California 2023-2024 Regular Session

California Senate Bill SB1250 Latest Draft

Bill / Introduced Version Filed 02/15/2024


CALIFORNIA LEGISLATURE 2023-2024 REGULAR SESSION

Senate Bill No. 1250

Introduced by Senator Nguyen

February 15, 2024

An act to amend Section 56.184 of the Civil Code, relating to privacy.

## LEGISLATIVE COUNSEL'S DIGEST

SB 1250, as introduced, Nguyen. Privacy: genetic testing: newborn screening.

Existing law, the Genetic Information Privacy Act, requires a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified. Existing law also requires a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and to develop procedures and practices to enable a consumer to access their genetic data and to delete their account and genetic data, as specified. Existing law excludes from its provisions the California Newborn Screening Program, among other activities subject to specified state and federal laws.

This bill would apply the requirements of the Genetic Information Privacy Act to the California Newborn Screening Program beginning on January 1, 2025.

Existing law imposes certain requirements for contracts between a direct-to-consumer genetic testing company and a service provider, as defined, including that the contract prohibits the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, for any purpose other than for the specific purpose of performing the services specified in the contract for the business.

This bill would, for contracts entered into before January 1, 2025, apply the requirements of the act to the contract when altered, modified, renewed, or extended on or after January 1, 2025.

Existing law requires actions for relief pursuant to the Genetic Information Privacy Act to be prosecuted exclusively by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor, as specified, in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of the act.

Because the bill would require local officials to perform additional duties, the bill would impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.

## Digest Key

Vote: MAJORITY  Appropriation: NO  Fiscal Committee: YES  Local Program: YES

## Bill Text

The people of the State of California do enact as follows:

SECTION 1. Section 56.184 of the Civil Code is amended to read:

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) Before January 1, 2025, the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

(e) (1) Beginning on January 1, 2025, the requirements of this chapter shall apply to the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(2) Notwithstanding paragraph (1), for contracts entered into before January 1, 2025, the requirements of this chapter shall apply to the contract when altered, modified, renewed, or extended on or after January 1, 2025.

SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.

The people of the State of California do enact as follows:

## The people of the State of California do enact as follows:

SECTION 1. Section 56.184 of the Civil Code is amended to read:56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing companys duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.(c) This chapter shall not apply to any of the following:(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical 
information or protected health information, as described in paragraph (1).(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 
1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.(5) The Before January 1, 2025, the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.(e) (1) Beginning on January 1, 2025, the requirements of this chapter shall apply to the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.(2) Notwithstanding paragraph (1), for contracts entered into before January 1, 2025, the requirements of this chapter shall apply to the contract when altered, modified, renewed, or extended on or after January 1, 2025.

SECTION 1. Section 56.184 of the Civil Code is amended to read:

### SECTION 1.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) Before January 1, 2025, the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

(e) (1) Beginning on January 1, 2025, the requirements of this chapter shall apply to the California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(2) Notwithstanding paragraph (1), for contracts entered into before January 1, 2025, the requirements of this chapter shall apply to the contract when altered, modified, renewed, or extended on or after January 1, 2025.

SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.


### SEC. 2.