The biggest risks lurking inside your at-home DNA and health tests
ZDNET's key takeaways
- At-home DNA and health tests may not be covered by HIPAA.
- Genetic data can expose you or relatives and create insurance risks.
- FDA review and follow-up care vary widely.
The kit arrives. It isn't big.
You get it out of the mailbox and bring it to your counter. It's printed in fun, friendly colors.
Swab. Spit. Prick your finger. Mail it back. Soon, you'll learn something new about yourself: your hormones, your fertility, your cancer risk, your predisposition to Alzheimer's, your metabolism, your food sensitivities, or even your entire genome.
That's the lure of at-home ("direct-to-consumer") DNA and health testing. Late at night, from your phone, you can order just about any test to take at home, whether you're uninsured, curious, or simply anxious about what secrets your body may be hiding.
Before ordering one myself, though, I did a little Googling.
At first, I was looking for simple answers. Was the test FDA reviewed? Was the company covered by HIPAA? Would a doctor explain the results? The more I read, the less simple it became. FDA language was rare, and when it appeared, it was usually tied to a specific test, report, or collection kit — not necessarily the whole company or service.
Some companies said they're HIPAA-compliant; others did not. Almost all cited CLIA-certified or CAP-accredited labs, but those are just lab quality standards. Counseling and follow-up care varied widely, too. That sent me deeper into the fine print: Could my information be shared with law enforcement, or used for ads or research?
The answer was in the policies most people never read. But I did, for 10 companies: Everlywell, LetsGetChecked, Labcorp OnDemand, Nebula Genomics / DNA Complete, Nucleus, SiPhox, myLAB Box, CircleDNA, SelfDecode, and 23andMe. I contacted every company I mentioned for comment. I also spoke to 12 experts in bioethics, genetics, HIPAA and health care law, FDA regulation, consumer privacy, and cybersecurity, though I quoted only six of them.
My health data may not be protected the way I assume
My first risk? It's not the lancet, swab, or tube I'm using to collect my biological sample. It starts earlier, when I order the test and likely assume that, because the company handles health-related data, my information is protected like any other medical record.
In the US, HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects personal health information, or PHI, when it is created, maintained, or transmitted by covered entities and their business associates. It's not a blanket privacy law for everyone.
Anya Prince, the David H. Vernon professor in law at the University of Iowa College of Law, studies health and genetic privacy. Prince told ZDNET the main question is whether a company is covered by HIPAA. "DTC labs may not count as covered entities," said Prince. "The health information they have . . . would be governed by a company's privacy policy rather than considered PHI."
When I looked at popular at-home DTC companies, I was surprised to find several uses of HIPAA language and some gaps.
Everlywell said it is "committed to safeguarding your personally identifiable health information" under HIPAA. Labcorp said it's "required by law to maintain the privacy of health information" under HIPAA. Nucleus told me it's "HIPAA-compliant." SiPhox said it has "HIPAA-grade security," and myLAB Box said the information and samples tied to its kits are "covered" under HIPAA.
For the others, I couldn't find a current public page confirming that the company is HIPAA-compliant or covered by HIPAA.
Julian Gage, founder of Engage Compliance and an outsourced data protection officer for DTC health and genetic testing companies, told ZDNET that "HIPAA-grade" and "HIPAA-compliant" claims are marketing language, "not protection."
"HIPAA-grade encryption is a statement about a security setting," said Gage. "It says nothing about whether HIPAA actually applies to you or what the company can do with your results."
For instance, he explained that when a DTC company routes an order through a doctor or telehealth network, that clinician or network may be a HIPAA-covered entity, and the slice of data it creates and keeps may fall under HIPAA. But that does not necessarily bring the testing company, or the full consumer transaction, under HIPAA. "You can end up with one thin layer protected and the rest living under the terms you tapped through at checkout," Gage said.
He said the biggest misconception is that people "assume mailing a sample to a private company gives them the same shield as handing it to their own doctor."
The fine print says who else can see my data
By the 10th privacy policy, certain terms start to blur: advertising, marketing, affiliates, partners, third parties, targeting, analytics, research, de-identified, aggregated. They're easy to skim past. But these terms reveal who can see my information.
LetsGetChecked said it may use my "personal information" to provide "marketing, including targeted marketing on third party sites such as social media websites," and, with consent, may share it with "third parties for advertising purposes." It also said it "may include de-identified Genetic Data in our research databases," which may be accessible and downloadable by third parties.
SiPhox said, "We do not sell your personal or health information," but also said, "Aggregate Data may be used for marketing insights and targeting." Nebula Genomics said it will "never disclose Genetic Data for research purposes," without my consent. But its privacy policy said my "de-identified or pseudonymized genetic or phenotypic information" may be shared with third parties for research.
These terms are not necessarily nefarious. Research can be valuable. But when my "de-identified" or "aggregated" data can also help with marketing and targeting? I take a moment. What am I consenting to, and is my information truly untraceable back to me?
"Your DNA is the most identifying thing about you, and researchers have shown more than once that supposedly de-identified genomes can be traced back to real people," Gage said. "Once data is de-identified to the legal standard, it drops out of most privacy rules entirely, and the company can use, share, or sell it without asking you again."
Dr. Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, told ZDNET that de-identifying data is an important step, but "it's important not to place too much trust in that process." Studies have shown, he said, that "when coupled with publicly available data, anonymized data sets can often have private information inferred and revealed."
In other words, de-identification is not a magic eraser. A Wired report from 2013 showed how researchers, even then, could use publicly accessible information, including genealogy databases, to identify "anonymous" participants in a large genomic study.
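The linkage problem Rubin and Gage describe is easy to see on a small table. The script below is an added example, not code from the article or from any company named in it; it takes a constructed "de-identified" release (names and emails stripped, but ZIP code, birth year and sex kept), measures how many records are still unique on those quasi-identifiers (the k-anonymity of the release), joins it against a constructed public reference list of the kind a voter roll or genealogy site provides, and then shows how coarsening the fields before release removes the links. The field names, the records and the generalization rule are all assumptions made for the example.

```python
"""Re-identification risk check for a "de-identified" health dataset.

Added example, not code from the article or from any company it names.
Dropping names and emails is not enough: quasi-identifiers that survive
de-identification (ZIP code, birth year, sex) can single out a record,
and a public reference list carrying the same fields links it back to a
person. Every record below is constructed for illustration.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" release: direct identifiers removed,
# quasi-identifiers kept, one sensitive result column.
RELEASE = [
    {"zip": "02138", "birth_year": 1984, "sex": "F", "result": "BRCA1 variant"},
    {"zip": "02139", "birth_year": 1987, "sex": "F", "result": "no variant"},
    {"zip": "02138", "birth_year": 1991, "sex": "M", "result": "no variant"},
    {"zip": "02140", "birth_year": 1995, "sex": "M", "result": "APOE e4/e4"},
    {"zip": "10001", "birth_year": 1970, "sex": "M", "result": "no variant"},
    {"zip": "10002", "birth_year": 1974, "sex": "M", "result": "no variant"},
]

# Constructed public reference list (think voter roll or genealogy profile).
PUBLIC = [
    {"name": "A. Person", "zip": "02138", "birth_year": 1984, "sex": "F"},
    {"name": "B. Person", "zip": "02138", "birth_year": 1984, "sex": "M"},
    {"name": "C. Person", "zip": "10001", "birth_year": 1970, "sex": "M"},
    {"name": "D. Person", "zip": "10001", "birth_year": 1970, "sex": "M"},
]


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The field combination an outsider could match against public data."""
    return tuple(record[f] for f in fields)


def class_sizes(records, fields=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means some record is unique in the release."""
    sizes = class_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def linkable(records, public, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match exactly one public entry.

    Returns {name: sensitive result}; these rows are effectively re-identified.
    A key shared by two public entries (C. and D. Person) does not link, which
    is exactly what generalization tries to achieve for every row.
    """
    public_sizes = class_sizes(public, fields)
    names = {quasi_key(p, fields): p["name"] for p in public}
    release_sizes = class_sizes(records, fields)
    hits = {}
    for r in records:
        key = quasi_key(r, fields)
        if release_sizes[key] == 1 and public_sizes.get(key) == 1:
            hits[names[key]] = r["result"]
    return hits


def generalize(records, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers (ZIP prefix, birth decade) before release."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


if __name__ == "__main__":
    print("k on raw release:", k_anonymity(RELEASE))
    print("linked to a named person:", linkable(RELEASE, PUBLIC))
    coarse = generalize(RELEASE)
    print("k after generalization:", k_anonymity(coarse))
    print("linked after generalization:", linkable(coarse, generalize(PUBLIC)))
```

Run as-is, the raw release has k = 1 and one row links to a named person; after generalization every quasi-identifier class has two members and nothing links. The check is one a data holder can run before calling a dataset "de-identified", and it is the reason the legal standard Gage describes is weaker than it sounds: a release can satisfy it while still being unique on fields that public records also carry.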
My genetic and health data may have consequences
Personal data can be sensitive. My genetic and health data? That's something else entirely. It's permanent, identifying, and familial. "Unlike your password, your DNA cannot be changed," said Rubin.
It says things not only about me, but potentially about relatives who never consented to a test. It can reveal parentage, inherited diseases, and risks with emotional, medical, and financial consequences.
Laura Hercher, director of student research in the Human Genetics Graduate Program at Sarah Lawrence College and a genetic counselor, told ZDNET it is far from clear if companies offering life or long-term-care insurance will start asking customers if they have done genetic testing for purposes of "ruling out higher-risk customers." But in most states, she said, "they could."
Prince, who also studies genetic discrimination, made a similar point about GINA, or the Genetic Information Nondiscrimination Act. The 2008 law does not regulate how "life, long-term care, and disability insurers use genetic information," Prince said. That means a person "could be denied these insurances or charged a higher premium" based on their test results.
Then there is the law enforcement question. Genetic genealogy has helped solve cold cases. It also raises privacy concerns: Does a company require a warrant, subpoena, or court order? Will it notify me? Could my relatives be implicated?
In my review of at-home DTC companies, law enforcement language appeared in every privacy policy I examined.
"We can't say it enough," 23andMe's privacy policy said. "[We] will not provide information to law enforcement unless required by law to comply with a valid court order, subpoena, or search warrant."
Every policy I reviewed included some language allowing disclosure in response to legal obligations or government requests, including subpoenas, court orders, warrants, public health obligations, and regulatory requirements.
What rights do I actually have?
Account deletion, sample retention, and sample destruction were three important issues for me. Could I close an account? Delete my genetic or health data? Would the company keep records anyway? Would the physical sample I mailed in be destroyed automatically or only if I asked?
That matters because, as Hercher told ZDNET, there are "no laws" that guarantee DNA data privacy. While terms of service matter, they "can and do change over time," she said.
The answers are often buried. LetsGetChecked said users can request that it "delete your information or destroy your sample," though it may refuse if "the information is still necessary" or if it still has "a legal basis to process the information or retain the sample." It also said samples are "securely destroyed after they are processed." CircleDNA said it will retain a sample for the maximum period permitted by law, "after which point it will be destroyed."
I had to hunt for these details, and I can't be sure if and when they'll change.
Is more accuracy, or regulation, needed?
At-home DNA and health tests are meant to be cheap and quick. But can the results be trusted? A lab can produce technically accurate data, but the consumer still needs to know what the data means, what it does not mean, and what to do next.
As I compared companies, I kept asking myself: The lab may be legitimate, but who will interpret the result for me? Dr. Robert Green, a professor of medicine in genetics at Harvard Medical School and a scientist who did a TED talk on genomic testing in babies, has concerns about whether some test results are accurate, properly interpreted, and connected to medical care.
"When somebody offers you a genetic test online, there's a question of quality," Green told ZDNET. "Is the test being done well? And by well, I don't just mean accurate. There would have to be an accurate interpretation as well." Green suggested some companies may even rely on automated interpretation systems that "miss tons of important" conditions.
Hercher seemed more concerned about regulation. "Most DTC genetic testing companies are not frauds — but I think buyer beware is still a good message," she said. "This isn't a heavily regulated industry."
The regulatory terminology around at-home DNA and health tests is confusing, too. "At-home" tells me where the sample is collected. "Direct-to-consumer" tells me how the test is marketed. FDA review and CLIA certification are entirely different labels, and neither guarantees my results.
Still, when I checked for FDA mentions across 10 companies, I found them sparse and test-specific. LetsGetChecked said the FDA granted it "marketing authorization" for the Simple 2 Test. 23andMe said it includes "FDA authorized reports" and lists dozens of health reports that "meet FDA requirements." Everlywell and myLAB Box cited FDA authorization for COVID-19-related testing.
Lab-quality claims were far more common in my review. Almost all cited CLIA-certified labs, CAP accreditation, or both.
But that does not mean a test or report has gone through FDA review, or that the result is clinically meaningful. CLIA is just a federal standard for laboratory quality, said Green. "CAP is a different standard" involving professional standards in pathology. Both, he said, are "minimal standards," and "CLIA certification doesn't say much about quality of interpretation."
Green acknowledged that more FDA oversight could make the market more consistent, but it could also slow innovation. He said genetic tests are "changing every week." If every adjustment required full FDA review, "that would be completely catastrophic for genetic testing," Green said. Still, the current market is hard to compare because "some are good quality and some are not."
Because quality varies, he said one of the first things he looks for is whether a company has the right expertise behind the test: "Do they have a chief medical officer who's a physician, who is a geneticist?" or "Do they have a laboratory director?"
The results are in… What next?
Professor Arthur L. Caplan, a bioethicist at NYU Grossman School of Medicine who has studied genetics in medicine for decades, suggested to ZDNET that the promise of at-home test results may outrun what consumers are able to interpret on their own.
"What's often sold is, 'take control of your health, be in charge,'" said Caplan. "You can't, because you're going to get information back that you need a master's degree to understand."
At-home DNA and health tests can let me skip a traditional health care provider and order without health insurance. But behind the scenes, is any medical care or follow-up consultation available? From what I found, it is far from consistent.
LetsGetChecked said users can get "a follow-up call from our clinical team to discuss any abnormalities." Labcorp OnDemand said its team may contact users about "abnormal or critical" results, but added that "the care coordination, itself, does not include medical advice." SiPhox said it is a "wellness-only service" and "is not designed to diagnose, prevent, or treat any disease."
Green said there are at-home tests that fall somewhere between traditional physician-ordered testing and pure direct-to-consumer testing. "There's also a whole lot of products that are in an intermediate scenario where a physician actually orders them," he said. "But it's not a physician you know or have seen or talked to."
So, if easy, affordable access to DNA and health testing is an upside, the downside may be what happens when I'm left to interpret my data largely on my own. Caplan indicated he was skeptical of treating at-home DNA results as clear medical advice.
"Companies will tell you we can test for complicated things like intelligence," Caplan said. "I think that's just not true." Many results are not diagnoses. "Frequently, they're just a presentation of possible risk," he said.
"Major health impacts still rely, I believe, primarily on the environment," he added, pointing to polluted water and air, food safety, and other conditions people live with every day. "There's a lot of diminishment of their role." Overemphasizing genes, he said, can shift responsibility back onto the individual. "It's kind of putting the blame for bad health on you because it's bad genes," Caplan said.
Green pushed back on the idea that receiving genetic information is harmful. His research, he told me, has found "surprisingly little evidence of psychosocial harm." People may become upset by a result, he said, but that distress is often "transient and mild."
"I do believe that we should be much more aggressive about offering genomic screening to both adults and children," he said. "Because our healthcare system is so lacking, so deficient in providing appropriate screening."
What to do before ordering a test
Before ordering an at-home DNA or health test, slow down and read the fine print.
These tests can be cheap, convenient, and useful, especially for people who are uninsured, underinsured, or far from specialists.
I'm not saying every at-home testing company is a data farm. But find out whether the company says its test is FDA authorized, cleared, or approved; what that means; and whether it applies to the whole test or just one of the reports offered. Look for whether the lab is CLIA-certified or CAP-accredited, and ask who will interpret the results and whether any follow-up consultation is available.
Next, read the privacy and consent policies. Search for HIPAA, data sharing, advertising, research, de-identified and aggregated data, and law enforcement. Gage told me to look for "third parties, partners and the word 'sell,'" along with retention, deletion, sample destruction, acquisition, and bankruptcy. "If those parts read as vague," he said, "the vagueness is your answer."
So, can I trust an at-home DNA or health test?
Sometimes. Some may provide real insights, useful screening, and a cheaper path to information. But they also collect some of the most sensitive data a person can give away. Make your own checklist of the risks and benefits you care about most, then see if the test makes the cut. Personally, I found it really difficult to choose one that checked all of mine.