BILL ANALYSIS �Ó
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
SB 222 (Padilla)
As Amended April 22, 2013
Hearing Date: April 30, 2013
Fiscal: Yes
Urgency: No
RD
SUBJECT
Genetic Information: Privacy
DESCRIPTION
This bill would enact the Genetic Information Privacy Act to
permit genetic information to be collected, stored, analyzed, or
disclosed only if the individual to whom the genetic information
pertains has provided a written authorization, except as
specified. This bill would specify the information that must be
included in the authorization and impose various civil penalties
to be paid to the individual to whom the information pertains
for a violation of the bill's provisions, as specified.
BACKGROUND
Genetic testing is a sophisticated technique used to test for
genetic disorders. More recently, direct-to-consumer genetic
testing has allowed individual consumers to provide genetic
samples in order to test for genetic disorders, identify their
ancestry, or take part in research studies. This testing,
however, has not come without controversy and concerns.
Separately, a 2010 report by the General Accounting Office
(GAO), entitled "Direct-to-Consumer Genetic Tests: Misleading
Test Results are Further Complicated by Deceptive Marketing and
Other Questionable Practices," found test results that were
"misleading and of no practical use. For example, GAO's donors
often received disease risk predictions that varied across the
four companies, indicating that identical DNA samples yield
contradictory results." (GAO, Highlights, Direct-to-Consumer
Genetic Tests: Misleading Test Results are Further Complicated
(more)
�
SB 222 (Padilla)
Page 2 of ?
by Deceptive Marketing and Other Questionable Practices (Jul.
22, 2010) [as of Apr.
4, 2013].) Furthermore, the GAO found egregious examples of
deceptive marketing, including two companies who "told GAO's
fictitious consumer that she could secretly test her fiancé's
DNA to 'surprise' him with test results," despite the fact that
surreptitious genetic testing is restricted in many states.
In 2009, two reporters from New Scientist demmonstrated that it
was possible to bypass and ignore consent requirements of
certain companies and submit someone else's DNA for testing.
Their article detailing the experience stated:
The terms and conditions for the deCODEme service state that
someone submitting DNA must have the legal authority to do so,
and that the sample must be taken from the cheek. We wanted
to test whether deCODEme is vulnerable to abuse from someone
prepared to ignore these terms, so Michael pipetted some of
Peter's DNA onto deCODEme's swabs and sent them off for
analysis under his own name. As far as Decode was concerned,
it was a sample of Michael's DNA taken by swabbing his own
cheek. . . . [The reporters submitted a sample to another
company.] This company also has terms and conditions
specifying that customers must have the necessary consents and
approvals to submit samples. Mimicking a hacker who would be
willing to ignore these terms, Michael submitted the amplified
DNA for scanning. . . . Both of these back-up plans worked.
Additionally, the Genetics and Public Policy Center has found
"[ten] states that restrict surreptitious collection, analysis,
and/or disclosure for both health- and non-health related
purposes, 15 states that restrict surreptitious testing for
health-related purposes only, six states with restrictions in
the context of court-ordered parentage proceedings, and two
states with employment-related restrictions only." (Genetics and
Public Policy Center, State laws pertaining to surreptitious DNA
testing (Jan. 21, 2009)
[as of Apr. 25, 2013].)
More generally, in October 2012, the Presidential Commission for
the Study of Bioethical Issues (an advisory panel of the
nation's leaders in medicine, science, ethics, religion, law,
and engineering) released a report recommending the adoption of
policies to help ensure privacy and security, as the field of
genomics advances, and urged federal and state governments to
�
SB 222 (Padilla)
Page 3 of ?
ensure a consistent floor of privacy protections covering whole
genome sequencing data regardless of how they were obtained.
(Press Release: President's Bioethics Commission Releases Report
on Genomics and Privacy (Oct. 11, 2012)
[as of Apr. 25, 2013].)
