13-60 - Genetic Information Privacy Act
Title 13 > 13-60
Sections (11)
Genetic Information Privacy Act
13-60-101 - Title.
This chapter is known as the “Genetic Information Privacy Act.”
Enacted by Chapter 361, 2021 General Session
13-60-102 - Definitions.
As used in this part:
(1) “Biological sample” means any human material known to contain DNA, including tissue, blood, urine, or saliva.
(2) “Consumer” means an individual who is a resident of the state.
(3) “Deidentified data” means data that: cannot reasonably be linked to an identifiable individual; andpossessed by a company that:takes administrative and technical measures to ensure that the data cannot be associated with a particular consumer;makes a public commitment to maintain and use data in deidentified form and not attempt to reidentify data; andenters into legally enforceable contractual obligation that prohibits a recipient of the data from attempting to reidentify the data.
(4) “Direct-to-consumer genetic testing company” or “company” means an entity that: offers consumer genetic testing products or services directly to consumers; orcollects, uses, or analyzes genetic data that a consumer provides to the entity.
(5) “DNA” means deoxyribonucleic acid.
(6) “Express consent” means a consumer’s affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
(7) “Genetic data” means any data, regardless of format, concerning a consumer’s genetic characteristics.”Genetic data” includes:raw sequence data that result from sequencing all or a portion of a consumer’s extracted DNA;genotypic and phenotypic information obtained from analyzing a consumer’s raw sequence data; andself-reported health information regarding a consumer’s health conditions that the consumer provides to a company that the company: uses for scientific research or product development; andanalyzes in connection with the consumer’s raw sequence data.”Genetic data” does not include deidentified data.
(8) “Genetic testing” means: a laboratory test of a consumer’s complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of the consumer; oran interpretation of a consumer’s genetic data.
Amended by Chapter 327, 2023 General Session
13-60-103 - Limitations.
This part does not apply to:
(1) protected health information that is collected by a covered entity or business associate as those terms are defined in 45 C.F.R. Parts 160 and 164;
(2) a public or private institution of higher education; or
(3) an entity owned or operated by a public or private institution of higher education.
Amended by Chapter 327, 2023 General Session
13-60-104 - Consumer genetic information — Privacy notice — Consent — Access — Deletion — Destruction.
(1) A direct-to-consumer genetic testing company shall: provide to a consumer:essential information about the company’s collection, use, and disclosure of genetic data; anda prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;obtain a consumer’s initial express consent for collection, use, or disclosure of the consumer’s genetic data that:clearly describes the company’s use of the genetic data that the company collects through the company’s genetic testing product or service;specifies who has access to test results; andspecifies how the company may share the genetic data;if the company engages in any of the following, obtain a consumer’s:separate express consent for: the transfer or disclosure of the consumer’s genetic data to any person other than the company’s vendors and service providers;the use of genetic data beyond the primary purpose of the company’s genetic testing product or service; orthe company’s retention of any biological sample provided by the consumer following the company’s completion of the initial testing service requested by the consumer;informed consent in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46, for transfer or disclosure of the consumer’s genetic data to a third party for: research purposes; orresearch conducted under the control of the company for the purpose of publication or generalizable knowledge; andexpress consent for: marketing to a consumer based on the consumer’s genetic data; ormarketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;require valid legal process for the company’s disclosure of a consumer’s genetic data to law enforcement or any government entity without the consumer’s express written consent;develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure; andprovide a process for a consumer to:access the consumer’s genetic data;delete the consumer’s account and genetic data; anddestroy the consumer’s biological sample.
(2) Notwithstanding Subsection (1)(c)(iii), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer’s express consent, provide customized content or offers on the company’s website or through the company’s application or service.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-105 - Prohibited disclosures.
A direct-to-consumer genetic testing company may not disclose a consumer’s genetic data without the consumer’s written consent to:
(1) an entity that offers health insurance, life insurance, or long-term care insurance; or
(2) an employer of the consumer.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-106 - Enforcement powers of the attorney general.
(1) The attorney general may enforce this part.
