California Expected to Join Illinois in Regulating Genetic Data
Companies like Ancestry, 23andMe, and MyMedLab need to pay attention. Poised for its Governor’s signature, California’s SB-980, entitled the “Genetic Information Privacy Act” (“GIPA”), will join Illinois’ laws of the same name, found at 410 ILCS 513/1 et seq. (passed in 2018), in regulating the use, destruction, security, and access to individual genetic information and in permitting generous civil penalties for violations. Anyone else smell the class actions?
On the surface, California and Illinois’ laws fill existing gaps in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulations by applying to “direct-to-consumer genetic testing compan[ies].” By statute, HIPAA only applies to 3 types of entities:
Health Care Providers: doctors, clinics, psychologists, dentists, nursing homes, pharmacies.
Health Plans: health insurance companies, and government and private health plans.
Health Care Clearing Houses: “entities that process nonstandard health information they receive from another entity into a standard.”
Accordingly, entities not covered by HIPAA that handle private health information are not subject to its federal regulations. And California’s GIPA expressly excludes HIPAA-protected data from its application.
If passed, California’s GIPA would require any company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or provided directly by a consumer, to advise the consumer of the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and then obtain the consumer’s consent thereto. Unlike its Illinois counterpart, GIPA defines “Genetic Data” outside of HIPAA confines as follows:
Any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
Similar to data owners’ rights under the California Consumer Privacy Act of 2018, consumers have the right to revoke their consent and insist on the destruction of their biological sample within thirty (30) days of a request. “Reasonable security procedures,” though undefined, are required to protect the genetic data, as is a “prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of [GIPA].”
The exception to GIPA compliance is for “deidentified data,” which is defined as data “that cannot be used to infer information about, or otherwise be linked to, a particular individual,” which a company must demonstrate in 3 ways: 1) Implement reasonable measures to ensure that the information cannot be associated with a consumer or household; 2) Publicly commit to maintain and use the information only in deidentified form and not to attempt to reidentify the information, unless testing reverse engineering tactics; and 3) Contractually obligate any recipients of the information to take similar, reasonable measures to ensure that the information stays anonymized. The final requirement is extremely similar to a Business Associate Agreement.
Violations of GIPA may result in civil penalties, divided between negligent and intentional offenses. Negligent violations are punishable by up to $1,000.00 and court costs, while “willful” violations shall be assessed a penalty in an amount between $1,000.00 and $10,000.00 plus court costs. Parties are also prohibited from contracting out of GIPA compliance with their consumers.
GIPA’s penalties are less than those imposed in Illinois, which permits fines equal to the greater of actual damages or $2,500.00 in liquidated damages for negligent violations. Any party who intentionally or recklessly violates Illinois’ Genetic Information Privacy Act will incur liquidated damages of $15,000 or actual damages, whichever is greater. In addition to statutory fines, violators may be forced to reimburse victims for reasonable attorney’s fees and any form of litigation expense – including expert witness fees.