Currently, federal and state laws offer various protections for
genetic testing. For example, in 2008, the federal government
enacted the Genetic Information and Nondiscrimination Act (GINA)
to prohibit discrimination in group health plan coverage and
employment based on genetic information. Last year, this
Committee approved SB 1267 (Padilla, 2012), similar to this
bill, which would have similarly permitted genetic information
to be obtained, analyzed, retained or disclosed only with the
written authorization of the individual to whom the information
pertains. That bill would have imposed the same civil penalties
as this bill, but also included several other important
requirements such as obtaining a new authorization for each new
use of the genetic information as well as the destruction of the
genetic information or DNA sample upon completion of the purpose
authorization was obtained that are not in this bill. SB 1267
passed this Committee, but ultimately died in the Senate
Appropriations Committee.
This bill is a renewed effort to permit genetic information to
be collected, stored, analyzed, or disclosed only where the
individual to whom the genetic information pertains has provided
a written authorization, except as specified, and subject to
various civil penalties.
CHANGES TO EXISTING LAW
Existing law , the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const., art. I, Sec. 1.)
Existing law prohibits, under the State Confidentiality of
Medical Information Act (CMIA), providers of health care, health
care service plans, or contractors, as defined, from sharing
medical information without the patient's written authorization,
subject to exceptions, including among others, certain research.
(Civ. Code Sec. 56 et seq.)
Existing federal law , the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
�
SB 222 (Padilla)
Page 4 of ?
that a covered entity, as defined (health plan, health care
provider, and health care clearing house), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law prohibits discrimination under the Unruh Civil
Rights Act and the Fair Employment and Housing Act (FEHA) on the
basis of genetic information. (Civ. Code Sec. 51 and Gov. Code
Sec. 12920 et seq.)
Existing federal law prohibits, under the Genetic Information
and Nondiscrimination Act (GINA), discrimination in group health
plan coverage and employment based on genetic information.
(Pub. Law 110-233.)
Existing law provides for the various penalties concerning the
disclosure of genetic tests. (Ins. Code Sec. 10149.1.)
This bill makes various legislative findings and declarations,
including, among others that the Legislature intends to enact
legislation that would:
ensure that genetic information is personal information that
is not collected, stored, or disclosed without the
individual's authorization;
provide protections for the collection, storage, and
authorized use of genetic information; and
promote the use of genetic information for legitimate reasons,
as specified.
This bill would provide that genetic information is protected by
the constitutional right of privacy and prohibit genetic
information from being collected, stored, analyzed, or disclosed
without the written authorization of the individual to whom the
information pertains. The authorization must among other
things:
specify the types of persons authorized to disclose
information about the individual;
specify the nature of the information authorized to be
disclosed;
state the name or functions of the person or entities
authorized to receive the information; and
specify the purposes for which the information is being
collected.
This bill would provide exceptions to the above authorization
�
SB 222 (Padilla)
Page 5 of ?
requirement for the following instances, as specified:
a law enforcement official in the execution of his or her
official duties consistent with existing law;
a hospital, laboratory, or physician carrying out
court-ordered tests for genetic information;
a licensed health care professional in medical emergencies;
a coroner or medical examiner in the execution of his or her
official duties consistent with existing law;
any screening of newborn infants required by state or federal
law.
if the information is in the form of deidentified data; and
for any person or entity covered and required to comply with
any of the following
o the HIPAA of 1996;
o the informed consent provision of the CMIA, as
specified;
o the informed consent provision of the Insurance Code, as
specified; or
o federal regulations, as specified.
This bill would provide for civil penalties to be paid to the
individual to whom the genetic information pertains under the
following circumstances:
any person who negligently violates the bill's authorization
requirement shall be assessed a civil penalty not to exceed
$1,000, plus court costs;
any person who willfully violates the bill's authorization
requirement shall be assessed a civil penalty in an amount not
less than $1,000 and not more than $5,000, plus court costs;
and
in addition to the above, a person who commits an act
described in the above two penalty provisions shall be liable
for all actual damages, including damages for economic,
bodily, or emotional harm which is proximately caused by the
act.
This bill would also provide that any person who willfully or
negligently violates the bill's authorization requirement and
the violation results in economic, bodily, or emotional harm to
the individual to whom the genetic information pertains is
guilty of a misdemeanor punishable by a fine not to exceed
$10,000.
