Law360 (October 4, 2021, 5:30 PM EDT) —
On June 29, Florida Gov. Ron DeSantis signed into law H.B. 833, known as the Protecting DNA Privacy Act.

The act took effect on Oct. 1, and applies to the collection, use, retention, maintenance and disclosure of a DNA sample collected from an individual in Florida as well as the results of any subsequent DNA analysis. The act is self-executing and took effect without the need for creation of implementing regulations.

The act clarifies the extent to which individuals own their genetic information, and it creates new crimes for the unlawful collection, retention, analysis, disclosure or sale of an individual’s DNA sample and the results of a DNA analysis, subject to certain limited exemptions, such as use for specified clinical or research purposes.

The act also has important implications for secondary uses of data by health care providers and others that perform genetic testing and analyze genetic information.

Background

The use and accessibility of genetic testing, especially through direct-to-consumer options, has increased greatly in recent years, which has resulted in growing concerns about the privacy of genetic information and its use by third parties.

The Florida Legislature has been particularly focused on bolstering the protections surrounding genetic information. In 2020, the Florida Legislature amended Florida law to limit the use of genetic information by life insurance companies for certain insurance purposes, including underwriting.[1]

In the final bill analysis for the act, the Florida House of Representatives noted that while many state and federal laws “protect[ed] a person’s unique genetic material from being misused by insurance providers or for discriminatory purposes,” there was no law that “specifically protect[ed] a person’s DNA from being collected or analyzed without his or her consent.”[2]

The act greatly expands current protections of genetic information while further defining an individual’s ownership interest in both the DNA sample and the information derived therefrom.

Analysis

The act seeks to prevent the surreptitious collection or analysis of a DNA sample.[3] It establishes a separate criminal penalty for each instance of intentional collection, retention, maintenance, submission for analysis, performance of analysis, disclosure or sale of an individual’s DNA without his or her express consent.

The act’s heightened protections are rooted in the fact that an individual has an exclusive property right in the results of his or her DNA sample and analysis thereof. While this property right was already present in Florida’s law, it was previously undefined by the Florida Legislature.

Courts applying Florida law have held that property rights in blood and tissue evaporate once the sample is voluntarily given to a third party.[4]

The act is thus significant in clarifying that “exclusive property” means a person’s right “to exercise control over his or her DNA sample or any results of his or her DNA analysis with regard to the collection, use, retention, maintenance, disclosure, or destruction of such sample or analysis results.”

Importantly, the consent requirements apply only to DNA samples that are collected from an individual in Florida, and they are subject to certain limited exemptions. The act does not apply to a DNA sample, a DNA analysis or the results of a DNA analysis when used for specified purposes, including, most relevant for health care providers, the following:
Medical diagnosis, conducting quality assessment, improvement activities and treatment of a patient when: (i) express consent for clinical laboratory analysis of the DNA sample was obtained by the health care practitioner who collected the DNA sample; or (ii) performed by a clinical laboratory certified by the Centers for Medicare and Medicaid Services.

Conducting research, and designing and preparing such research, subject to the requirements of, and in compliance with 45 C.F.R. part 46, 21 C.F.R. parts 50 and 56, or 45 C.F.R. parts 160 and 164; or utilizing information that is de-identified consistent with 45 C.F.R. parts 160 and 164 and that is originally collected and maintained for research subject to the requirements of, and in compliance with, 45 C.F.R. part 46, 21 C.F.R. parts 50 and 56, or 45 C.F.R. parts 160 and 164.
Under the first exemption above, if a clinical laboratory is certified under the Clinical Laboratory Improvement Amendments of 1988, which are administered by the Centers for Medicare and Medicaid Services, and is performing DNA analysis for purposes of medical diagnosis or treatment of a patient, or is using the results of DNA analysis for quality assessment or improvement activities, it would appear to be able to perform such activities absent express consent of the patient.

Moreover, if a health care provider obtained the individual’s express consent for laboratory analysis of the sample before collecting the DNA sample, a health care provider would not need to obtain additional express consent prior to analyzing the DNA sample or using the results of the DNA analysis for the purposes enumerated under the first exemption above. This provision should help CLIA-certified laboratories and other health care providers use samples for these routine purposes.

The second exemption above permits the use of a DNA sample or the results of a DNA analysis for conducting, designing and preparing research if the research is conducted in accordance with the Federal Policy for the Protection of Human Subjects, U.S. Food and Drug Administration regulations on human subjects research or the Health Insurance Portability and Accountability Act privacy rule.

This exemption would appear to permit a HIPAA-covered clinical laboratory, for example, to use the results of a DNA analysis in accordance with the research provisions of HIPAA, including through conducting a review preparatory to research, conducting research pursuant to a waiver of HIPAA authorization granted by an institutional review board or privacy board, or conducting research with a signed HIPAA authorization.

Similarly, both clinical laboratories that are covered entities subject to HIPAA and those that are not covered entities would appear to be able to use a DNA sample or the results of a DNA analysis for research that is subject to, and in compliance with, the common rule or the FDA regulations on human subjects research, such as in the development of an in vitro diagnostic product regulated by the FDA.

Notably, unlike HIPAA, the act does not contain a broad exemption for deidentified information.

Rather, it exempts only deidentified information when such information was originally collected and maintained for research subject to the requirements of, and in compliance with, HIPAA, the common rule or the FDA regulations on human subjects research.

Because the act is more stringent than HIPAA with respect to uses of deidentified information, it is not preempted by HIPAA’s lack of application to deidentified information.

The act’s legislative history does not discuss why the deidentification exemption is so limited, though from a policy perspective one might think that the limitation is due to the safeguards already in place when information is collected and used for research purposes under the referenced regulatory regimes.

When research is conducted pursuant to these regulations, the DNA sample would generally not have been surreptitiously disclosed, and individuals would thus not be surprised by additional uses of their genetic information.

This rather narrow deidentification exemption poses interesting considerations with respect to secondary uses of the results of DNA analyses by health care providers and other businesses.

For example, health care providers subject to HIPAA may be able to use the results of DNA analysis to identify potential clinical research subjects without obtaining prior express consent of the patient, in accordance with HIPAA’s requirements for a review preparatory to research.

However, the lack of a broad deidentification exemption may restrict the ability of health care providers and other businesses to license out the deidentified results of DNA analysis to third parties in the absence of patient consent.

Businesses engaged in such activities should consider reevaluating their consent processes to determine whether they obtain appropriate consent for all uses of deidentified results of DNA analysis.

Conclusion

The act heightens the protection of an individual’s genetic information beyond that found in existing law and lacks a broad exemption for deidentified information.

Going forward, health care providers and other businesses should assess their current practices with respect to the collection or analysis of DNA samples collected from individuals in Florida and use of the results of the analysis of such samples to determine whether they need to modify their consent practices to comply with the act or whether their practices fall under one of the act’s enumerated exemptions.

With respect to the use and disclosure for secondary purposes of the results of DNA analysis, businesses should evaluate whether such uses fall within one of the act’s exemptions or will require additional consent of the individual to whom the information pertains.

Read more at: https://www.law360.com/articles/1427937?copied=1