Most healthcare organizations in the United States are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which has many requirements for safeguarding personal and protected health information (PHI).
HIPAA only covers healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that are provided with PHI, which includes genetic data. Most private companies that collect genetic data are not classed as HIPAA-covered entities or business associates, so the HIPAA Rules do not apply to them.
Over the past few months, several states have introduced laws to protect individuals from misuse of their genetic data, to hold private companies accountable, and to ensure they operate using proper data governance practices.
States Introduce Laws to Improve Privacy and Security of Genetic Data
Genetic data includes highly sensitive information about an individual. The information can be used to determine the probability of an individual developing certain diseases, to determine family history, and to establish an individual’s ethnicity. Some companies now offer genetic testing directly to consumers, supplying testing kits that can be used at home to identify family traits, assess future disease risk, produce wellness reports, and provide ancestry services such as tracing DNA relatives.
These services have increased in popularity in recent years, but the data collected and stored by these genetic testing companies are usually exempt from HIPAA and other federal laws. Some states have now introduced legislation that has requirements covering the collection, use, storage, and disclosure of genetic information.
Alaska and Nevada were among the first states to introduce such legislation, and recently they have been joined by Arizona, California, Florida, and Utah.
Arizona Updates Statutes to Cover Genetic Data
In April 2021, the Arizona state legislature introduced new genetic data provisions to its statutes that cover direct-to-consumer genetic testing companies. Companies that offer genetic testing are required to provide clear information to consumers about their policies concerning the collection, use, and disclosure of genetic data, including who will be provided with test results and how genetic information may be shared.
Companies must obtain express consent before conducting marketing activities directed at consumers based on their genetic data, or before a third party may market to a consumer based on that consumer having ordered or purchased a genetic testing product or service. PHI is exempt, as is any genetic testing conducted for medical treatment or by a public or private higher education institution.
California Genetic Information Privacy Act
The Genetic Information Privacy Act (GINA) was signed into law in California on October 6, 2021, and updated the California Consumer Privacy Act of 2018. GINA takes effect on January 1, 2022. As with Arizona, the law requires genetic testing companies to be transparent about their data collection and sharing practices, and also requires clear information to be provided to consumers and for express consent to be obtained from consumers before their genetic data are used or shared.
Any company that sells, markets, or interprets genetic data, and any company that offers direct-to-consumer genetic testing products or services that involve the collection, analysis, or storage of genetic data, is covered by GINA. Separate consent must be obtained for each purpose of use, before the data are transferred to another party, and before the data are used for marketing purposes. Security measures must be implemented to ensure genetic data are protected from unauthorized use, alteration, or destruction. GINA also requires covered entities to destroy stored genetic data within 30 days of consent being withdrawn. Failure to comply with the requirements of GINA can result in civil financial penalties.
Florida Protecting DNA Privacy Act
Florida’s genetic data privacy law – The Protecting DNA Privacy Act – took effect on October 1, 2021. The Protecting DNA Privacy Act prohibits collecting or retaining another individual’s DNA sample without consent, procuring a DNA sample from another individual for analysis, and disclosing the results of genetic tests without written consent.
Florida goes further than California, with violations potentially resulting in criminal penalties. It is a third-degree felony to submit another person’s DNA for testing or to disclose test results without consent. The transfer of any DNA samples or results to a third party without consent is a second-degree felony. There are exceptions for criminal investigations and prosecutions, compliance with a subpoena, summons or other lawful court order, compliance with federal law, medical testing, and several other purposes.
Utah Genetic Information Privacy Act
Utah introduced the Genetic Information Privacy Act, which took effect in May 2021. The legislation applies to direct-to-consumer genetic testing companies and, as in California, requires consumers to be notified about data collection, usage, and sharing practices, including to whom genetic test results will be provided.
Consent must be obtained before any use or sharing of genetic data, and a process must be implemented that allows consumers to access their genetic data and have their data permanently destroyed. Utah also prohibits the sharing of genetic data with a health insurance company or an individual’s employer without first obtaining consent.
Other states are expected to introduce similar laws to ensure the privacy and security of genetic data in the coming months.