Direct-to-consumer DNA testing kits such as 23andMe allow consumers to learn about their risks of developing certain diseases and investigate their family tree by submitting a DNA sample containing their genetic information. These tests have become very popular because they are convenient, inexpensive, and easy to use. However, they also raise privacy concerns regarding how an individual’s genetic information is being used by third parties. To address these privacy concerns, federal and state laws have been enacted to control who has access to individuals’ genetic information. Without legal protections in place, genetic information could be used to exclude individuals from obtaining insurance, limit their coverage amount, and increase insurance premiums.

Federal Laws Protecting Genetic Information

Federal laws currently provide some protection for an individual’s genetic information. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) prohibits health insurers from making health insurance coverage decisions based on an individual’s genetic information. In addition to HIPAA, the Genetic Information Nondiscrimination Act of 2008 protects individuals against discrimination based on their genetic information with respect to health insurance and employment decisions.

Florida Laws Protecting Genetic Information

Florida has expanded its existing state protections for an individual’s genetic information. On July 1, 2020, Florida amended Section 627.4301, Florida Statutes, to expand the ban on health insurers canceling, limiting, or denying coverage, or establishing differentials in premium rates, based on genetic information to include life, disability, and long-term care insurers.

Furthermore, on October 1, 2021, Florida enacted the Protecting DNA Privacy Act (the “PDPA”), which amends Section 760.40, Florida Statutes, and creates Section 817.5655, prohibiting the collection, analysis, disclosure, retention, or sale of an individual’s DNA sample and the results of a DNA analysis without express written consent and imposing criminal penalties for specified violations.

Express Consent

Unless an exception applies, express written consent must be obtained before collecting, analyzing, disclosing, retaining, or selling a patient’s DNA sample or results. The PDPA requires the following for “express consent”:

  • A clear and prominent disclosure to the patient regarding the manner of collection, use, retention, maintenance, or disclosure of the DNA sample or results; and
  • An authorization by the patient (or legal guardian or authorized representative) evidenced by an affirmative action demonstrating an “intentional decision.”

One consent form can cover multiple specified purposes.



The PDPA provides several exceptions to obtaining express written consent.  For example, the PDPA does not apply when the DNA sample or analysis is utilized for criminal investigations and prosecutions, complying with legal processes and federal law, determining paternity, conducting quality assessments and improvement activities, or conducting research pursuant to specified federal requirements.

One of the most important exceptions for health care practitioners is that the PDPA does not apply when the DNA sample or analysis is used for the medical diagnosis and treatment of a patient when express consent was obtained by a physician who collected the specimen or when the analysis is performed by a CLIA-certified laboratory.

Criminal Penalties

The PDPA establishes four new crimes related to the unlawful use of DNA, ranging from a first-degree misdemeanor to a second-degree felony. Collecting or retaining another person’s DNA sample with the intent to perform a DNA analysis would constitute a first-degree misdemeanor. Submitting another person’s DNA sample for analysis, performing the analysis, or disclosing the results would constitute a third-degree felony. Selling or transferring another person’s DNA sample or the results of another person’s DNA analysis to a third party, regardless of whether the DNA sample was originally collected, retained, or analyzed without express consent, would constitute a second-degree felony.

It is important to note that each occurrence constitutes a separate violation and a separate penalty. Penalties range from one year in jail and a $1,000 fine to 15 years in jail and a $15,000 fine.

If there is any doubt whether express consent is required in a particular circumstance, it is best to obtain the consent.


If you have any questions, please reach out to Elizabeth Shaw at


Article by Elizabeth Shaw, as it appeared in “Medical Professionals Jacksonville and the Beaches Magazine,” published September 2021.

This article is for educational purposes only and is not intended to constitute legal advice.