
The laws and regulations around genetic information seem to be (intentionally?) easy to misread.

Health and Human Services has a FAQ page[1] which states:

> genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse.

However, according to many other sources[2][3], the interpretation of these rules DOES NOT apply to companies like 23&Me. I assume the company is not considered "a covered health care provider, health plan, or health care clearinghouse", but (again) the HHS definitions are (intentionally?) vague/misleading[4].

I suppose you need to be very familiar with regulatory law to actually make sense of this junk. (I don't know the history of these regulations and carve-outs, but the tin-foil-hat part of me wants to blame lobbyists/legal-corruption for the lack of common-sense and simply worded regulations.)

[1] https://www.hhs.gov/hipaa/for-professionals/faq/354/does-hip...

[2] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6813935/

[3] https://lawforbusiness.usc.edu/direct-to-consumer-generic-te...

[4] https://www.hhs.gov/hipaa/for-professionals/covered-entities...



I think the problem is that HIPAA is less strict than the zeitgeist believes. Makes perfect sense since your family doctor will have you sign an acknowledgement yearly. The reality is that health data is for sale from all kinds of vendors including pharmacies. As long as it’s “not identifiable” it’s fair game. My work health plan uses a separate “pharmacy benefit manager” to end run around the restrictions on what it can do with that data.



