BILL ANALYSIS

 

 

Senate Research Center

H.B. 2545

88R21251 JES-F

By: Capriglione et al. (Johnson)

 

Business & Commerce

 

5/2/2023

 

Engrossed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Genetic data, which results from the DNA or RNA analysis of a biological sample, can provide insights about ethnicity, family history, and predisposition to diseases and health disorders. Such personal information is currently protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that holds healthcare providers to certain security standards in collecting genetic data. However, private genetic testing companies such as Ancestry and 23andMe fall in a regulatory gray area.


Currently, Texas does not have a genetic data privacy law, which would hold genetic testing companies accountable for data protection. However, states such as Arizona, California, Kentucky, Maryland, Utah, and Wyoming have enacted genetic data privacy laws to regulate genetic data use.

 

H.B. 2545 would establish genetic data protection for Texans by adding Chapter 503A to the Texas Business and Commerce Code. Most significantly, the bill holds genetic data testing companies accountable for how they secure and use genetic data and biological samples. For Texans who submit DNA to direct-to-individual genetic testing companies, H.B. 2545 would reaffirm that they are always informed and have complete control of when and how their genetic data will be shared through signed informed consent. Finally, H.B. 2545 would establish that genetic data cannot be shared with a governmental entity unless a warrant is issued, providing penalties for any genetic data testing company that violates the law.

 

The committee substitute for H.B. 2545 includes that the bill's provisions do not apply to a public, private, or independent institution of higher education.

 

Key Provisions:

 

 

Support:

 

H.B. 2545 amends current law relating to the use of an individual's genetic data by certain genetic testing companies for commercial purposes and authorizes a civil penalty.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subtitle A, Title 11, Business and Commerce Code, by adding Chapter 503A, as follows:

CHAPTER 503A. DIRECT-TO-INDIVIDUAL GENETIC TESTING COMPANIES

 

Sec. 503A.001. DEFINITIONS. Defines "biological sample," "deidentified data," "direct-to-individual genetic testing company," "DNA," "express consent," "genetic data," "genetic testing," and "person."

 

Sec. 503A.002. APPLICABILITY. (a) Provides that this chapter applies to a direct-to-individual genetic testing company that:

(1) offers its products or services to individuals who are residents of this state; or

(2) collects, uses, or analyzes genetic data that results from the company's products or services and was provided to the company by an individual who is a resident of this state.

(b) Provides that this chapter does not apply to:

(1) an entity only when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined by 45 C.F.R. Section 164.501, that is conducted in accordance with:

(A) the federal policy for the protection of human subjects (45 C.F.R. Part 46);

(B) the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH); or

(C) the United States Food and Drug Administration policy for the protection of human subjects (21 C.F.R. Parts 50 and 56); or

(2) genetic data that is protected health information collected by a covered entity or business associate, as defined by 45 C.F.R. Part 160, subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); or

(3) an institution of higher education or a private or independent institution of higher education, as those terms are defined by Section 61.003 (Definitions), Education Code.

 

Sec. 503A.003. REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED DATA. (a) Requires a direct-to-individual genetic testing company that possesses an individual's deidentified data, except as otherwise provided by this chapter or other law, to:

(1) implement administrative and technical measures to ensure the data is not associated with a particular individual; and

(2) publicly commit to maintaining and using data in deidentified form and refraining from making any attempt to identify an individual using the individual's deidentified data.

(b) Requires a company to enter into a legally enforceable contractual obligation prohibiting the person from attempting to identify an individual using the individual's deidentified data if the direct-to-individual genetic testing company shares an individual's deidentified data with another person.

 

Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) Requires a direct-to-individual genetic testing company to:

(1) develop, implement, and maintain a comprehensive security program to protect an individual's genetic data against unauthorized access, use, or disclosure; and

(2) make publicly available:

(A) a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and

(B) a prominent privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.

(b) Requires a direct-to-individual genetic testing company, before collecting, using, or disclosing an individual's genetic data, to provide to the individual information about the company's collection, use, and disclosure of genetic data the company collects through a genetic testing product or service, including information that:

(1) clearly describes the company's use of the genetic data;

(2) specifies the persons who have access to test results; and

(3) specifies the manner in which the company is authorized to share the genetic data.

(c) Requires a direct-to-individual genetic testing company to provide a process for an individual to:

(1) access the individual's genetic data;

(2) delete the individual's account and genetic data; and

(3) destroy or require the destruction of the individual's biological sample.

 

Sec. 503A.005. REQUIRED CONSENT. (a) Requires a direct-to-individual genetic testing company engaging in any of the following activities to obtain:

(1) an individual's separate express consent for:

(A) the transfer or disclosure of the individual's genetic data to any person other than the company's vendors and service providers;

(B) the use of genetic data for a purpose other than the primary purpose of the company's genetic testing product or service; or

(C) the retention of any biological sample provided by the individual following the company's completion of the initial testing service requested by the individual;

(2) an individual's informed consent in accordance with guidelines for the protection of human subjects issued under 45 C.F.R. Part 46, for transfer or disclosure of the individual's genetic data to a third party for:

(A) research purposes; or

(B) research conducted under the control of the company for the purpose of publication or generalizable knowledge; and

(3) an individual's express consent for:

(A) marketing by the company to the individual based on the individual's genetic data; or

(B) marketing by a third party to the individual based on the individual's ordering or purchasing of a genetic testing product or service.

(b) Provides that "marketing," for the purposes of Subsection (a), does not include providing customized content or offers to an individual with whom a direct-to-individual genetic testing company has a first-party relationship on the company's Internet website or through an application or service provided by the company to the individual.

 

Sec. 503A.006. PROHIBITED DISCLOSURES. (a) Prohibits a direct-to-individual genetic testing company from disclosing an individual's genetic data to a law enforcement entity or other governmental body unless:

(1) the company first obtains the individual's express written consent; or

(2) the entity or body obtains a warrant or complies with another valid legal process required by the company.

(b) Prohibits a direct-to-individual genetic testing company from disclosing, without first obtaining an individual's written consent, the individual's genetic data to:

(1) an entity that offers health insurance, life insurance, or long-term care insurance; or

(2) an employer of the individual.

 

Sec. 503A.007. CIVIL PENALTY. (a) Provides that a direct-to-individual genetic testing company that violates this chapter is liable to this state for a civil penalty in an amount not to exceed $2,500 for each violation.

(b) Authorizes the attorney general to bring an action to recover a civil penalty imposed under Subsection (a) and to restrain and enjoin a violation of this chapter. Authorizes the attorney general to recover reasonable attorney's fees and court costs incurred in bringing the action.

 

SECTION 2. Makes application of this Act prospective.

 

SECTION 3. Effective date: September 1, 2023.