United States: Nevada and Washington consumer health privacy laws operative in March – Top 6 things to do now

By neub9
3 Min Read

In Summary

If your organization operates in the US and collects consumer health data, be aware that compliance with US state consumer health privacy laws is approaching. States like Nevada (Senate Bill 370) and Washington (My Health My Data Act) will have fully operative regulations for regulated entities starting on March 31, 2024.

Several requirements concerning consumer health data are already in effect in Connecticut.

Here are the top 6 action items to consider now:

1. Reconsider online tracking technologies and opt against selling consumer health data

Organizations in health and wellness industries should weigh the benefits of online tracking against the risks involved. The sale of consumer health data, including IP addresses, requires cumbersome signed authorization under Nevada and Washington laws, creating a significant burden.

Guidance from the Department of Health and Human Services suggests that even an IP address can be considered consumer health data under these laws, making it necessary to comply with the regulations regarding data selling.

2. Document necessity or obtain consent

Regulated entities must obtain consent before collecting and sharing consumer health data beyond what is required to provide a requested product or service. Separate consent for data sharing is a crucial requirement that must be met.

3. Determine what data is in scope

Organizations in the healthcare industry that are subject to existing privacy laws, such as HIPAA, benefit from certain exemptions under the new state consumer health privacy laws. Other entities need to assess what data falls within the scope of the regulations and with whom it is shared.

4. Update privacy policies

The Washington law has unique disclosure requirements, necessitating organizations to list non-data processor affiliates to which they disclose consumer health data. It is essential to update privacy policies and create dedicated state-specific sections to ensure transparency.

5. Update data subject request programs

Regulated entities should prepare for data subject requests under the new state laws and be aware that there are limited exemptions available upon which to deny requests.

6. Avoid geofencing around healthcare facilities

Geofencing around health care facilities is prohibited under the Nevada and Washington laws, and organizations should ensure compliance with this regulation.


The Washington My Health My Data Act has a private right of action, and it is crucial for organizations to take the necessary actions now to comply with the upcoming regulations. This proactive approach will position your organization well and ensure compliance in the meantime.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *