Email
WEST VIRGINIA LEGISLATURE
2024 REGULAR SESSION
Introduced
House Bill 5110
By Delegate Young
[Introduced January 25, 2024; Referred to the Committee on Health and Human Resources then the Judiciary
A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article, designated §16-67-1, §16-67-2, §16-67-3, and §16-67-4, all relating to creating the Genetic Information Privacy Act; and to provide guidelines for the collection, storage, and protection of privacy with concern to genetic material and information.
Be it enacted by the Legislature of West Virginia:
(a) This article shall be known, and may be cited, as the Genetic Information Privacy Act.
(b) For purposes of this article, the following definitions apply:
(1) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).
(2) "Consumer" means an individual who is a resident of this state.
(3) "Direct-to-consumer genetic testing company" or "company" means an entity that:
(A) Offers consumer genetic testing products or services directly to a consumer; or
(B) Collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer.
(4) "Direct-to-consumer genetic testing company" does not include any entity only when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined in 45 C.F.R sec. 164.501, conducted in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. pt. 46, the Good Clinical Practice Guideline issued by the International Council for Harmonisation, or the United States Food and Drug Administration Policy for the Protection of Human Subjects under 21 C.F.R. pts. 50 and 56;
(5) "Express consent" means a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
(6) "Genetic data" means any data, regardless of its format, that concerns a consumer's genetic characteristics.
(A) "Genetic data" includes, but is not limited to:
(i) Raw sequence data that result from sequencing of a consumer's complete extracted or a portion of the extracted DNA;
(ii) Genotypic and phenotypic information that results from analyzing the raw sequence data; and
(iii) Self-reported health information that a consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data.
(B) "Genetic data" does not include deidentified data. For purposes of this subsection, "deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer, and that is subject to:
(i) Administrative and technical measures to ensure that the data cannot be associated with a particular consumer;
(ii) Public commitment by the company to maintain and use data in deidentified form and not attempt to reidentify data; and
(iii) Legally enforceable contractual obligations that prohibit any recipients of the data from attempting to reidentify the data.
(7) "Genetic testing" means any laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer.
(8) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.
(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall:
(1) Provide clear and complete information regarding the company's policies and procedures for collection, use, or disclosure of genetic data by making available to a consumer:
(A) A high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and
(B) A prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices;
(2) Obtain a consumer's consent for collection, use, or disclosure of the consumer's genetic data including, at a minimum:
(A) Initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service, and specifies who has access to test results and how the genetic data may be shared;
(B) Separate express consent for transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses;
(C) Separate express consent for the retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer.
(D) Informed consent in compliance with the federal policy for the protection of human research subjects, 45 C.F.R. Sec. 46 (2019), for transfer or disclosure of the consumer's genetic data to third party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
(E) Express consent for marketing to a consumer based on the consumer's genetic data; or for marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the customer.
(3) Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent;
(4) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and
(5) Provide a process for a consumer to:
(A) Access the consumer's genetic data;
(B) Delete the consumer's account and genetic data; and
(C) Request and obtain the destruction of the consumer's biological sample.
(b) Notwithstanding any other provisions in this section, a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance, or to any employer of the consumer without the consumer's written consent.
(c) The Attorney General may bring an action in the name of the state, or as parens patriae on behalf of Consumers, to enforce this article. In any action brought by the Attorney General to enforce this article, a violation of this article is subject to a civil penalty of $2,500 for each violation of this article, the recovery of actual damages incurred by Consumers on whose behalf the action was brought, and costs and reasonable attorneys' fees incurred by the office of the Attorney General.
(a) Limitations. This article does not apply to:
(1) Protected health information that is collected by a covered entity or business associate as those terms are defined in 45 C.F.R. Parts 160 and 164;
The disclosure of genetic data pursuant to this article shall comply with all state and federal laws for the protection of privacy and security. This article shall not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (Parts Regulations) 160 and 164 of Title 45 of the Code of Federal Services (Parts Regulations) established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
NOTE: The purpose of this bill is to provide guidelines for the collection, storage, and protection of privacy with concern to genetic material and information.
Strike-throughs indicate language that would be stricken from a heading or the present law, and underscoring indicates new language that would be added.
Webmaster | © 2024 West Virginia Legislature **
