THE SENATE

S.B. NO.

2032

THIRTY-FIRST LEGISLATURE, 2022

 

STATE OF HAWAII

 

 

 

 

 

 

A BILL FOR AN ACT

 

 

Relating to GENETIC INFORMATIOn PRIVACY.

 

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The legislature finds that the number of companies offering direct-to-consumer genetic tests, otherwise known as ancestry tests, at-home genetic tests, direct-access genetic tests, genealogy tests, and home deoxyribonucleic acid (DNA) tests, has been growing, along with the range of information on the health conditions and traits covered by the tests.

     Direct-to-consumer genetic tests provide consumers with direct access to their genetic information without the involvement of healthcare providers and health plans.  As the name suggests, the tests are marketed directly to consumers through the media, print advertisements, or the Internet, and purchased by consumers online or in stores.  The consumers collect and mail their DNA samples pursuant to instructions provided by the direct-to-consumer genetic testing company, and a laboratory analyzes the DNA samples for genetic variations that fit the purpose of the test.  The method by which the test results are communicated to the consumer varies by company; some post the results on a secure website and provide the consumer with access thereto, some mail a written report to the consumer, and some share the results over the telephone.

     While direct-to-consumer genetic testing promotes awareness of genetic diseases and can assist consumers in taking a proactive role in maintaining or improving their health and wellness, the legislature is concerned that there is currently little oversight or regulation of direct-to-consumer genetic testing companies, especially in terms of how the privacy and confidentiality of a consumer's genetic information are protected.  The legislature acknowledges that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national standards to protect an individual's medical records and other personal health information, including genetic information.  However, HIPAA applies only to health plans, health care clearinghouses, and certain healthcare providers; it does not apply to direct-to-consumer genetic testing companies.

     Accordingly, the purpose of this Act is to protect the privacy and confidentiality of genetic data of consumers who order or purchase a genetic testing product or service and submit their biological samples to direct-to-consumer genetic testing companies, by requiring direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to its collection, use, and disclosure of genetic data.

     SECTION 2.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

Hawaii Genetic Information Privacy Act

     §   -1  Short title.  This chapter shall be known and may be cited as the Hawaii Genetic Information Privacy Act.

     §   -2  Definitions.  As used in this chapter, unless the context clearly requires otherwise:

     "Biological sample" means any material part of a human being, discharge from a human being, or derivative of a human being that is known to contain the DNA of the human being.  "Biological sample" includes the tissue, blood, urine, and saliva of a human being.

     "Consumer" means any individual who is a resident of the State.

     "De-identified data" means data that has been de-identified in accordance with title 45 Code of Federal Regulations section 164.514(b).

     "Direct-to-consumer genetic testing company" or "company" means any person that provides directly to consumers, genetic testing products or services related to genetic testing products.  Services related to genetic testing products include:

     (1)  Collecting or receiving biological samples or genetic data from a consumer;

     (2)  Analyzing the genetic data derived from the biological samples or genetic data of a consumer; and

     (3)  Communicating the results of the genetic testing to the consumer.

     "Direct-to-consumer genetic testing product" means genetic tests that are marketed directly to consumers and purchased by the consumer online or in stores.  "Direct-to-consumer genetic testing product" includes ancestry tests, at-home genetic tests, direct-access genetic tests, genealogy tests, and home DNA tests.

     "Disclose" means to release, transfer, or otherwise divulge a consumer's genetic data to any person other than the consumer who ordered the genetic testing.

     "DNA" means deoxyribonucleic acid.

     "Express consent" means a statement of permission given by a consumer that is positive, direct, and unequivocal, requiring no inference or implication to supply its meaning, regarding the collection, use, or disclosure of genetic data for a specific purpose.

     "Genetic data" means data in any format that contains information relating to a consumer's genetic characteristics.  "Genetic data" includes:

     (1)  Raw sequence data that results from the sequencing of a consumer's complete extracted DNA or a portion of the extracted DNA;

     (2)  Genotypic and phenotypic information that results from analyzing the raw sequence data; and

     (3)  Self-reported health information regarding a consumer's health conditions that the consumer submits to a direct-to-consumer genetic testing company that is:

          (A)  Analyzed in connection with the consumer's raw sequence data; or

          (B)  Used for scientific research or product development.

"Genetic data" does not include de-identified data.

     "Genetic test" or "genetic testing" means any laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of a consumer's genetic characteristics.

     "Individual" means a natural person.

     "Person" means any individual, group, partnership, firm, association, corporation, trust, business trust, estate, cooperative, consortium, joint venture, or any other form of business or legal entity, and the legal representative of such entity.

