The laws and regulations around genetic information seem to be (intentionally?) easy to misread. Health and Human Services has a FAQ page[1] which states:

> genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse.

However, according to many other sources[2][3], the interpretation of these rules DOES NOT apply to companies like 23andMe. I assume the company is not considered "a covered health care provider, health plan, or health care clearinghouse", but (again) the HHS definitions are (intentionally?) vague/misleading[4]. I suppose you need to be very familiar with regulatory law to actually make sense of this junk.

(I don't know the history of these regulations and carve-outs, but the tin-foil-hat part of me wants to blame lobbyists/legal-corruption for the lack of common-sense and simply worded regulations.)

[1] https://www.hhs.gov/hipaa/for-professionals/faq/354/does-hip...

[2] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6813935/

[3] https://lawforbusiness.usc.edu/direct-to-consumer-generic-te...

[4] https://www.hhs.gov/hipaa/for-professionals/covered-entities...