United States: Nevada and Washington consumer health privacy laws operative in March - Top 6 things to do now

In brief

If your organization does business across the US and collects consumer health data (broadly defined; health inferences generated from non-health data count), compliance with US state consumer health privacy laws is just around the corner. Consumer health privacy laws in Nevada (Senate Bill 370) and Washington (the My Health My Data Act) become fully operative for regulated entities on 31 March 2024. Requirements specific to consumer health data are already operative in Connecticut

 



Here are the top 6 things to do now:

1. (Re)consider online tracking technologies and don't sell consumer health data. Organizations in health- or wellness-related industries should weigh the advantages of any online tracking technologies against the risk that such tracking, which typically involves disclosing personal information to other parties, is considered "selling" of consumer health data. Selling is any disclosure of consumer health data for valuable consideration. Under each of the Nevada and Washington laws, any "selling" of consumer health data requires signed authorization (a form of signed opt-in) that is practically cumbersome to obtain.

Guidance from the Department of Health and Human Services provides that when an entity regulated by the US federal Health Insurance Portability and Accountability Act (HIPAA) collects an individual's IP address, such information connects the individual to the regulated entity (even if there is no existing relationship with the entity) and constitutes individually identifiable health information. Given the broad definitions of consumer health data in the Nevada and Washington laws, IP addresses may be found to be consumer health data under such laws and subject to the requirements related to "selling". Selling may be any disclosure of consumer health data, such as IP addresses, where the recipient is not contractually bound to restrictions on using the data.

2. Document necessity or obtain consent. Under each of the Nevada and Washington laws, regulated entities are required to obtain consent before collecting and sharing consumer health data beyond what is necessary to provide a product or service that the consumer has requested. Consent to sharing must be separate and distinct from the consent to collecting consumer health data beyond what is necessary.

Numerous recent general US state consumer privacy laws, including the California Consumer Privacy Act, have similar requirements to obtain consent when personal information is processed beyond what is necessary. Regulated entities (and organizations doing business in the US in general) should analyze and document the necessity of their personal data handling practices and obtain consent as required when necessity is not met.
The consent requirements are different from, and are in addition to, the signed authorization requirements that apply to selling. 

3. Determine what data is in scope. Organizations clearly operating in the health care industry and already subject to prescriptive health privacy laws, such as HIPAA, or the rules adopted by Washington's Office of the Insurance Commissioner (Insurance Commissioner Rules), benefit from certain exemptions under the new state consumer health privacy laws (the Washington law only has data level exemptions, but the Nevada law has data and entity level exemptions). Other organizations, such as certain wellness companies, may have to comply with the new state laws for more of the personal information they process because no exemptions apply. Determining what data is in scope, and exactly with which parties consumer health data is shared, is necessary to draft new required privacy policies and update data subject request programs.

4. Update privacy policies. The Washington law has disclosure requirements that are unique. Regulated entities are required to list by name every (non-data processor) affiliate to which they disclose consumer health data. Preparing new dedicated policies or creating state-specific sections in existing online privacy disclosures may be easiest to manage and most transparent for consumers, but each organization will need to assess its privacy disclosures overall to determine its approach. 

5. Update data subject request programs. Adding to existing data subject rights that apply to some organizations (e.g., consumers have extensive existing rights under the Insurance Commissioner Rules in Washington), regulated entities should prepare for data subject requests under the new state laws. Notably, there are limited exemptions available to regulated entities upon which to deny requests. 

6. Don’t geofence around health care facilities. It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications, messages or advertisements related to a consumer’s health data to, a consumer within a certain distance from in-person medical/health facilities. This prohibition should not be relevant for most organizations (because they don't and would not consider such geofencing), but such geofencing is outright prohibited under each of the Nevada and Washington laws and therefore makes this top 6 list.

Outlook

As the Washington My Health My Data Act has a private right of action, requirements (which are very similar in the Washington and Nevada laws) will become clearer as they are interpreted in court. Taking the 6 actions above now should position your organization well in the meantime.

Contact Information
Helena Engfeldt
Partner at BakerMcKenzie
San Francisco
helena.engfeldt@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved.