Utah and South Dakota advance genetic privacy rules with new 2026 laws

State lawmakers in South Dakota and Utah moved several genetic privacy measures forward in early 2026, with fast-moving state policies focused on direct-to-consumer genetic testing, genomic data handling, and foreign-adversary access to sequencing information.

What happened

Utah enacted HB 182, a law aimed at limiting foreign-adversary access to genetic sequencing information, and set its main effective date for January 1, 2028, while South Dakota enacted SB 49 to regulate direct-to-consumer genetic testing companies, with that law taking effect July 1, 2026. In Utah, H.B. 182 was sponsored by Rep. Walt Brooks, with Sen. Keven J. Stratton as the Senate sponsor, and it moved through multiple substitute versions before passage, showing that lawmakers were still refining the measure as it advanced.

The House Economic Development and Workforce Services Committee first recommended a substitute version on January 22 by an 8-0 vote, and the Senate Health and Human Services Standing Committee later replaced that version again and advanced it on February 3 by a 4-0 vote among members present, after Brooks presented the bill and supporters testified in favor.

The final enacted version was narrower and slower to take effect than an earlier substitute: an earlier comparison draft set the effective date at May 5, 2027, while the enrolled bill delayed it to January 1, 2028, and added a clinical-trial exemption for certain data gathered outside the United States or otherwise allowed under the DOJ Data Security Program.

South Dakota’s S.B. 49 followed a more traditional consumer-privacy track and came out of the Senate Judiciary Committee at the request of the attorney general. The Senate Judiciary amended and approved it 6-0-1 on January 20, while the House Judiciary amended and approved it 11-0-2 on March 2. The full House passed it 65-2 on March 4, the Senate concurred in the House amendments 34-0 on March 9, and Governor Larry Rhoden signed the bill on March 30, 2026.

What was said

In a press release, Attorney General Jackley notes, “Protecting DNA data is essential to safeguarding personal privacy and preventing misuse of the most sensitive information we have—our genetic blueprint. By ensuring common-sense protections, we are defending against threats of the sale of South Dakotans’ DNA that could compromise genetic privacy in South Dakota.”

Why it matters

Utah’s and South Dakota’s bills matter to healthcare organizations and other entities that deal with HIPAA-regulated data because genetic information now moves across both clinical and consumer channels, and the legal rules are not identical in each setting. A Journal of Law and the Biosciences article on genetic privacy notes that as clinicians handle more genetic information, “There is a greater possibility of breaches of privacy, confidentiality, and security,” which helps explain why states are adding targeted rules on top of existing federal protections.

Utah’s H.B. 182 affects healthcare organizations directly because it applies to many medical facilities registered to provide healthcare in Utah, as well as genomic research facilities, and it restricts the use of certain foreign-adversary-linked sequencers and software, bans storage of genetic sequencing data in a foreign adversary, limits remote access from those locations, requires reasonable encryption and access controls, and requires sworn compliance statements.

South Dakota’s S.B. 49 is narrower for HIPAA entities because it expressly exempts protected health information collected by a HIPAA covered entity or business associate, exempts genetic data used for medical screening, diagnosis, or treatment, and exempts hospitals and affiliated labs or facilities.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

Does HIPAA fully protect genetic information?

HIPAA can protect genetic information when it is held by a covered entity or business associate, but it does not cover every company that collects or processes genetic data.

Are direct-to-consumer genetic testing companies always covered by HIPAA?

No. Many direct-to-consumer genetic testing companies fall outside HIPAA unless they are working on behalf of a covered entity or business associate.

Why are states passing genetic privacy laws?

States are responding to gaps in federal law by creating rules for consent, access, deletion, data sharing, security, and foreign access to genetic information.

Can genetic privacy laws affect healthcare organizations?

Yes. Some laws apply directly to healthcare providers, labs, research facilities, or vendors that store, analyze, or transfer genetic data.