HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Senators reintroduce Genomic Data Protection Act to strengthen consumer privacy

Written by Kirsten Peremore | Mar 26, 2025 8:45:46 PM

Bipartisan senators have reintroduced the Genomic Data Protection Act, targeted at providing additional protections for genetic data not covered under HIPAA. 

 

What happened 

Early in March 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) reintroduced the Genomic Data Protection Act (GDPA) in the U.S. Senate. The bill aims to regulate the collection, use, and disclosure of genetic data by direct-to-consumer (DTC) genetic testing companies. Unlike HIPAA covered entities, DTC genetic testing companies operate under a patchwork of state laws, leading to inconsistent privacy protections across the country. 

Some states, such as Nebraska and Virginia, have enacted laws requiring privacy policies and consumer consent for data collection, retention, and disclosure, while states like Ohio and Mississippi lack such protections. The GDPA was initially introduced in the last Congress but failed to advance. It has now been referred to the Senate Committee on Commerce, Science, and Transportation for further review. 

The bill builds on proposals from Sen. Cassidy’s February 2024 white paper, which suggested expanding HIPAA protections to cover health data collected by non-HIPAA-regulated entities, specifically including genetic data. If passed, GDPA would require DTC companies to provide consumers with access to their genomic data, allow them to delete their accounts, and request the destruction of biological samples, except in cases where data retention is legally required.

 

The backstory 

The GDPA builds on foundational legislation like the Genetic Information Nondiscrimination Act (GINA), which was first introduced in 1995 by Rep. Louise Slaughter and Sen. Olympia Snowe. GINA’s 13-year legislative journey culminated in its 2008 signing by President George W. Bush, establishing protections against genetic discrimination in employment and health insurance.

However, gaps persisted in regulating direct-to-consumer genetic testing companies and third-party data brokers. In February 2024, Sen. Bill Cassidy (R-LA) released a white paper advocating stricter oversight of these entities, citing state-level regulatory fragmentation. This groundwork led to Cassidy and Sen. Gary Peters (D-MI) introducing the GDPA in late 2024, but it stalled before Congress adjourned. 

 

Going deeper

The GDPA introduces the following provisions: 

  • Consumer rights: Requires companies to provide mechanisms for consumers to access their genomic data, delete their accounts, and request the destruction of biological samples.
  • Notice requirements: Mandates clear notices to consumers about their rights and the potential sharing of deidentified genomic data for research purposes.
  • Corporate transaction disclosure: Obligates companies to inform consumers at least 30 days before any acquisition, detailing the acquiring entity and how consumers can exercise their rights under the new ownership.
  • Enforcement: Violations are considered deceptive or unfair trade practices under the Federal Trade Commission (FTC) Act, subjecting companies to potential penalties.
  • Preemption: Does not override state laws unless they conflict with the GDPA.

What was said 

Senator Cassidy noted, “Americans want to know what happens to their data after an at-home DNA test. Let’s give them control over their own genomic data. It should be private if they want it to be.”

According to Senator Peters, “American citizens should have the right to control how their unique health and genetic information is being used and stored. This bill would give consumers the power to access their personal genomic data, delete it from a company’s platform, and ultimately destroy it if they choose.”


 

FAQs

What laws protect genomic data in healthcare?

Genomic data in healthcare is primarily protected by HIPAA, which classifies genetic information as protected health information (PHI) when maintained by covered entities (e.g., providers, insurers). GINA prohibits genetic discrimination in employment and health insurance but does not regulate data privacy directly.

 

How does HIPAA apply to genomic data?

HIPAA’s Privacy Rule restricts disclosure of identifiable genetic information without authorization but does not protect de-identified data. Covered entities must ensure security, provide access rights, and provide notification of breaches. However, HIPAA does not apply to DTC genetic testing companies unless they handle PHI.

 

What are the gaps in current regulations?

  • DTC companies: Not bound by HIPAA, leaving data vulnerable to misuse (e.g., law enforcement access).
  • Reidentification risks: Unique genomic data can be linked to individuals via public records or genealogy databases, undermining deidentification.
  • State fragmentation: Laws vary (e.g., Illinois’ GIPA fines up to $15,000 per violation vs. Nevada’s consent requirements).