(2) The attorney general may initiate a civil enforcement action against a person for violating this part.
(3) In an action to enforce this part, the attorney general may recover: actual damages to the consumer;costs;attorney fees; and$2,500 for each violation of this part.
Renumbered and Amended by Chapter 327, 2023 General Session
Genetic Testing and Procedure Privacy Act
13-60-203 - Definitions.
As used in this part:
(1) “Blood relative” means an individual’s biologically related: parent;grandparent;child;grandchild;sibling;uncle;aunt;nephew;niece; orfirst cousin.
(2) “DNA” means: deoxyribonucleic acid, ribonucleic acid, and chromosomes, which may be analyzed to detect heritable diseases or conditions, including the identification of carriers, predicting risk of disease, or establishing a clinical diagnosis; orproteins, enzymes, or other molecules associated with a genetic process, which may be modified, replaced in part or whole, superseded, or bypassed in function by a health or medical procedure.
(3) “DNA sample” means any human biological specimen from which DNA can be extracted, or DNA extracted from such specimen.
(4) “Employer” means the same as that term is defined in Section 34A-2-103.
(5) “Genetic analysis” or “genetic test” means the testing, detection, or analysis of an identifiable individual’s DNA that results in information that is derived from the presence, absence, alteration, or mutation of an inherited gene or genes, or the presence or absence of a specific DNA marker or markers.”Genetic analysis” or “genetic test” does not mean:a routine physical examination;a routine chemical, blood, or urine analysis;a test to identify the presence of drugs or HIV infection; ora test performed due to the presence of signs, symptoms, or other manifestations of a disease, illness, impairment, or other disorder.
(6) “Genetic procedure” means any therapy, treatment, or medical procedure that is intended to: add, remove, alter, activate, change, or cause mutation in an individual’s inherited DNA; orreplace, supersede, or bypass a normal DNA function.
(7) “Health care insurance” means the same as that term is defined in Section 31A-1-301.
(8) “Private genetic information” means any information about an identifiable individual that:is derived from: the presence, absence, alteration, or mutation of an inherited gene or genes; orthe presence or absence of a specific DNA marker or markers; andhas been obtained: from a genetic test or analysis of the individual’s DNA;from a genetic test or analysis of the DNA of a blood relative of the individual; orfrom a genetic procedure.”Private genetic information” does not include information that is derived from:a routine physical examination;a routine chemical, blood, or urine analysis;a test to identify the presence of drugs or HIV infection; ora test performed due to the presence of signs, symptoms, or other manifestations of a disease, illness, impairment, or other disorder.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-204 - Restrictions on employers.
(1) Except as provided in Subsection (2), an employer may not in connection with a hiring, promotion, retention, or other related decision: access or otherwise take into consideration private genetic information about an individual;request or require an individual to consent to a release for the purpose of accessing private genetic information about the individual;request or require an individual or the individual’s blood relative to submit to:a genetic test; ora genetic procedure; orinquire into or otherwise take into consideration the fact that an individual or the individual’s blood relative has:taken or refused to take a genetic test; orundergone or refused to undergo a genetic procedure.
(2) Notwithstanding Subsection (1), an employer may seek an order compelling the disclosure of private genetic information held by an individual or third party pursuant to Subsection (2)(b) in connection with:an employment-related judicial or administrative proceeding in which the individual has placed his health at issue; oran employment-related decision in which the employer has a reasonable basis to believe that the individual’s health condition poses a real and unjustifiable safety risk requiring the change or denial of an assignment.An order compelling the disclosure of private genetic information pursuant to this Subsection (2) may only be entered upon a finding that: other ways of obtaining the private information are not available or would not be effective; andthere is a compelling need for the private genetic information which substantially outweighs the potential harm to the privacy interests of the individual.An order compelling the disclosure of private genetic information pursuant to this Subsection (2) shall: limit disclosure to those parts of the record containing information essential to fulfill the objective of the order;limit disclosure to those persons whose need for the information is the basis of the order; andinclude such other measures as may be necessary to limit disclosure for the protection of the individual.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-205 - Restrictions on health insurers.
