Nevada SB 538 (Consumer Health Data): What It Means for Medical Practices
8 min read · Last reviewed May 23, 2026
Nevada's SB 538 (NRS 603A.400 to 603A.550), effective March 31, 2024, regulates "consumer health data" with a definition far broader than HIPAA's PHI. The single biggest divergence: SB 538 has no minimum-volume threshold and applies to any regulated entity processing consumer health data of Nevada residents, with a categorical prohibition on geofencing around health-care facilities at NRS 603A.540 that HIPAA does not impose.
What Nevada SB 538 actually requires
SB 538, codified at NRS 603A.400 to 603A.550, is Nevada's consumer health data statute, modeled loosely on Washington's My Health My Data Act but with distinct enforcement and exemption posture. The statute is administered by the Nevada AG and enforced through the Deceptive Trade Practices Act.
Core obligations under SB 538:
- Privacy notice for consumer health data. NRS 603A.420 — a regulated entity must publish a clear and conspicuous health-data privacy policy on its website disclosing the categories of consumer health data collected, the purposes, the categories of recipients, consumer rights, and the contact for exercising those rights.
- Opt-in consent for collection and sharing. NRS 603A.430 — consent must be obtained for any collection or sharing of consumer health data that is not strictly necessary to provide a product or service the consumer has requested. The opt-in must be freely given, specific, informed, and unambiguous; pre-ticked boxes and bundled consents do not qualify.
- Sale prohibition without separate authorization. NRS 603A.450 — selling consumer health data requires a separate written authorization that names the recipient, identifies the data, states the purpose, and notes the consumer's right to revoke. This authorization is functionally similar to a CMIA-style authorization rather than CPA-style opt-out-of-sale.
- Consumer rights. NRS 603A.460 — right to confirm processing, access, deletion, and withdrawal of consent. Response deadline: 45 days, one 45-day extension.
- Geofence prohibition. NRS 603A.540 — a categorical bar on any person implementing a geofence around a "health care facility" for the purpose of (a) identifying consumers seeking health-care services, (b) tracking consumers, (c) collecting consumer health data, or (d) sending health-related notifications, advertisements, or messages.
- Data security. NRS 603A.470 — reasonable security practices to protect consumer health data from unauthorized access, with no prescribed technical standard.
The HIPAA carve-out at NRS 603A.490(1)(a) is entity-level, not data-level. A regulated entity that is subject to HIPAA is exempt from SB 538 as to its HIPAA-regulated activities; a non-HIPAA business unit operated by the same parent organization can still be in scope.
Where Nevada is stricter than HIPAA
The single comparative table a Nevada practice needs:
| Topic | HIPAA | Nevada SB 538 | Stricter | |---|---|---|---| | Scope of regulated data | PHI held by covered entities or BAs | Consumer health data including location, biometric, reproductive, gender-affirming, bodily function data (NRS 603A.400) | Nevada | | Applicability threshold | Covered entity / BA status | Any person targeting Nevada consumers — no volume threshold | Nevada | | Opt-in for collection | Authorization for non-TPO use (45 CFR § 164.508) | Opt-in for any non-essential collection or sharing (NRS 603A.430) | Nevada | | Geofence around health facilities | Not addressed | Categorically prohibited (NRS 603A.540) | Nevada | | Sale of health data | Authorization required (45 CFR § 164.508(a)(4)) | Separate written authorization with revocation right (NRS 603A.450) | Nevada | | Privacy policy specificity | Notice of Privacy Practices required (45 CFR § 164.520) | Distinct health-data privacy policy required (NRS 603A.420) | Nevada | | Civil penalty per violation | $145–$73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | Up to $5,000 per violation under DTPA (NRS 598.0999) | HIPAA per-violation higher | | Private right of action | None | None — AG-only enforcement | Tie |
Where Nevada practices most often trip is the geofence prohibition. NRS 603A.540 is categorical: no implementing a geofence around any "health care facility" for any of the four enumerated purposes. Most marketing platforms run geo-targeted ads as a default; a Nevada practice that runs a Facebook or Google geo-radius ad targeting users near a fertility clinic, oncology center, OB/GYN, or behavioral health office is potentially exposed even if its own facility is not being geofenced. The statute targets the target of the geofence, not just the entity erecting it.
The other consistent surprise is the threshold — or rather, the absence of one. CTDPA, CPA, CDPA, and CCPA all have minimum-consumer thresholds. SB 538 has none. A single Nevada-targeting health-related website with two visitors per week is in scope if it collects consumer health data outside HIPAA.
