I might be wrong, but I don't think a genetic sequencer is something that's easy to build in your garage without anyone knowing. So if loose hair is not PHI but the information that the owner of that hair has or does not have a genetic disorder is PHI, we could say that the PHI starts once the genome of a human is sequenced from a tissue sample. So, yes, anyone who has a genetic sequencer must have the same level of security as a doctor's office. That doesn't seem like a terrible requirement.
It's not impossible to do DNA sequencing in your garage, either by buying a sequencer on eBay or by implementing your own. However, most of the data you'd generate wouldn't be that useful; instead, I think you could make a spotted microarray, which was one of the early examples of DIY process automation in biology (around 2000), that could be turned to nefarious uses with much less time and capital.
But the data revealed in analyzing the DNA (e.g. if you have a genetic disorder) should be PHI.
It's odd how something could go from "not PHI" to "now this is PHI" just by processing something like a piece of hair.
"At what point does it turn into PHI" would be a difficult question to answer.
IMO protection of DNA related data deserves something different than HIPAA.