(1) Except as provided in Subsection (2), an insurer offering health care insurance may not in connection with the offer or renewal of an insurance product or in the determination of premiums, coverage, renewal, cancellation, or any other underwriting decision that pertains directly to the individual or any group of which the individual is a member that purchases insurance jointly: access or otherwise take into consideration private genetic information about an asymptomatic individual;request or require an asymptomatic individual to consent to a release for the purpose of accessing private genetic information about the individual;request or require an asymptomatic individual or the individual’s blood relative to submit to a genetic test;inquire into or otherwise take into consideration the fact that an asymptomatic individual or the individual’s blood relative has taken or refused to take a genetic test;request or require an individual or the individual’s blood relative to submit to a genetic procedure; orinquire into the results of a genetic procedure that an individual or the individual’s blood relative undergoes.
(2) An insurer offering health care insurance: may request information regarding the necessity of a genetic test, but not the results of the test, if a claim for payment for the test has been made against an individual’s health insurance policy;may request information regarding the necessity of a genetic procedure, including the results of the procedure, if a claim for payment for the procedure has been made against an individual’s health insurance policy;may request that portion of private genetic information that is necessary to determine the insurer’s obligation to pay for health care services where:the primary basis for rendering such services to an individual is the result of a genetic test; anda claim for payment for such services has been made against the individual’s health insurance policy;may only store information obtained under this Subsection (2) in accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996; andmay only use or otherwise disclose the information obtained under this Subsection (2) in connection with a proceeding to determine the obligation of an insurer to pay for a genetic test or health care services, provided that, in accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996, the insurer makes a reasonable effort to limit disclosure to the minimum necessary to carry out the purposes of the disclosure.
(3) An insurer may, to the extent permitted by Subsection (2), seek an order compelling the disclosure of private genetic information held by an individual or third party.An order authorizing the disclosure of private genetic information pursuant to this Subsection (2) shall:limit disclosure to those parts of the record containing information essential to fulfill the objectives of the order;limit disclosure to those persons whose need for the information is the basis for the order; andinclude such other measures as may be necessary to limit disclosure for the protection of the individual.
(4) Nothing in this section may be construed as restricting the ability of an insurer to use information other than private genetic information to take into account the health status of an individual, group, or population in determining premiums or making other underwriting decisions.
(5) Nothing in this section may be construed as: requiring an insurer to pay for genetic testing or a genetic procedure; orprohibiting the use of step-therapy protocols.
(6) Information maintained by an insurer about an individual under this section may be redisclosed: to protect the interests of the insurer in detecting, prosecuting, or taking legal action against criminal activity, fraud, material misrepresentations, and material omissions;to enable business decisions to be made about the purchase, transfer, merger, reinsurance, or sale of all or part of the insurer’s business; andto the commissioner of insurance upon formal request.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-206 - Private right of action.
(1) An individual whose legal rights arising under this part have been violated after June 30, 2003, may recover damages and be granted equitable relief in a civil action.Subsection (1)(a) does not create a legal right prior to the Legislature enacting the right under this part.
(2) Any insurance company or employer who violates the legal rights of an individual arising from this part shall be liable to the individual for each separate violation in an amount equal to: actual damages sustained as a result of the violation;$100,000 if the violation is the result of an intentional and willful act; orpunitive damages if the violation is the result of a malicious act; andreasonable attorneys’ fees.
Renumbered and Amended by Chapter 327, 2023 General Session
13-60-207 - Enforcement.
(1) Whenever the attorney general has reason to believe that any person is using or is about to use any method, act, or practice in violation of the provisions of this part, and that proceedings would be in the public interest, the attorney general may bring an action against the person to restrain or enjoin the use of such method, act, or practice.
(2) In addition to restraining or enjoining the use of a method, act, or practice, the court may, after June 30, 2003, require the payment of: a civil fine of not more than $25,000 for each separate intentional violation; andreasonable costs of investigation and litigation, including reasonable attorneys’ fees.
Renumbered and Amended by Chapter 327, 2023 General Session