[astura]

Absolutely positively nothing, their so-called "compliance" is strictly voluntary. That's why I'm calling them out on claiming that they are "HIPAA compliant."

If they were upfront I wouldn't give two fucks, I truly don't care. Like, I really really don't care. It's that they tried to lie is why I am called them out. They were caught with their pants down. I wouldn't be a thorn in their side if they were honest.

[29athrowaway]

Did they have a choice to become a HIPAA covered entity and decided not to do it? Or that was never a choice?

The problem here is that the HIPAA legislation is outdated. Another problem is that there's almost no regulation around selling data.

My true question is: what's the business model here?

a) offering this testing service (which to be honest, sounds pretty interesting and useful)

b) selling the data of unsuspecting customers ("the 23andme model")

[astura]

Sure, they could provide medical services and interface with health insurance companies, then they'd be a covered entity under HIPAA. They could employ medical staff to prescribe tests and provide test results to patients, then they'd be a covered entity under HIPAA.

I don't believe HIPAA is outdated, I believe that people just very much misunderstand it. The full title is "Health Insurance Portability and Accountability Act" - it's literally a bill to regulate health insurance companies, it was never meant to be more.

Congress could pass a general medical privacy bill tomorrow, yet they appear to be extremely uninterested in doing so, so they don't.

Their business model is probably just offering this testing service at the moment, but their weasely response when asked if their data was covered by HIPAA makes me think that they are keeping selling data on the back burner as an emergency option.