Telephone: (602) 926-3171




TO:                  MEMBERS OF THE SENATE

                        HEALTH & HUMAN SERVICES COMMITTEE

DATE:            March 22, 2021

SUBJECT:      Strike everything amendment to H.B. 2069, relating to to genetic testing; private property



            Outlines disclosure, consent, testing and privacy requirements and exemptions for a direct-to-consumer genetic testing company that collects and processes DNA, chromosomes, genes or gene products. Designates penalties for violations of prescribed requirements and prohibitions. Defines key terms relating to the practice of genetic testing.


            Current statute defines genetic testing as a test of a person's genes, genetic sequence, gene products or chromosomes for abnormalities or deficiencies, including carrier status that: 1) are linked to physical or mental disorders or impairments; 2) indicate a susceptibility to any illness, disease, impairment or other disorder, whether physical or mental; 3) demonstrate genetic or chromosomal damage due to any environmental factor (A.R.S.§ 12-2801).

            In Arizona, genetic testing and information derived from genetic testing is confidential and considered privileged information to the person tested. Information relating to genetic testing can only be released as authorized by Arizona or Federal law, including Health Insurance Portability and Accountability Act (HIPPA) privacy standards (A.R.S. § 12-2802).

            Arizona and Federal patient privacy laws prohibit a person from ordering or requiring the performance of a genetic test without first receiving the specific written informed consent of the subject of the test who has the capacity to consent. If the person subject to the test lacks the capacity to consent, an authorized person must provide written consent for the tested individual. The results of a genetic test are privileged and confidential and may not be released to any party without the express consent of the tested individual (A.R.S. § 20-448.02).

            There is no anticipated fiscal impact to the state General Fund associated with this legislation.


Genetic Testing Company Requirements

1.   Requires a direct-to-consumer genetic testing company to provide clear and complete information regarding the company’s policies and procedures for collecting, using or disclosing genetic data by making the following information available:

a)   a high-level privacy policy overview that includes basic, essential information about the company's collection, use or disclosure of genetic data; and

b)   a prominent, publicly available private notice that includes information about the company’s collection, consent, use, access, disclosure, transfer, security and retention and deletion practices.

2.   Requires a direct-to-consumer genetic testing company to obtain a consumer's consent for collecting, using or disclosing the consumer's genetic data, including:

a)   initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service and that specifies who has access to test results and how the genetic data may be shared;

b)   separate express consent for the following:

c)   transferring or disclosing the consumer's genetic data to any other person that the company's vendors and service providers;

d)   using genetic data beyond the primary purpose of the genetic testing product or service; and

e)   retaining any biological sample provided by the consumer following completion of the initial requested testing service;

f) informed consent in compliance with prescribed federal policies regarding the protection of human research subjects; and

g)   express consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the consumer's order or purchase of a genetic testing product or service.

3.   Necessitates that a direct-to-consumer genetic testing company must require a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent.

4.   Directs a direct-to-consumer genetic testing company to develop, implement and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use or disclosure.

5.   Instructs a direct-to-consumer genetic testing company to provide a process for a consumer to:

a)   access the consumer's genetic data;

b)   delete the consumer's account and genetic data; and

c)   request and obtain the destruction of the consumer's biological sample.

6.   Specifies that a direct-to-consumer genetic testing company may only disclose genetic data as prescribed.

7.   Prohibits a direct-to-consumer genetic testing company from disclosing a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance or to any employer of the consumer.


8.   Exempts the following entities, information, samples and data from requirements prescribe for genetic testing companies:

a)   protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification as issued by the United States Department of Health and Human Services;

b)   biological samples that are obtained or genetic data that is generated for the purposes of an individual's medical screening, treatment or diagnosis;

c)   genetic data that is generated by analyses or tests; and

d)   a public or private institution of higher education or an entity that is owned or operated by a public or private institution of higher education.


9.   Allows the Attorney General to bring action against an individual who violates outlined standards regarding genetic testing information, and prescribes the following penalties:

a)   a civil penalty of up to $2,500 for each violation;

b)   the payment of actual damages incurred by consumers as a result of the violation; and/or

c)   costs and reasonable attorney fees incurred by the office of the Attorney General.


10.  Designates this legislation as the Genetic Information Privacy Act.

11.  Defines relevant terms.

12.  Becomes effective on the general effective date.