Fine print on at-home DNA tests: key risks to know

The appeal is simple: a small kit arrives, you swab, spit, or prick a finger, mail it back and soon learn about hormones, ancestry, disease risk or even your whole genome. I dug into the fine print for 10 companies, including Everlywell, LetsGetChecked, Labcorp OnDemand, Nebula Genomics, Nucleus, SiPhox, myLAB Box, CircleDNA, SelfDecode and 23andMe, because the ease of ordering masks complex legal and privacy questions.

One major risk is assuming your results are protected like a medical record. HIPAA covers health information only when handled by certain covered entities or their business associates, and direct-to-consumer labs often fall outside that shield. Terms such as “HIPAA-compliant” or “HIPAA-grade” are commonly used as marketing language and do not necessarily mean the company’s data practices are subject to HIPAA protections.

Privacy policies frequently allow sharing with affiliates, partners, advertisers or researchers, sometimes using “de-identified” or “aggregated” data.

at-home dna, direct-to-consumer, genetic testing, ancestry results, disease risk, whole genome, hipaa compliance, privacy policy, de-identified data, data sharing