At-home DNA test risks run deeper than the fine print most consumers scroll past at checkout. A review of 10 direct-to-consumer (DTC) health and genetic testing companies, their privacy policies, and conversations with a dozen experts in bioethics, genetics, HIPAA law, and cybersecurity reveals a market where protections vary widely, regulatory language can mislead, and some of the most sensitive data a person can generate sits in legal territory that federal law barely touches.

When HIPAA Does Not Apply to Your Health Data

The first misconception is often the most consequential. Many consumers assume that because a company handles health data, a biological sample sent to it is protected under HIPAA, the Health Insurance Portability and Accountability Act of 1996. It is not, necessarily.

Anya Prince, the David H. Vernon professor in law at the University of Iowa College of Law, told ZDNET that DTC labs may not qualify as HIPAA-covered entities. ‘The health information they have … would be governed by a company’s privacy policy rather than considered PHI,’ she said.

Julian Gage, founder of Engage Compliance and an outsourced data protection officer for DTC health and genetic testing companies, told ZDNET that terms such as ‘HIPAA-grade security’ are marketing language, not legal protection. ‘HIPAA-grade encryption is a statement about a security setting,’ Gage said. ‘It says nothing about whether HIPAA actually applies to you or what the company can do with your results.’

When a DTC company routes an order through a telehealth network, Gage explained, that clinician may be a HIPAA-covered entity and a slice of the data may fall under the law. But that does not bring the testing company or the full consumer transaction under HIPAA. ‘You can end up with one thin layer protected and the rest living under the terms you tapped through at checkout,’ he said.

How At-Home DNA Test Risks Extend to Insurance and Law Enforcement

The Genetic Information Nondiscrimination Act (GINA), passed in 2008, prohibits health insurers and employers from using genetic data against consumers. Under Title I, health insurers cannot deny coverage or raise premiums based on genetic information; those protections are administered jointly by the Departments of Labor, Health and Human Services, and the Treasury, according to the Equal Employment Opportunity Commission (EEOC). Title II makes it unlawful for employers to request or require genetic information from employees.

But GINA has clear gaps. Prince noted that the law does not regulate how life, long-term care, and disability insurers use genetic information. Laura Hercher, director of student research in the Human Genetics Graduate Program at Sarah Lawrence College and a genetic counsellor, told ZDNET it is far from clear whether life and long-term-care insurers will start using genetic test history to screen out higher-risk applicants. In most states, she said, ‘they could.’

The National Human Genome Research Institute notes an additional carve-out: while TRICARE, the US military health programme, cannot use genetic data for underwriting, GINA’s employment protections do not extend to the military itself, leaving service members’ eligibility outside the law’s shield.

Law enforcement access adds another dimension. Every privacy policy reviewed included language permitting disclosure in response to valid court orders, subpoenas, or warrants. 23andMe’s policy stated the company ‘will not provide information to law enforcement unless required by law to comply with a valid court order, subpoena, or search warrant,’ but that carve-out still allows compelled disclosure.

The 23andMe Bankruptcy and 15 Million Customer Records

The limits of policy-based protection became concrete when 23andMe filed for bankruptcy. The company holds genetic information on approximately 15 million customers, and as a University of Colorado medical ethicist noted in analysis published by CU Anschutz, that data is shielded only by 23andMe’s privacy policy, not federal law. A new owner could access it under terms different from those customers originally accepted.

Hercher told ZDNET that terms of service ‘can and do change over time’ and there are ‘no laws’ that guarantee DNA data privacy. Understanding at-home DNA test risks, then, means accounting not just for a company’s current policy but for who might own that policy in the future.

De-Identification Offers Less Cover Than It Appears

Even where companies commit to anonymising data before sharing it, the protection has limits. Gage told ZDNET that ‘once data is de-identified to the legal standard, it drops out of most privacy rules entirely, and the company can use, share, or sell it without asking you again.’

Dr. Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, added that ‘when coupled with publicly available data, anonymized data sets can often have private information inferred and revealed.’ Your DNA, as Rubin noted, cannot be changed the way a password can. De-identification, in other words, does not neutralise the at-home DNA test risks that stem from data re-use.

FDA Review Varies by Test, Not by Company

Regulatory claims in this market are test-specific, not company-wide. LetsGetChecked received FDA marketing authorisation for its Simple 2 Test via the De Novo premarket review pathway, making it the first FDA-authorised home sample collection test for chlamydia and gonorrhea, according to an FDA press release. The agency cited an estimated 1.6 million cases of chlamydia and more than 700,000 cases of gonorrhea in the United States in 2021 alone. That authorisation covers one test; it says nothing about the company’s full catalogue.

Dr. Robert Green, a professor of medicine in genetics at Harvard Medical School, told ZDNET that CLIA certification and CAP accreditation, the lab-quality standards almost all DTC companies cite, are ‘minimal standards’ and say little about the quality of interpretation.

Before ordering any kit, Gage recommended reading privacy policies for the words ‘third parties, partners and the word “sell”,’ along with retention, deletion, sample destruction, and bankruptcy provisions. ‘If those parts read as vague,’ he said, ‘the vagueness is your answer.’

When 23andMe’s bankruptcy sale completes, that answer will be tested in a way 15 million customers never anticipated.