This bill would make each violation of the bill is a separate
and actionable offense.
�
SB 222 (Padilla)
Page 6 of ?
This bill would provide definitions for "deidentified data,"
"DNA sample," "genetic characteristic," "genetic information,"
"genetic service," "genetic test," and "person."
COMMENT
1. Stated need for the bill
According to the author:
We have laws to protect the privacy of our financial
information, our medical records, and even the books we check
out from the local library. SB 222 would extend California
privacy protections to a person's genetic material and
information. We need genomic privacy protections because there
is nothing more personal than a person's DNA. Analysis of
genetic material can allow for early detection of disease long
before symptoms become apparent. Genetic markers can also
suggest propensity for diseases that may or may not ever
develop.
While genomics continues to lead to important medical
discoveries, genetic information can also be misused in ways
that could harm individuals and their families. Such examples
include, but are not limited to: conducting paternity tests
without a court order or the consent of all parties, using
genetic information collected surreptitiously to harm a
personal enemy or competitor, collecting DNA without consent
to determine genealogical history.
[ . . . ] This bill would protect individuals from the
unauthorized collection, storage, analysis and use of their
genetic information while encouraging the authorized use of
genetic information for legitimate reasons, including health
care, research and educational purposes, as the field of
genomics advances.
2. Informed consent and privacy protections
Under this bill, genetic information could be collected, stored,
analyzed, or disclosed only if the individual to whom the
information pertains has provided a written authorization that
meets specified requirements. That authorization would not be
required, however, if one of the bill's included exceptions
applies. (See Comment 3.) Violations of the written
authorization requirement would result in various penalties and
civil liability that parallel existing provisions under the
�
SB 222 (Padilla)
Page 7 of ?
Insurance Code and the State Confidentiality of Medical
Information Act.
a. The informed consent requirements in SB 1267 are missing
from this bill
This bill currently requires that the authorization meet
certain requirements, including that it be in clear language
of at least 14 point type; be dated and signed; specify the
types of persons authorized to disclose information about the
individual; specify the nature of the information authorized
to be disclosed; state the name or functions of the person or
entities authorized to receive the information; specify the
purposes for which the information is being collected; and
specify the length of time for which the authorization shall
be valid.
From a policy standpoint, permitting genetic information to be
collected, stored, analyzed, or disclosed provided that the
individual to whom the genetic information pertains has given
his or her consent raises the question of how best to ensure
that an individual is making a fully informed decision before
providing consent to another party to use such private
information. Because DNA is unique to every individual, and
could potentially even be linked back to the individual after
being "deidentified" (see Comment 6), it is important that
people know where their information is going, for what
purposes it is being used, and what happens to their
information after that purpose is fulfilled.
To this end, this bill requires that the authorization specify
the following: the types of persons authorized to disclose
information about the individual, the purposes for which the
information is being collected, and the length of time that
the authorization shall remain valid. That provision is
important because it would allow a party to indicate limits on
the use of his or her information for commercial, research, or
other purposes. For example, in some cases, a consumer may
want to give his or her genetic information only for a limited
purpose such as testing for genetic disorders or risks or
ancestry, but not want it shared with others or used for any
other purpose. The written authorization required would allow
the individual to do so.
At the same time, however, this bill leaves out important
notices that SB 1267 was amended to provide within the written
authorization and which was approved by this Committee last
�
SB 222 (Padilla)
Page 8 of ?
year. Namely, in addition to the above, SB 1267 would have
required that the authorization contain certain information
aimed at helping the individual to make a decision and direct
the use of his or her genetic information. This information
included, among other things: a statement that the
authorization shall remain valid for as long as it takes to
carry out the purpose; a notification that the individual has
the right to limit the purpose for which his or her genetic
information is used; a notification that once the purpose is
fulfilled, the genetic information and sample must be
destroyed; and, whether the genetic information will remain
identifiable or be made non-identifiable. That bill also
required a separate authorization for each new use-thereby
avoiding blanket authorizations.
