The HIPAA Gap in Direct-to-Consumer Genetic Privacy

  • Molly Bombard
  • May 2
  • 7 min read

1. Introduction


Each year, over 100 million individuals use 23andMe and other direct-to-consumer (DTC) genetic testing kits (Henry). This rapid growth has created controversy over a significant regulatory gap in health information privacy. Currently, genetic information collected by healthcare providers falls under the protections of the Health Insurance Portability and Accountability Act (HIPAA), while identical genetic information collected by DTC genetic testing companies like 23andMe exists largely outside this regulatory framework. This paper argues that consumer health data collected by DTC genetic testing companies should be subject to HIPAA regulations to ensure consistent privacy protection for sensitive genetic information regardless of the collecting entity. The current regulatory framework draws an arbitrary distinction based not on the nature of the information (which is equally sensitive in both contexts) but solely on the entity collecting it. This paper will (1) examine the legal basis for extending HIPAA to DTC genetic testing companies, (2) identify the governmental bodies responsible for implementing this change, and (3) address the main counterarguments.


2. Background and Current Regulatory Framework



Under current regulations, HIPAA’s privacy protections apply only to “covered entities” and their “business associates” (HIPAA, 100 Stat. 1936). Covered entities include healthcare providers and healthcare clearinghouses. The Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA rules, defines protected health information as “individually identifiable information” that is held or processed by a covered entity (HHS, 2025). Despite handling the same sensitive genetic information, DTC genetic testing companies do not qualify as covered entities under HIPAA because they provide services directly to consumers without the involvement of a healthcare provider.


This regulatory gap means that identical genetic information receives different levels of legal protection based solely on who collects it. When collected through healthcare providers, genetic information is protected by HIPAA’s Privacy Rule, which limits disclosure and requires patient consent for most uses beyond treatment and healthcare operations (HIPAA, 100 Stat. 1936). When collected by DTC companies, however, the same genetic information is governed primarily by the companies’ own privacy policies and by the Federal Trade Commission’s (FTC) enforcement authority over unfair or deceptive practices—a reactive rather than proactive approach (McGeveran).


Genetic information is uniquely sensitive personal data: it reveals information not only about the individual but also about their biological relatives. DTC genetic tests analyze markers for disease predisposition, carrier status for recessive conditions, and other health-related traits—data that meets the definition of “health information” under HIPAA and under HHS’s implementing regulations (HIPAA, 100 Stat. 1936). Companies like 23andMe and Ancestry provide health reports that include risk assessments for conditions such as Alzheimer’s disease, Parkinson’s disease, and certain cancers (“How It Works,” 23andMe). This information would undoubtedly be protected under HIPAA if collected in a clinical setting.


3. Counterargument #1: HIPAA Extension to DTC Genetic Testing



HIPAA’s definitions focus on the nature of the information rather than exclusively on the entity collecting it. The definition of “health information” in 45 CFR § 160.103 includes “information that relates to the past, present, or future physical or mental health or condition of an individual” (45 CFR § 160.103). The genetic analysis provided by DTC companies meets this definition because it assesses disease risks and health conditions.

Opponents argue that an attempt by HHS to extend HIPAA to DTC genetic testing companies would be an impermissible expansion of administrative authority (Rothstein). HHS’s authority to interpret HIPAA has previously rested on the principle of Chevron deference, established in Chevron U.S.A. v. Natural Resources Defense Council (Chevron v. NRDC), which granted federal agencies leeway to interpret ambiguous statutory language. That doctrine was overruled in 2024 by Loper Bright Enterprises v. Raimondo (Virelli), which held that courts must exercise independent judgment in deciding the scope of an agency’s statutory authority rather than deferring to the agency’s interpretation. This does not, however, eliminate the possibility of HHS extending HIPAA to DTC genetic companies.


Even without Chevron deference, HHS could still make a compelling case for bringing DTC genetic testing companies under HIPAA by drawing on the statute’s purpose. Courts would likely evaluate the agency’s interpretation under the Skidmore framework, which allows courts to consider an agency’s expertise and reasoning without requiring deference (Rossi). The key difference between the two doctrines is that Chevron required courts to defer to reasonable agency interpretations of ambiguous statutes, whereas Skidmore merely permits courts to give weight to agency views in proportion to their persuasiveness. Thus, HHS’s expertise and the consistency of its interpretation would still be relevant factors in a court’s analysis.


Further, in American Hospital Association v. Becerra (2022), the Supreme Court reaffirmed that agencies have significant discretion to interpret statutes when the text contains ambiguities (Shauku). The definition of “healthcare provider” in 45 CFR § 160.103 includes anyone who “furnishes, bills, or is paid for health care in the normal course of business” (45 CFR § 160.103). When DTC genetic testing companies provide health-related genetic analysis, they are arguably “furnishing health care” under a reasonable reading of this definition, which would place them within HHS’s existing statutory authority.


4. Governmental Responsibility for Implementation



The Department of Health and Human Services (HHS), and in particular its Office for Civil Rights (OCR), would be the primary federal agency responsible for applying HIPAA regulations to DTC genetic testing companies. However, the most direct and comprehensive approach would require Congressional action to amend HIPAA. Legislative action could take two forms: (1) amending the definition of “covered entity” in the HIPAA statute to explicitly include DTC genetic testing companies; or (2) creating a new category of regulated entities specific to consumer genetic testing.

There is precedent for expanding federal HIPAA regulations to address technological developments. While the original HIPAA legislation specifically enumerated covered entities, later amendments show Congress’s intent to adapt the law to evolving technologies. The HITECH Act of 2009 significantly expanded HIPAA’s reach, extending direct liability to business associates and creating new breach notification requirements (Burde). If nothing else, this expansion shows Congress’s recognition that health information requires specialized privacy protections regardless of how it is collected.


5. Counterargument #2: Commercial Speech and First Amendment Concerns


Some legal scholars have raised constitutional concerns about restrictions on the use and disclosure of genetic information. They argue that regulations limiting how companies can use or share legitimately obtained information could impose impermissible restrictions on commercial speech under the First Amendment. In Sorrell v. IMS Health Inc., the Supreme Court struck down a Vermont law restricting the sale of pharmacy records, establishing heightened scrutiny for content-based restrictions on the disclosure of information (Bhagwat).


Under the Central Hudson test for commercial speech regulations, the government must demonstrate that a restriction directly advances a substantial governmental interest and is not more extensive than necessary (Stern). Opponents argue that extending HIPAA’s use and disclosure limitations to DTC genetic testing could fail this test, particularly if less restrictive alternatives (such as enhanced consent requirements) could address the same privacy concerns.


However, courts have generally upheld HIPAA’s privacy restrictions against First Amendment challenges. In Citizens for Health v. Leavitt, the Third Circuit rejected a constitutional challenge to the HIPAA Privacy Rule, finding that it struck a reasonable balance between privacy interests and other concerns (Clement). The court specifically noted that health information protections serve substantial governmental interests that justify limited speech restrictions. Extending these protections to functionally identical genetic information held by DTC companies would likely survive similar constitutional scrutiny, especially since the regulations would center on informed consent requirements rather than outright prohibitions on speech.


6. Conclusion


The current regulatory framework creates an artificial distinction in privacy protection for genetic information based solely on who collects it, rather than on the nature of the information itself. As demonstrated throughout this paper, DTC genetic testing companies handle the same sensitive health information as traditional healthcare providers, yet operate outside HIPAA’s protective framework. Extending HIPAA to cover DTC genetic companies is therefore a necessary evolution of health privacy law. Despite the challenges to agency authority following the Loper Bright decision, a path forward remains through either Congressional action or careful regulatory interpretation under the Skidmore framework. Further, the HITECH Act’s expansion of HIPAA in 2009 provides clear precedent for adapting the law to emerging technologies. Lastly, constitutional concerns about commercial speech restrictions are outweighed by the substantial governmental interest in protecting sensitive genetic information, as courts have consistently upheld HIPAA’s privacy framework against First Amendment challenges. Without action to close this regulatory void, the government risks perpetuating a double standard that leaves DTC genetic test users vulnerable: a double helix, double standard in privacy protection.



References 


Bhagwat, Ashutosh. "Sorrell v. IMS Health: Details, Detailing, and the Death of Privacy." Vermont Law Review, vol. 36, 2011, p. 855. https://heinonline.org/HOL/LandingPage?handle=hein.journals/vlr36&div=43&id=&page=


Burde, Howard. "The HITECH Act: An Overview." AMA Journal of Ethics, vol. 13, no. 3, 2011, pp. 172-175. https://journalofethics.ama-assn.org/article/hitech-act-overview/2011-03


Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. 467 U.S. 837. Supreme Court of the United States. 1984. Justia, supreme.justia.com/cases/federal/us/467/837/. Accessed 13 Apr. 2025.


"Citizens for Health v. Leavitt." Global Health and Human Rights Database, www.globalhealthrights.org/citizens-for-health-v-leavitt/. Accessed 13 Apr. 2025.


Clement, Paul D., et al. Brief for the Respondent in Opposition. Citizens for Health v. Leavitt, U.S. Supreme Court, 2006, No. 05-1311. U.S. Department of Justice, www.justice.gov/osg/brief/citizens-health-v-leavitt-opposition.


Henry, Tanya Albert. "Protect Sensitive Individual Data at Risk from DTC Genetic Tests." American Medical Association, 2021. https://www.ama-assn.org/practice-management/hipaa/protect-sensitive-individual-data-risk-dtc-genetic-tests


"How It Works." 23andMe, www.23andme.com/howitworks/. Accessed 13 Apr. 2025.

McGeveran, William, and Caroline Schmitz. "General-Purpose Privacy Regulation and Translational Genomics." Journal of Law, Medicine & Ethics, vol. 48, no. 1, 2020, pp. 142-150.


Prince, Anya, and Michael Waterstone. "The Genetic Information Nondiscrimination Act (GINA) 2008." Genetic Discrimination, Routledge, 2014, pp. 114-127. https://www.taylorfrancis.com/chapters/edit/10.4324/9780203674299-10/genetic-information-nondiscrimination-act-gina-2008-anya-prince-michael-waterstone


"Privacy." U.S. Department of Health & Human Services, www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed 13 Apr. 2025.


Rothstein, Mark A. "HIPAA Privacy Rule 2.0." Journal of Law, Medicine & Ethics, vol. 41, no. 2, 2013, pp. 525-528. https://journals.sagepub.com/doi/10.1111/jlme.12060

Rossi, Jim. "Respecting Deference: Conceptualizing Skidmore Within the Architecture of



Shauku, A. K. "American Hospital Association v. Becerra on Administrative Power Over Health Care Funding." SCOTUS 2022: Major Decisions and Developments of the US Supreme Court, Springer International Publishing, 2022, pp. 109-116. https://link.springer.com/chapter/10.1007/978-3-031-18468-0_10


Stern, Nat. "The Stubborn Survival of the Central Hudson Test for Commercial Speech." Seattle University Law Review, vol. 45, 2021, p. 647. https://heinonline.org/HOL/LandingPage?handle=hein.journals/sealr45&div=22&id=&page=


The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 100 Stat. 1936. https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf


Virelli, Louis J., and Richard W. Murphy. "The Death of Chevron: Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244." https://heinonline.org/HOL/LandingPage?handle=hein.journals/admreln49&div=48&id=&page=
