Scope

Under the Act, direct-to-consumer genetic testing companies are required to provide information to consumers about companies' policies for collecting, using, and disclosing genetic information. In this respect, Kristen Rosati, Partner at Coppersmith Brockelman PLC provided, "Companies are required to provide a 'high-level privacy policy' that includes basic information about these topics and a 'prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security and retention, and deletion practices'.

As a practical matter, most companies will have to provide a publicly available privacy notice directly to consumers ordering genetic testing. To comply with the new Arizona requirements, a company should include information about:

• the company's consent practices; 
• how the company will collect, internally use, and externally disclose genetic data to third parties;
• a basic description of the security program the company has in place to prevent unauthorised access or disclosure; 
• a description of how long the company will retain genetic data; and 
• how the data will be destroyed at the end of the retention period."

Consent requirements under the Act

Another interesting aspect of this Act is that it calls for three forms of consent as part of the requirement for express consent. Specifically, the Act introduces initial express consent, separate express consent, and informed consent, and Kristen highlighted that, "Where a law requires consent, it is always important to document and record those consents to be able to prove compliance with the law."

In addition, Kristen explained that there are four separate consents under the law.

"'Express consent' is defined as 'a consumer's affirmative response to a clear and prominent notice regarding collecting, using, or disclosing genetic data for a specific purpose'. 

'Initial express consent' must describe the use of the genetic data, including who has access to the test results and how the genetic data may be shared. The statute does not describe when this 'initial' consent is required, but the likely interpretation is that it will be required upon initiation of the business with the consumer.

'Separate express consent' is required if: 

• genetic data will be disclosed to third parties other than the company's vendors or service providers;
• the genetic data will be used for purposes other than providing the genetic testing product or service to the consumer; or 
• the biological sample will be retained following the initial testing service provided.   

While the statute does not define what 'separate express consent' means, a likely interpretation is that it must be separated from the 'initial express consent' collected at initiation of the services. A different form or a separately signed part of the form, which is not a requirement of receiving the genetic testing service, likely would comply with this requirement.

'Informed consent' is the terminology used for consent to transfer the genetic data to third parties for research. An 'informed consent' must comply with the federal regulations on human subjects research protection, found [under Part 46 of Title 45 of the Code of Federal Regulations], also known as the 'Common Rule'.

Finally, there are separate requirements to obtain consent to use genetic data for marketing."

Security programs

A further requirement provided for by the Act concerns the obligation to develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorised access, use, or disclosure.

In this respect, Kristen stated, "There are no details in the new statute about what security is required. The statute simply requires covered companies to [have a comprehensive security program in place]. Companies thus may look to other standards that apply to determine the elements of an appropriate security program, such as compliance with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Security Rule, the Health Information Trust Alliance certification, or other industry best practices."

Implication of the Act to businesses

Kristen explained, "The Act has limited applicability to organisations conducting business in Arizona and applies only to a 'direct-to-consumer genetic testing company'. [However,] there are a number of embedded definitions here that are important to understand to determine whether a company must comply with the Act, including biological samples, consumer, genetic data, and genetic testing. If a company must comply with this new Arizona law, the company must comply with a host of new requirements." 

Yet, there are also various important exclusions under the Act which were provided for in order to reduce the impact on health care organisations and clinical laboratories providing treatment involving genetic data and on organisations engaged in medical research. Specifically, Kristen detailed that, "the Act does not apply to:  

• protected health information that is collected by an entity regulated by HIPPA; 
• biological samples obtained or genetic data generated for a patient's medical screening, treatment, or diagnosis; and
• genetic data that is generated for purposes that are already exempt from Arizona's original genetic testing statute."

Those original exemptions include genetic testing widely accepted and used in clinical practice, genetic testing for criminal investigation, genetic testing for HIV, paternity testing, and genetic testing for research. Furthermore, the Act does not apply to a public or private institution of higher education, such as a university, or an entity owned or operated by such an institution.

Kristen stated, "This new Arizona law was triggered by the concerns that companies doing direct-to-consumer testing were not subject to HIPAA and state-based health information confidentiality laws."  

Conclusion

The Law introduces significant requirements and obligations to direct-to-consumer genetic testing companies and failure to comply with the Law attracts a civil penalty of up to $2,500 per violation, payment of actual damages incurred by consumers, and costs and reasonable attorney fees incurred by the Office of the Attorney General. 

Kristen acknowledged that "this is a good development - and one I understand was supported by direct-to-consumer testing companies - because it assures individuals that their most private information will be protected when they sign up for genetic testing services."

Wangari Thuo, Privacy Analyst
[email protected] 

Comments provided by:

Kristen Rosati, Partner
[email protected]
Coppersmith Brockelman PLC