Given that the above elements were important factors in this
Committee's approval of SB 1267 last year, the author may wish
to consider adding amendments that would incorporate similar
components into this bill.
b. Other significant protections that were in SB 1267 are
missing from this bill
In addition to the information discussed above, SB 1267 also
included important measures that sought to ensure that the
person that obtains, analyzes, retains, or discloses this
information comports with certain requirements. Those
requirements included that:
the person may not obtain, analyze, retain, or disclose
the genetic information for any purpose other than the
purpose authorized by the individual to whom the
information pertains;
once the specific purpose authorized by the individual
to whom the genetic information pertains has been
fulfilled, the individual's genetic information and DNA
sample shall be destroyed;
the person shall permit an individual to revoke their
written authorization; and
the person shall provide an individual who has signed
the written authorization with a copy of that authorization
upon request.
Without those statutory mandates, any written authorization
form would have to notify the person providing their consent
with certain information relating to their rights and what
will happen with their genetic information, but the entity or
�
SB 222 (Padilla)
Page 9 of ?
person seeking to use the genetic information or DNA sample
would not be required to comply with those requirements under
the law.
In other words, while the bill would require that the written
authorization specify the purpose for which authorization is
granted, in the interest of protecting the privacy of
individuals even where consent is provided for specific
purposes, the bill should also, as a matter of law, restrict
the use of the information to the purpose for which it was
collected. This purpose limitation, in particular, is a
fundamental tenet of privacy law and appears in other statutes
where personal information-often name, address, or other
information that is arguably not as unique to an individual as
his or her DNA-is permitted to be shared or disclosed for a
particular purpose. (See, e.g., Fam. Code Sec. 17528; Pub.
Util. Code Secs. 8380, 8381; Veh. Code Secs. 1808.23, 21455.5,
40248.)
Given that the above elements were important factors in this
Committee's approval of SB 1267 last year, the author may wish
to consider adding amendments that would incorporate similar
components into this bill.
3. The exemptions to this bill's authorization requirements
are potentially problematic
Under this bill, genetic information cannot be collected,
stored, analyzed, or disclosed without the statutory
authorization described above, except in specified
circumstances. Similar to SB 1267 (Padilla, 2012), this bill
would create limited exceptions for, among others: a law
enforcement official in the execution of his or her official
duties consistent with existing law; a hospital, laboratory, or
physician carrying out court-ordered tests for genetic
information; and any screening of newborn infants required by
law. This bill, as recently amended, however, also includes
numerous other exceptions for which a party shall not be
required to comply with the written authorizations of this
bill-namely, where the data is deidentified or a person or
entity is otherwise covered by and complies with various
existing federal or state laws and regulations.
Staff notes that the broad exception for any and all information
that is in the form of deidentified data is problematic.
Potentially, this exception sought to make allowances for
�
SB 222 (Padilla)
Page 10 of ?
deidentified data that is already being used to conduct medical
research, but it does so in an arguably overbroad way to achieve
the public policy goal of promoting important research from
genetic information. An exception could be drawn much more
narrowly to mirror a similar exception in SB 1267, in order to
permit medical researchers to maintain access to that data for
research, while requiring that, moving forward, consent be
provided at least at the outset, for use of any newly collected
genetic data.
Staff also notes that the remaining exceptions for persons or
entities covered by and required to comply with specified acts
or sections of law raise significant issues. As noted by
several organizations in opposition, if the aim of the bill is
to target the surreptitious testing in the commercial context,
these exceptions do not go far enough. For example, the bill
does not appear to include an exception for scenarios in which
medical entities are required-by law-to share information with
public entities. This bill would prohibit the medical entity
from disclosing that information without a prior authorization,
and the public entity would be prohibited from collecting,
analyzing, storing, or sharing it. Moreover, staff notes that
the exceptions would arguably suggest that existing informed
consent provisions are sufficient to address the unique concerns
and issues raised by genome sequencing and genetic
research-which is debatable. As noted by, the Department of
Health and Human Services in a 2009 progress report, genetic
information raises unique ethical and legal issues that other
types of medical information may not:
A particular concern is that whole-genome scans will provide a
unique DNA identifier that could potentially be linked with
data obtained or stored in other contexts, which has
implications for consent and privacy. Thus, the issue of
informed consent should be revisited whether the evolving
research paradigm using large databases of genomic information
and the growth of personalized medicine challenges long-held
assumptions about informed consent.
