" such as healthcare providers, health plans, healthcare clearinghouses, and their business associates handling protected health information (PHI).
- SB 370: Extends to any entity conducting business in Nevada or targeting products or services to Nevada consumers, regardless of industry, that determines the purpose and means of processing, sharing, or selling consumer health data. This includes organizations beyond traditional healthcare providers.
Definition of Protected Data
- HIPAA: Protects PHI, which includes individually identifiable health information related to an individual's past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare services.
- SB 370: Defines "consumer health data" broadly as personal information linked or reasonably capable of being linked to a consumer that identifies their past, present, or future health status. This encompasses data such as:
  - Health condition or status, disease, or diagnosis
  - Social, psychological, behavioral, or medical intervention
  - Use or acquisition of medication
  - Bodily functions, vital signs, or symptoms
  - Surgeries or health-related procedures
  - Gender-affirming care
  - Biometric or genetic data
  - Reproductive or sexual health care
Consent Requirements
- HIPAA: Allows the use and disclosure of PHI for treatment, payment, and healthcare operations without explicit patient consent.
- SB 370: Requires consumer consent before collecting or sharing health data, except when necessary to provide a product or service requested by the consumer. This ensures consumers are informed and have control over their health data.
Consumer Rights
- HIPAA: Grants individuals rights to access and amend their PHI and receive an accounting of certain disclosures.
- SB 370: Provides consumers with rights to confirm whether their health data is being collected, shared, or sold; access their health data; obtain a list of third parties with whom their data has been shared or sold; withdraw consent; and request deletion of their health data.
Prohibition of Geofencing
- HIPAA: Does not address geofencing practices.
- SB 370: Prohibits the use of geofencing technology within 1,750 feet of any medical facility to collect or track consumer health data or send targeted messaging based on health data, enhancing privacy protections in sensitive locations.
Enforcement and Penalties
- HIPAA: Enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services, with penalties ranging from fines to corrective action plans.
- SB 370: Enforced by the Nevada Attorney General, with violations considered deceptive trade practices under Nevada law, potentially leading to civil penalties.
Entity Exemptions
- HIPAA: Applies to specific "covered entities" such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
- SB 370: Offers broader exemptions, including entities subject to HIPAA, financial institutions governed by the Gramm-Leach-Bliley Act, certain Nevada-licensed gaming entities like casinos, and law enforcement agencies or their contractors.
While HIPAA focuses on traditional healthcare entities and PHI, Nevada's SB 370 expands protections to a wider array of organizations and a broader spectrum of health-related data, emphasizing consumer consent and control.
Knowledge Check
Choose the best answer for the question.
3-10-Nevada. Which of the following best describes the primary distinction between HIPAA and Nevada's SB 370 in terms of scope?