In May of 2019, the Governor of Nevada approved Senate Bill 220 (SB 220), an updated Nevada consumer privacy law. This legislation, which becomes effective on October 1, 2019, strengthens existing Nevada consumer privacy protections. It does so by making it easier for consumers to opt out of the sale of certain personal information by operators of websites.
How is Online Privacy Protected Under Current Nevada Law?
Before the updated Nevada consumer privacy law, Nevada protected the online privacy of consumers by requiring that operators of websites or online services make a privacy notice available to consumers. In this privacy notice, Nevada law required operators to:
- Describe the types of information about consumers that the operator collected through its website; and
- Describe those third parties with whom the operator would share the information, among other things.
What New Privacy Protections Does SB 220 Afford?
SB 220, the Nevada consumer privacy law, broadens the scope of consumer protections by regulating the sale of consumer information by an operator in exchange for money.
SB 220 defines a sale as an exchange, for money, of “covered information” about an individual.
The law defines “covered information” as personally identifying information, which includes:
- First and last name;
- A home or other physical address that includes the name of a street and the name of a city or town;
- An email address;
- A telephone number;
- A Social Security number;
- An identifier that allows a specific individual to be contacted either physically or online; and
- Any other information regarding an individual, and maintained in a form that makes such individual personally identifiable.
Importantly, the Nevada consumer privacy law gives individuals the right to direct operators to not make sales of covered information that the operator has collected or will collect.
Under SB 220, operators are required to establish a designated “request” address, such as an email address, a website, or a toll-free number, through which an individual may request that the operator not sell his or her covered information.
An operator receiving this request must honor the request, provided that the operator can reasonably verify:
- The authenticity (genuineness) of the request; and
- The identity of the consumer.
Under SB 220, operators must respond to requests within 60 days after they receive the request.
How Does SB 220 Compare to the HIPAA Privacy Rule?
The HIPAA Privacy Rule also regulates the sale of certain personal information. The information the HIPAA Privacy Rule regulates is known as PHI, or protected health information.
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.
Just as SB 220 gives consumers more control over how their personal information is used, by giving them the ability to opt out of sales of their covered information, so too does the HIPAA Privacy Rule. The HIPAA Privacy Rule gives patients control over how their PHI is used for marketing purposes by requiring that covered entities or business associates receive written patient authorization for certain types of marketing.
Under the Privacy Rule, covered entities and business associates must obtain the individual’s written authorization for (among certain other types of marketing) marketing in which a covered entity or business associate:
- Uses or discloses PHI to a third party; and
- Receives financial remuneration for doing so.
Financial remuneration is defined as direct or indirect payment that flows from or on behalf of a third party whose product or service is being described in a marketing communication.