(A Progress Report and Future Directions of the Secretary's
Advisory Committee on Genetics, Health, and Society, The
Integration of Genetic Technologies Into Health Care and Public
Health, January 2009, p. 8.)
Also of note, whether or not the existing law requirements are
sufficient in the medical treatment or research context is
�
SB 222 (Padilla)
Page 11 of ?
already the subject of studies, including an LAO report that the
author has reportedly requested. It may be prudent to assess
what the actual shortcomings are before drawing exceptions. It
may also be prudent to assess those shortcomings before assuming
that an additional consent process is needed.
This Committee may wish to reserve its right to review this bill
again if it continues through the process to ensure that
outstanding issues have been addressed.
4. Penalties
Under this bill, any offending giver, discloser, or receiver, of
information who violates the written authorization requirements
of this bill, would be subject to the penalties and liabilities
specified by the bill. Namely, any person who negligently
violates the written authorization requirement would be assessed
a civil penalty not to exceed $1000, plus court costs, as
determined by the court, which penalty and costs shall be paid
to the individual to whom the genetic information pertains. A
person who willfully violates the written authorization
requirement shall be assessed a penalty not less than $1,000 and
not to exceed $5,000, plus court costs, as determined by the
court, which penalty and costs shall be paid to the individual
to whom the genetic information pertains. In addition, under
this bill, any person who violates the requirements, whether
negligently or willfully, shall be liable to the person to whom
the genetic information pertains for all actual damages,
including damages for economic, bodily, and emotional harm that
is proximately caused by that act. The bill also contains a
misdemeanor, punishable by a fine not to exceed $10,000 where
the violation results in economic, bodily, or emotional harm to
the individual to whom the genetic information pertains-also
regardless of whether the violation was negligent or willful.
These penalties are based on existing Insurance Code Section
10149.1 and, in fact, mirror those provisions which relate to
the disclosure of test results for a genetic characteristic.
Under Section 10149.1, penalties are imposed when such a
disclosure is made to any third party in a manner which
identifies or provides identifying characteristics of the person
to whom the test results apply.
5. Definitions
The definitions contained in this bill have been changed in many
�
SB 222 (Padilla)
Page 12 of ?
respects from the definitions that were in SB 1267. Many of the
bill's definitions are drawn from various definitions in federal
or state law. Those definitions, however, were tailored for
specific areas of law-such as the employment discrimination or
insurance discrimination context. Those definitions are not as
applicable or appropriate in the context of this bill and could
cause confusion, if not potentially have adverse consequences in
terms of the application of the bill. There are also issues
with respect to redundant definitions (as is the case with
"genetic services" and "genetic tests"), or incomplete
definitions (as is the case with "DNA sample" and "genetic
characteristics"). Furthermore, the current definition for
deidentified data is arguably vague and unclear.
Even if the Committee were to approve this bill in current form,
the author may wish to consider amending the definitions to more
closely mirror the definitions in SB 1267 to otherwise add
clarity.
6. Unique issues raised by genetic information
While existing law is fairly established for medical and health
providers with respect to the sharing of medical information,
there may be considerations that are unique to genetic
information that is not raised by other types of medical
information.
While all medical information is personal and carries with it a
right to privacy, medical information in the context of genome
sequencing can present special challenges. For example, in a
recent article calling for a more nuanced approach in protecting
genetic privacy, it was commented that a group at Massachusetts
Institute of Technology was able to put names to samples of DNA
donated to research by cross-referencing information from public
databases. (Misha Angrist, Genetic Privacy Need a More Nuanced
Approach, Nature International Weekly Journal of Science (Feb.
6, 2013)
[as of Apr. 25, 2013].) While the potential
of "re-identification" raises privacy concerns, at the same
time, there may be public policy reasons in which the potential
gain in medical breakthroughs may warrant some measured risks.
�
SB 222 (Padilla)
Page 13 of ?
