No, 23andMe isn’t HIPAA compliant.
23andMe isn’t HIPAA compliant because the Health Insurance Portability and Accountability Act (HIPAA) applies only to covered entities in the healthcare system, such as physicians, hospitals, and health plans, and to the business associates that handle protected health information on their behalf. A private genetic testing or genealogy service that a consumer pays directly, such as 23andMe, is not a covered entity, so HIPAA’s privacy and security rules don’t reach it.
HIPAA’s privacy rules predate the direct-to-consumer genetic testing market and were written around traditional healthcare relationships, so they don’t protect personal data shared with a genealogy testing provider.
The result is an odd gap: 23andMe holds genetic data that is at least as sensitive as the records a doctor or hospital keeps, yet HIPAA doesn’t hold it to the same standard of confidentiality it imposes on covered entities.
Outside HIPAA, few restrictions protect genetic data. For example, the government may seek access to genetic information held in private or public databases when national security is at issue. Individuals who contribute DNA to 23andMe may also draw law enforcement scrutiny if a relative’s genetic data becomes evidence in a criminal investigation. (23andMe states that it releases customer information to law enforcement only on receipt of a court order.)
Beyond genetic data, 23andMe collects other information, including data gathered through social media and tracking of customers’ online activity, and uses it for marketing. It also shares customer information with research partners, but only for customers who have consented to participate in its research program.