Where HIPAA is stricter than Nevada
The three areas where federal law is the harder rule:
- Security Rule technical safeguards. SB 538's "reasonable security" standard at NRS 603A.470 is unspecified. HIPAA's Security Rule at 45 CFR Part 164, Subpart C prescribes a structured technical, administrative, and physical safeguards program — annual risk analysis, audit logging, encryption decisions, contingency planning, sanction policy.
- Breach notification. SB 538 does not impose its own breach-notification regime; Nevada's separate breach statute at NRS 603A.220 governs personal-information breaches with a "most expedient time" standard. HIPAA's 60-day deadline at 45 CFR § 164.404(b) is more concrete.
- Records retention. HIPAA requires six-year retention of compliance documentation under 45 CFR § 164.530(j); SB 538 does not impose comparable retention.
Breach notification timeline
SB 538 does not have its own breach-notification provisions. Nevada practices follow two parallel breach regimes:
- NRS 603A.220 — Nevada's data-breach notification statute. Notice to affected Nevada residents "in the most expedient time possible and without unreasonable delay." No fixed outer statutory deadline; AG enforcement has read the standard as approximately 45 days absent investigative complexity.
- HIPAA notification. 45 CFR § 164.404 — 60-day individual notice; HHS report under 45 CFR § 164.408 within 60 days for 500+ affected.
The interaction worth flagging: an unauthorized acquisition of consumer health data held by a non-HIPAA business unit (a non-patient marketing list, a non-patient web form database) does not get HIPAA breach treatment but does get NRS 603A.220 treatment.
Penalties + private right of action
The numbers a Nevada practice needs:
- Civil penalty under DTPA. NRS 598.0999 — up to $5,000 per violation of a Deceptive Trade Practice. Each affected consumer can be counted as a separate violation in AG enforcement actions.
- Injunctive relief and restitution. NRS 598.0989 — AG can seek injunction, restitution, and disgorgement of profits.
- No private right of action. SB 538 expressly designates DTPA enforcement; individuals cannot bring direct SB 538 claims. Plaintiffs have attempted derivative common-law claims premised on SB 538 violations as predicates, but no published Nevada judgment has accepted that theory.
- HIPAA OCR penalties continue to apply in parallel under 45 CFR § 160.404.
Nevada's AG-only enforcement makes the practical risk profile different from Washington's MHMDA, where the private right of action through Washington's CPA at RCW 19.373.110 has driven class-action exposure. Multi-state practices typically build SB 538 compliance to the MHMDA bar and inherit Nevada compliance as a byproduct.
Compliance checklist for in-state practices
A Nevada-specific overlay to a HIPAA program:
- Business-unit inventory across the HIPAA boundary. Map which lines of business sit under HIPAA's entity exemption at NRS 603A.490(1)(a) and which non-HIPAA business units (a non-patient wellness brand, a public-facing health quiz, a non-HIPAA marketing affiliate) may themselves be regulated entities under SB 538.
- Distinct consumer-health-data privacy policy under NRS 603A.420 for any non-HIPAA business unit operating a Nevada-facing health-data flow, separate from the practice's HIPAA Notice of Privacy Practices.
- Opt-in consent flow for any non-essential collection or sharing of consumer health data under NRS 603A.430 by a non-HIPAA business unit. Pre-ticked boxes and bundled consents do not satisfy.
- Separate written authorization for sale of consumer health data under NRS 603A.450 when applicable.
- Geofence audit — review every active marketing campaign for geo-targeting around health-care facilities under NRS 603A.540. Disable any geofence that captures users near competitor or specialty-care facilities for purposes of health-related advertising. The geofence prohibition reaches any person, so it can apply to a HIPAA-covered practice's marketing activities even where the entity exemption otherwise covers patient-care data.
- Consumer-rights response process under NRS 603A.460 with a 45-day clock distinct from HIPAA's 30-day PHI access clock for any non-HIPAA business unit subject to SB 538.
- Vendor contracts — any contractor processing consumer health data for a non-HIPAA business unit must contractually commit to SB 538 obligations, layered onto any HIPAA BAA structure that applies elsewhere in the organization.
- Workforce training on SB 538 at hire and annually for staff supporting non-HIPAA business units, separately documented from HIPAA training. Cover the geofence prohibition and the entity-level (not data-level) HIPAA carve-out specifically.