     §   -3  Direct–to–consumer genetic testing company; requirements; prohibition.  (a)  A direct-to-consumer genetic testing company shall:

     (1)  Provide consumers with a clear and complete written notice regarding the company's policies and procedures for the collection, use, and disclosure of genetic data, by making available to the consumer the following:

          (A)  A high-level privacy policy overview that includes basic essential information about the company's collection, use, or disclosure of genetic data; and

          (B)  A prominent, publicly available written privacy notice that describes the company's practice relating to biological samples and genetic data, including genetic data collection, consumer consent, use of genetic data, access to genetic data, disclosure of genetic data, transfer of genetic data, security protocols, and retention and deletion of genetic data;

     (2)  Obtain the consumer's consent for the collection, use, or disclosure of the consumer's genetic data, including:

          (A)  Initial express consent that:

              (i)  Clearly describes how the company will use the consumer's genetic data collected through the genetic testing product or service;

             (ii)  Specifies who has access to the consumer's genetic test results; and

            (iii)  Specifies how the genetic data may be shared;

          (B)  Separate express consent for each of the following:

              (i)  Transfer or disclosure of the consumer's genetic data to any person other than the company's vendors and service providers;

             (ii)  Use of the consumer's genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses; and

             (iii)  Retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer.

          (C)  Informed consent in compliance with the federal policy for the protection of human research subjects prescribed by title 45 Code of Federal Regulations part 46, for the transfer or disclosure of the consumer's genetic data to third-party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge; and

          (D)  Express consent for the consumer to receive:

              (i)  Marketing of products and services based on the consumer's genetic data; or

             (ii)  Marketing of products and services by a third‑party person based on the consumer having ordered or purchased a genetic testing product or service.

              For the purposes of this subparagraph, "marketing" does not include the provision of customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company that has a first-party relationship with the consumer.

     (3)  Not disclose a consumer's genetic data to law enforcement or any other government agency except when required under court order or pursuant to subpoena issued by the department of the attorney general, or with the prior express consent of the consumer;

     (4)  Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and

     (5)  Provide a process that allows a consumer to:

          (A)  Access the consumer's genetic data;

          (B)  Delete the consumer's account and genetic data; and

          (C)  Request and obtain the destruction of the consumer's biological sample.

     (b)  Notwithstanding any other provision in this section to the contrary, a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any person offering health insurance, life insurance, or long-term care insurance or to any employer of the consumer without the prior express consent of the consumer.

     (c)  Notwithstanding any other provision in this section to the contrary, the disclosure of a consumer's genetic data pursuant to this chapter shall comply with all state and federal laws governing the protection of privacy and security of personal information and health information.

     §   -4  Exceptions.  This chapter shall not apply to:

     (1)  Protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services under title 45 Code of Federal Regulations parts 160 and 164;

     (2)  Biological samples that are obtained or genetic data that is generated for the purposes of an individual's medical screening, treatment, or diagnosis; and

     (3)  A public or private institution of higher education or an entity owned or operated by a public or private institution of higher education.

     §   -5  Violations; civil penalty.  Any person who violates any provision of this chapter shall be assessed a civil penalty of not less than $2,500 for each violation in addition to any other applicable penalties.

     §   -6  Enforcement; civil action; damages; costs; attorneys' fees.  (a)  The director of the office of consumer protection shall have concurrent jurisdiction with the attorney general to enforce the provisions of this chapter.

     (b)  The director of the office of consumer protection, by and through the attorney general, may bring an action in any court of competent jurisdiction, on behalf of the State or in parens patriae on behalf of consumers to:

     (1)  Enjoin any violation of this chapter;

     (2)  Enjoin any person from continuing to engage in acts in violation of this chapter or acts in furtherance thereof;

     (3)  Collect the penalties provided by section    -5; or

     (4)  Recover any damages sustained by any person injured by a violation of this chapter, on whose behalf the action was brought.

     In any such action, the State shall also be entitled to recover the costs of suit together with reasonable attorneys' fees."

     SECTION 3.  If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

     SECTION 4.  This Act shall take effect upon its approval.

 

INTRODUCED BY:

_____________________________

 

 


 


 

Report Title:

Genetic Information Privacy Act; Direct-to-Consumer Genetic Testing Company; Genetic Information; Privacy; Penalty; Civil Action

 

Description:

Requires direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to its collection, use, and disclosure of genetic data.  Establishes fines for violations.  Allows the Director of the Office of Consumer Protection, by and through the Attorney General, to bring civil action against violators on behalf of the State or consumers for injunctions, collection of civil penalties, and recover damages.  Allows the State to recover the costs of suit and reasonable attorneys' fees.

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.