HIPAA compliance in direct-to-consumer (DTC) genetic testing

Companies must use HIPAA compliant emails when sending genetic test results to healthcare providers or covered entities to protect sensitive health information.

What is direct-to-consumer (DTC) genetic testing?

According to Medline Plus, “Direct-to-consumer genetic testing provides people access to their genetic information without necessarily involving a healthcare provider or health insurance company in the process.

Many companies currently offer direct-to-consumer genetic tests for a variety of purposes. The most popular tests use a limited set of genetic variations to make predictions about certain aspects of health, provide information about common traits, and offer clues about a person’s ancestry.”

Typically, specimen collection kits are sold online. After the kit is sent, the customer gathers the specimen, usually a cheek swab or saliva, and mails it back to the company. After the test is done, results are uploaded to a secure website that is only accessible by the company and the consumer. According to the AMA, DTC genetic test types can include: 

• “Carrier testing for diseases such as cystic fibrosis and hemochromatosis
• Pharmacogenomic testing
• Testing for predisposition to complex diseases such as hereditary cancers, cardiovascular disease and depression
• Whole exome or genome sequencing
• Testing to determine ancestry”

Patient privacy

Generally, DTC genetic testing is only covered by the Genetic Information Nondiscrimination Act (GINA) and not HIPAA, since genetic testing companies are not considered covered entities.

Consumer Reports states, “Though GINA provides substantial protections, it is limited in scope and focuses on discrimination based off information, not the protection of the information once it is in possession of the company.” 

While there is some ambiguity, the HIPAA Omnibus Rule amended HIPAA to include genetic information in the definition of protected health information (PHI).

So, although HIPAA is traditionally associated with healthcare institutions, its principles are equally relevant in DTC genetic testing. Providers and genetic testing companies should safeguard PHI, including genetic data and personal details, to protect patient privacy and mitigate legal risks.

Go deeper: The intersection of HIPAA, GINA, and secure communication

Challenges in DTC Genetic Testing

• Complex data sets: DTC genetic testing involves a multifaceted data lifecycle, from sample collection to analysis and storage. So, DTC companies must adhere to HIPAA regulations, safeguarding protected health information (PHI) when transmitting PHI during these stages.
• Informed consent: In the context of DTC genetic testing, companies must ensure transparent consent processes, acknowledging the unique privacy implications of genetic information.
• Third-party relationships: Collaborations with third-party vendors for data analysis or storage necessitate stringent vetting to ensure HIPAA compliance and robust agreements to safeguard PHI.

Strategies for ensuring HIPAA compliance

• Data security protocols: Companies should implement encryption, access controls, and regular security audits to protect genetic and personal data against unauthorized access or breaches.
• Transparent communication: Clearly articulate privacy policies and data usage practices in simple language to help consumers or patients make informed decisions about their genetic information.
• Comprehensive training initiatives: Educate employees about HIPAA regulations and privacy best practices to ensure compliance and accountability within the organization.
• HIPAA compliant communication: Companies must use secure platforms, like Paubox, that offer encryption and authentication mechanisms to safeguard the transmission of sensitive genetic and personal information.
• Continuous monitoring and adaptation: Companies must conduct regular assessments of internal processes and systems to identify and address vulnerabilities or non-compliance issues.
  
  

Incorporating HIPAA compliant emails

As consumer demand for genetic exploration grows, companies must implement secure communication practices, like HIPAA compliant emails. This protects sensitive genetic information during transmission and at rest, mitigating the risk of unauthorized access or breaches. 

HIPAA compliant platforms, like Paubox, allow DTC genetic testing companies to share genetic information with covered entities while protecting consumer PHI. More specifically, using these platforms can help ensure the secure transmission of test results, maintain compliance with HIPAA regulations, and safeguard the privacy of individuals' health data throughout the communication process.

FAQs

Are DTC genetic testing results covered by HIPAA?

Generally, no. While protected health information (PHI) includes genetic information and is therefore covered by HIPAA, DTC genetic testing results are not automatically covered by HIPAA because they are not typically maintained by healthcare providers, health plans, or healthcare data clearinghouses.

Can DTC genetic testing companies share results with covered entities?

Yes, they can share results with covered entities, such as healthcare providers, but their communication must be HIPAA compliant to secure consumer PHI during transmission and at rest.

Read also: What is a covered entity?

What are the risks of non-compliance with HIPAA?

HIPAA violations can result in penalties, fines, legal consequences, and reputational damage for DTC genetic testing companies.

Go deeper: What are the penalties for HIPAA violations?