1. A regulated entity shall only authorize the employees and processors of the regulated entity to access consumer health data where reasonably necessary to:
   (a) Further the purpose for which the consumer consented to the collection or sharing of the consumer data pursuant to NRS 603A.500; or
   (b) Provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity.

2. A regulated entity shall establish, implement and maintain policies and practices for the administrative, technical and physical security of consumer health data. The policies must:
   (a) Satisfy the standard of care in the industry in which the regulated entity operates to protect the confidentiality, integrity and accessibility of consumer health data;
   (b) Comply with the provisions of NRS 603A.010 to 603A.290, inclusive, where applicable; and
   (c) Be reasonable, taking into account the volume and nature of the consumer health data at issue.

(Added to NRS by 2023, 3459)
Nevada Legal Code