First Regular Session H.B. 2069
SENATE AMENDMENTS TO H.B. 2069
(Reference to House engrossed bill)
Strike everything after the enacting clause and insert:
"Section 1. Title 44, Arizona Revised Statutes, is amended by adding chapter 38, to read:
GENETIC TESTING COMPANIES
ARTICLE 1. GENERAL PROVISIONS
In this chapter, unless the context otherwise requires:
1. "Biological sample" means any material part of a human, discharge from a human or derivative of a human, including tissue, blood, urine or saliva, that is known to contain DNA.
2. "Consumer" means an individual who is a resident of this state.
3. "De-identified data" means data that has been de-identified in accordance with 45 code of federal regulations section 164.514(b).
4. "Direct-to-consumer genetic testing company" or "company" means an entity that offers genetic testing products or services directly to consumers that involve collecting from a consumer of either genetic data or biological samples and from which the company derives genetic data for analysis.
5. "Express consent" means a consumer's affirmative response to a clear and prominent notice regarding collecting, using or disclosing genetic data for a specific purpose.
6. "Genetic data":
(a) Means any data, regardless of its format, that concerns a consumer's genetic characteristics.
(i) Raw sequence data that results from sequencing of a consumer's complete extracted DNA or a portion of the consumer's extracted DNA.
(ii) Genotypic and phenotypic information that results from analyzing the raw sequence data.
(iii) Self-reported health information that a consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data.
(c) Does not include de-identified data.
7. "Genetic testing" means any laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes or gene products to determine the presence of a consumer's genetic characteristics.
44-7922. Direct-to-consumer genetic testing company requirements; prohibition
A. A direct-to-consumer genetic testing company shall:
1. Provide clear and complete information regarding the company's policies and procedures for collecting, using or disclosing genetic data by making available to a consumer both of the following:
(b) A prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices.
2. Obtain a consumer's consent for collecting, using or disclosing the consumer's genetic data, including:
(a) Initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service and that specifies who has access to test results and how the genetic data may be shared.
(b) Separate express consent for any of the following:
(i) Transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers.
(ii) Using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses.
(iii) Retaining any biological sample provided by the consumer following completion of the initial testing service requested by the consumer.
(c) Informed consent in compliance with the federal policy for the protection of human research subjects prescribed by 45 Code of Federal Regulations part 46 for transferring or disclosing the consumer's genetic data to third-party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge.
(d) Express consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. For the purposes of this subdivision, marketing does not include providing customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer.
3. Require a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent.
4. Develop, implement and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use or disclosure.
5. Provide a process for a consumer to do all of the following:
(a) Access the consumer's genetic data.
(b) Delete the consumer's account and genetic data.
(c) Request and obtain the destruction of the consumer's biological sample.
6. Disclose genetic data only in accordance with section 12-2802.
B. Notwithstanding any other provision in this section, a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance or to any employer of the consumer.
This chapter does not apply to any of the following:
1. Protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services under 45 Code of Federal Regulations parts 160 and 164.
2. Biological samples that are obtained or genetic data that is generated for the purposes of an individual's medical screening, treatment or diagnosis.
3. Genetic data that is generated by analyses or tests described in section 12-2801, paragraph 1, subdivision (b).
4. A public or private institution of higher education or an entity that is owned or operated by a public or private institution of higher education.
44-7924. Enforcement; violation; civil penalty; damages; costs; attorney fees
The attorney general may bring an action to enforce this chapter. A person who violates this chapter is subject to:
1. A civil penalty of up to $2,500 for each violation.
2. The payment of actual damages incurred by consumers as a result of the violation.
3. Costs and reasonable attorney fees incurred by the office of the attorney general.
Sec. 2. Short Title
Title 44, Chapter 38, Arizona Revised Statutes, as added by this act, may be cited as the "Genetic Information Privacy Act"."
Amend title to conform