BILL ANALYSIS
Senate Research Center |
C.S.H.B. 2545 |
88R28576 JES-F |
By: Capriglione et al. (Johnson) |
|
Business & Commerce |
|
5/9/2023 |
|
Committee Report (Substituted) |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
Genetic data, which results from the DNA or RNA analysis of a biological sample, can provide insights about ethnicity, family history, and predisposition to diseases and health disorders. Such personal information is currently protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that holds healthcare providers to certain security standards in collecting genetic data. However, private genetic testing companies such as Ancestry and 23andMe fall in a regulatory gray area.
Currently, Texas does not have a genetic data privacy law, which would hold
genetic testing companies accountable for data protection. However, states such
as Arizona, California, Kentucky, Maryland, Utah, and Wyoming have passed and
enacted genetic data privacy laws to regulate genetic data use.
H.B. 2545 would establish genetic data protection for Texans by adding Chapter 503A to the Business and Commerce Code. Most significantly, the bill holds genetic data testing companies accountable for how they secure and use genetic data and biological samples. For Texans who submit DNA to direct-to-individual genetic testing companies, H.B. 2545 would reaffirm that they are always informed and have complete control of when and how their genetic data will be shared through signed informed consent. Finally, H.B. 2545 would establish that genetic data cannot be shared with a governmental entity unless a warrant is issued, providing penalties for any genetic data testing company that violates the law.
C.S.H.B. 2545 clarifies that the bill is referring to consumers and not individuals and it exempts clinical health care providers, such as MD Anderson, from the definition of "direct-to-consumer" genetic testing company. Additionally, it includes a new section which states that a consumer has exclusive property rights in, and retains the rights to exercise exclusive control over, the consumer's DNA derived from a biological sample and the sample itself.
C.S.H.B. 2545 amends current law relating to an individual's genetic data, including the use of that data by certain genetic testing companies for commercial purposes and the individual's property right in DNA and authorizes a civil penalty.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Subtitle A, Title 11, Business and Commerce Code, by adding Chapter 503A, as follows:
�
CHAPTER 503A. DIRECT-TO-CONSUMER GENETIC TESTING COMPANIES;
RIGHTS REGARDING DNA
Sec. 503A.001. DEFINITIONS. Defines "biological sample," "deidentified data," "direct-to-consumer genetic testing company," "DNA," "express consent," "genetic data," "genetic testing," and "person."
Sec. 503A.002. APPLICABILITY. (a) Provides that this chapter applies to a direct-to-consumer genetic testing company that:
(1) offers its products or services to individuals who are residents of this state; or
(2) collects, uses, or analyzes genetic data that results from the company's products or services and was provided to the company by an individual who is a resident of this state rather than by or at the direction of a health care provider.
(b)� Provides that this chapter does not apply to:
(1)� an entity only when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined by 45 C.F.R. Section 164.501, that is conducted in accordance with:
(A) the federal policy for the protection of human subjects (45 C.F.R. Part 46);
(B) the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH); or
(C) the United States Food and Drug Administration policy for the protection of human subjects (21 C.F.R. Parts 50 and 56); or
(2)� genetic data that is protected health information collected by a covered entity or business associate, as defined by 45 C.F.R. Part 160, subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
(3) an institution of higher education or a private or independent institution of higher education, as those terms are defined by Section 61.003 (Definitions), Education Code;
(4) an entity when the entity is offering genetic testing products or services through a health care provider; or
(5) the collection, use, or analysis of genetic data by a health care provider.
Sec. 503A.003. EXCLUSIVE PROPERTY RIGHT IN DNA; CONFIDENTIALITY. Provides that an individual has a property right in, and retains the right to exercise exclusive control over, the individual's biological sample and the results of genetic testing or analysis conducted on the individual's DNA, including to the collection, use, retention, maintenance, disclosure, or destruction of the sample or results. Provides that the results of the genetic testing of an individual's DNA, without regard to whether those results are held by a public or private entity, are confidential and are prohibited from being disclosed to another person without the individual's express consent.
Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED DATA.� (a)� Requires a direct-to-consumer genetic testing company that possesses an individual's deidentified data, except as otherwise provided by this chapter or other law, to:
(1)� implement administrative and technical measures to ensure the data is not associated with a particular individual; and
(2)� publicly commit to maintaining and using data in deidentified form and refraining from making any attempt to identify an individual using the individual's deidentified data.
(b)� Requires a company to enter into a legally enforceable contractual obligation prohibiting the person from attempting to identify an individual using the individual's deidentified data if the direct-to-consumer genetic testing company shares an individual's deidentified data with another person.
Sec. 503A.005. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a)� Requires a direct-to-consumer genetic testing company to:
(1) develop, implement, and maintain a comprehensive security program to protect an individual's genetic data against unauthorized access, use, or disclosure; and
(2) make publicly available:
(A) a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and
(B) a prominent privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
(b) Requires a direct-to-consumer genetic testing company, before collecting, using, or disclosing an individual's genetic data, to provide to the individual information about the company's collection, use, and disclosure of genetic data the company collects through a genetic testing product or service, including information that:
(1) clearly describes the company's use of the genetic data;
(2) specifies the persons who have access to test results; and
(3) specifies the manner in which the company is authorized to share the genetic data.
(c)� Requires a direct-to-consumer genetic testing company to provide a process for an individual to:
(1) access the individual's genetic data;
(2) delete the individual's account and genetic data; and
(3) destroy or require the destruction of the individual's biological sample.
Sec. 503A.006. REQUIRED CONSENT. (a) Requires a direct-to-consumer genetic testing company engaging in any of the following activities to obtain:
(1)� an individual's separate express consent for:
(A)� the transfer or disclosure of the individual's genetic data to any person other than the company's vendors and service providers;
(B)� the use of genetic data for a purpose other than the primary purpose of the company's genetic testing product or service; or
(C)� the retention of any biological sample provided by the individual following the company's completion of the initial testing service requested by the individual;
(2)� an individual's informed consent in accordance with guidelines for the protection of human subjects issued under 45 C.F.R. Part 46, for transfer or disclosure of the individual's genetic data to a third party for:
(A)� research purposes; or
(B)� research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
(3)� an individual's express consent for:
(A)� marketing by the company to the individual based on the individual's genetic data; or
(B)� marketing by a third party to the individual based on the individual's ordering or purchasing of a genetic testing product or service.
(b) Provides that "marketing," for the purposes of Subsection (a), does not include providing customized content or offers to an individual with whom a direct-to-consumer genetic testing company has a first-party relationship on the company's Internet website or through an application or service provided by the company to the individual.
Sec. 503A.007. PROHIBITED DISCLOSURES. (a) Prohibits a direct-to-consumer genetic testing company from disclosing an individual's genetic data to a law enforcement entity or other governmental body unless:
(1) the company first obtains the individual's express written consent; or
(2) the entity or body obtains a warrant or complies with another valid legal process required by the company.
(b) Prohibits a direct-to-consumer genetic testing company from disclosing, without first obtaining an individual's written consent, the individual's genetic data to:
(1) an entity that offers health insurance, life insurance, or long-term care insurance; or
(2) an employer of the individual.
Sec. 503A.008. CIVIL PENALTY. (a)� Provides that a direct-to-consumer genetic testing company that violates this chapter is liable to this state for a civil penalty in an amount not to exceed $2,500 for each violation.
(b)� Authorizes the attorney general to bring an action to recover a civil penalty imposed under Subsection (a) and to restrain and enjoin a violation of this chapter. Authorizes the attorney general to recover reasonable attorney's fees and court costs incurred in bringing the action.
SECTION 2. Makes application of this Act prospective.
SECTION 3. Effective date: September 1, 2023.