Thus, even though the concerns with maintaining privacy exist in
any other medical information context, the requirements or
precautions necessary to protect a person's right to make
informed choices and to keep information from the wrong hands
may face great challenges in the context of genetic information.
7. Opposition to this bill
Stanford (comprised of Stanford University; Stanford Hospital
and Clinics and Lucile Packard Children's Hospital University of
California), writes in opposition, raising two main points: (1)
Information-sharing in the health care and biomedical research
industries is highly complex and is already regulated
extensively at the federal and state levels. Stanford notes,
among other things, that the State's health information privacy
law data base yields over 1,000 California statutory provisions
in a search for medical privacy, and many of these laws relate
to protecting health information such as family medical history
and other health information that this bill seeks to address;
and (2) Stanford is concerned about the bill's over-breadth
given both its broad application both in terms of the entities
it applies to and its application to all DNA samples and all
genetic information. Stanford argues that creating universal
rule subject to listed exceptions is a "dangerous approach" as
many other California laws "protect privacy and permit
information-sharing based on the Legislature's deliberate
balancing of interests" and as it is difficult to identify every
person or entity that merits an exception.
Stanford offers examples of problems that this bill would raise
for their entity, and similar entities. One such example is
where hospitals are currently require to report cancer patient
information to the State cancer registry and that information is
not fully deidentified. Stanford writes that "[e]xisting
federal and state laws permit and even require such reporting,
but this bill would appear to require the State registry to
obtain individuals' authorization before the registry collected,
stored, or analyzed any genetic information, including family
medical history." This burden of the written authorization,
they argue, could fall on them to obtain given that the state's
registry does not have a relationship with individual patients.
Stanford also believes the current language would require that
individuals' would have to sign an authorization before they
could collect, analyze or store their own information which they
have a long-standing right to access. Finally, Stanford
�
SB 222 (Padilla)
Page 14 of ?
provides an example whereby the Centers for Disease Control and
Prevention (CDC) would need patient's written authorization to
obtain this medical information pursuant to public health laws.
Stanford argues that "[t]hese examples underscore that health
information sharing is highly complex. These existing broad
array of California and national laws balance privacy interests
with data-sharing for appropriate purposes. This bill would
have serious unintended consequences through its over-breadth
and universal approach, with limited listed exceptions."
In opposition to this bill, the University of Southern
California (USC) argues, that "[w]hile the recent bill language
exempts certain entities, the language as drafted proposes to
codify a universal approach for all others. Such an approach
could result in the omission of a person and/or entity that
deserves an exception (or an unexpected exception that results
from future treatment/research advancements) and subject that
entity to severe future civil penalties." USC also concurs on
the concerns outlined Stanford's letter, concluding that the
current bill language "would create serious consequences for all
California research universities, medical facilities, and the
biotech industry."
USC suggests that if the author's interest is to focus on
"addressing the surreptitious testing companies, which provides
a number of discreet DNA testing services," they would recommend
that the bill language "affirmatively outline who is being
regulated and what is being protected. This would ensure that
the Senator's specific goal is met while also avoiding having to
identify exceptions omitted in this bill through countless
future legislative efforts."
The above concerns have also been echoed by the University of
California.
Support : None Known
Opposition : California Hospital Association; Lucile Packard
Children's Hospital University of California; Stanford
University; Stanford Hospital and Clinics
HISTORY
Source : Author
�
SB 222 (Padilla)
Page 15 of ?
Related Pending Legislation : None Known Prior Legislation :
SB 1267 (Padilla, 2012), See Background.
SB 559 (Padilla, Ch. 261, Stats. 2011) prohibited discrimination
on the basis of genetic information under the Unruh Civil Rights
Act and Fair Employment and Housing Act.
SB 482 (Padilla, 2009) was introduced to relate to
direct-to-consumer genetic testing. Under existing law, the
Department of Public Health has required direct-to-consumer
genetic testing companies to be licensed as clinical
laboratories. SB 482, would have specifically provided that
such companies are not clinical labs and therefore not subject
to requirements for those laboratories, and would have instead
created a separate regulatory scheme. That bill died in this
Committee.
**************