The d3rx compliance binder state-overlay branches on Nevada and produces the SB 538-aware health-data privacy policy template, the opt-in consent flow, and the geofence-review checklist a Nevada practice runs alongside the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls.
Cross-references: see Washington's My Health My Data Act for the sister consumer-health-data statute with a private right of action, and California CMIA for the older state medical-information statute that influenced SB 538's authorization structure.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Nevada SB 538 (Consumer Health Data): What It Means for Medical Practices. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does Nevada SB 538 ban my appointment-reminder geo-targeting?
Often yes. NRS 603A.540 prohibits any person from implementing a geofence around a 'health care facility' to identify, track, or send notifications to consumers regarding their consumer health data. A geofenced ad targeted at people who walked into a fertility clinic, oncology center, or behavioral health office is squarely barred. Appointment reminders sent to a consenting patient via a direct messaging channel are fine; geo-targeting strangers near your facility based on a presumed health interest is not.
Is the HIPAA carve-out under SB 538 entity-level or data-level?
Entity-level. NRS 603A.490(1)(a) exempts any person or entity subject to HIPAA — the carve-out attaches to the regulated entity's HIPAA status, not to a specific data category. A HIPAA-covered Nevada practice generally sits outside SB 538 by virtue of the entity exemption. Mixed-business entities that operate a HIPAA-covered practice line and a non-HIPAA consumer-facing line (e.g., a wellness brand, a non-patient marketing list) need to evaluate whether the non-HIPAA business unit is itself a 'regulated entity' under SB 538.
How broad is 'consumer health data' under Nevada SB 538?
Very broad. NRS 603A.400 defines consumer health data as personal information that is linked or reasonably linkable to a consumer and that a regulated entity uses to identify the consumer's past, present, or future physical or mental health status. The definition explicitly includes location data that could indicate an attempt to access health services, biometric and genetic data, gender-affirming care information, reproductive or sexual health information, and bodily function data. It captures far more than HIPAA's narrower PHI definition.
Does Nevada SB 538 create a private right of action?
No. NRS 603A.520 gives exclusive enforcement to the Nevada Attorney General through the Deceptive Trade Practices Act at NRS 598.0903 et seq. There is no direct private right of action under SB 538. AG enforcement can seek injunctive relief, restitution, and civil penalties up to $5,000 per violation under NRS 598.0999. Nevada is one of the few comprehensive consumer-health data states without a private cause of action — contrast with Washington's MHMDA.
How does SB 538 interact with Washington's My Health My Data Act for multi-state practices?
They differ on enforcement, not substance. Both regulate 'consumer health data' broader than HIPAA, both impose opt-in consent for collection and sharing, both prohibit health-facility geofencing, both carve out HIPAA-covered data. The two practical differences: Washington's MHMDA at RCW 19.373.110 grants a private right of action through Washington's Consumer Protection Act; Nevada's SB 538 does not. Multi-state telehealth practices typically build to the MHMDA bar and inherit SB 538 compliance.
What is a 'regulated entity' under Nevada SB 538?
Broader than CPA-style consumer-privacy thresholds. NRS 603A.400 defines regulated entity to mean any person who conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and that determines the purposes and means of processing consumer health data. Unlike comprehensive privacy laws, SB 538 has no minimum consumer count or revenue threshold. A non-HIPAA business with a Nevada website that collects consumer health data through any channel is in scope.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- NRS 603A.400 to 603A.550https://www.leg.state.nv.us/NRS/NRS-603A.html
- 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- NRS 603A.220https://www.leg.state.nv.us/
- 45 CFR § 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR § 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-J/section-164.530
- 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceColorado Privacy Act for Medical Practices: Where It Stacks on HIPAAColorado Privacy Act (C.R.S. § 6-1-1301 et seq.) vs HIPAA: narrow health-data carve-out, AG-only enforcement, $20k per-violation cap, and CRS § 6-1-716 30-day breach window.
- ComplianceVirginia CDPA for Medical Practices: Where It Stacks on HIPAAVirginia Consumer Data Protection Act (Va. Code § 59.1-575) vs HIPAA: the HIPAA carve-out, what intake forms and marketing lists still trigger CDPA, and AG penalty math.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- RegulationHIPAA Individual Breach Notification (45 CFR 164.404)Required content, methods, and 60-day deadline for notifying affected individuals after a breach of unsecured PHI.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.