What is GIPA?
California is one of a few states that have recently implemented broad consumer privacy protections beyond those offered by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This past October, California passed legislation to protect health information for its residents with Senate Bill 41, also known as the Genetic Information Privacy Act (GIPA). The new legislation will go into effect on January 1st, 2022.
GIPA enforces certain privacy requirements on direct-to-consumer genetic testing companies, particularly regarding genetic data. GIPA defines genetic data as “any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.”
Although GIPA does not apply to deidentified data, it sets a more stringent standard for deidentification than HIPAA, requiring that the data cannot be used to infer information about, or be linked to, a particular individual. According to GIPA, companies possessing consumers’ genetic data must:
- Take reasonable measures to ensure that the information cannot be associated with a consumer or household.
- Publicly commit to maintain and use the information only in deidentified form and not attempt to reidentify the information, unless solely for the purpose of determining whether its deidentification processes comply with GIPA’s requirements. In this event, the business must not disclose any information reidentified in the process and destroy the reidentified information upon completion of the assessment.
- Contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form.
Additionally, these companies must implement and maintain reasonable security procedures and practices that will protect their consumers’ genetic data from unauthorized access, destruction, use, modification, or disclosure.
Importantly, they must also develop procedures and practices that clearly allow consumers to access their genetic data and delete it. They must obtain a consumer’s consent for collection, use, or disclosure of an individual’s genetic data, and if that consent is revoked, they must destroy the biological sample within 30 days.
What Does GIPA Mean for Discovery?
Vendors and law firms will need to be vigilant about complying with this new law. This means asking your Discovery vendor what processes they have in place to protect any genetic information they may collect. Their approach cannot be one-size-fits-all; it will need to be tailored to account for regional laws.
For law firms, GIPA might also mean carefully following your discovery process so you can defend it if any questions are asked about where your data was collected from. There may also be an opportunity to keep Discovery costs down if this data is excluded from collection to begin with.
Because genetic data will now be included in data breach notifications, any company handling genetic information for a California resident will need to update its security procedures to safeguard against data breaches. Like other data privacy and security laws, GIPA does not specify what constitutes “reasonable” security and leaves individual companies to make that determination based on industry best practices.
We will have a better understanding of the full implications of GIPA in California once the law comes into effect on January 1st, 2022. While much of the language in GIPA applies to direct-to-consumer genetic testing companies, in time the rights it establishes around genetic data may carry over to any company handling this kind of information. As always, it is best to be prepared and take precautions while the lines are being drawn, rather than come under judicial scrutiny and face penalties.