ZDNET’s key takeaways
- At-home DNA and health tests may not be covered under HIPAA protections
- Your genetic data can put both you and your family members at risk, including for insurance discrimination
- FDA oversight levels and medical follow-up support differ significantly between companies
The testing kit arrives, and it’s surprisingly compact.
You pull the cheerful, color-designed package from your mailbox and set it on your kitchen counter.
Swab, spit, or do a quick finger-prick. Drop it in the mail. Soon, you’ll receive insights into your body: hormone levels, fertility status, Alzheimer’s risk, metabolism patterns, cancer predispositions, food sensitivities, or even your full genetic profile.
This is the appeal of direct-to-consumer (at-home) DNA and health screenings. At any hour, from your smartphone, you can request nearly any test—whether you’re uninsured, health-curious, or worried about hidden medical risks.
Before buying my own test, I did some online research.
Initially, straightforward questions guided my search: Is the test FDA-approved? Is the business HIPAA-compliant? Will a physician walk me through the findings? The more I read, the murkier the answers became. FDA references were infrequent and typically linked to a particular kit, report, or sample method—not the entire product line.
A few companies claimed HIPAA compliance; others made no such assertion. Nearly all mentioned using CLIA-certified and CAP-accredited labs, which only reflect laboratory quality, not overall privacy obligations. The extent of genetic counseling and follow-up medical guidance varied greatly. That led me deeper into their legal documents: Could my results be shared with police or used in marketing campaigns?
The truth was buried in privacy policies—which most people skip entirely. I read through all 10 of them.
The brands I investigated included: Everlywell, LetsGetChecked, Labcorp OnDemand, Nebula Genomics (also as DNA Complete), Nucleus, SiPhox, myLAB Box, CircleDNA, SelfDecode, and 23andMe. I reached out to each for comment, and consulted twelve specialists in bioethics, health privacy law, genetic regulation, FDA processes, and data security—though only six are directly quoted here.
My health data might not be protected the way I assume
The first risk isn’t the lancet, swab, or blood tube—it starts the moment I purchase the test. At that point, I might mistakenly believe that because the company handles health data, my results are safeguarded like a typical clinical record.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, protects health information when handled by certain “covered entities” and their business partners. It isn’t a universal privacy law for all businesses.
Anya Prince, David H. Vernon Professor of Law at the University of Iowa, specializes in health and genetic privacy. She explained to ZDNET that the key issue is whether a company qualifies as a “HIPAA-covered entity.” She added: “DTC labs may not fall into that category, so your data would be governed by the company’s privacy policy, not HIPAA regulations.”
When I examined leading DTC brands, I was surprised by inconsistent HIPAA claims and missing public documentation.
Everlywell stated it is “dedicated to protecting your personally identifiable health information” under HIPAA. Labcorp OnDemand affirmed it is “legally required to maintain the privacy of health information” per HIPAA. Nucleus confirmed it’s “HIPAA-compliant.” SiPhox described its safeguards as “HIPAA-grade security,” while myLAB Box said its sample and data handling are “covered” under HIPAA.
For the remaining firms, I could not locate clear, up-to-date public pages verifying HIPAA status.
Julian Gage, founder of Engage Compliance and data protection officer for multiple DTC health and genetic testing firms, told ZDNET that phrases like “HIPAA-grade” and “HIPAA-compliant” are primarily marketing tools—not legal guarantees.
“HIPAA-grade encryption refers to a specific security setting,” Gage explained. “It doesn’t confirm whether HIPAA applies to your interaction or how your data can actually be used.”
He provided an example: if a DTC test order goes through a telehealth provider, that doctor or service may qualify as a HIPAA-covered entity, meaning only the data they generate is protected—not necessarily the information collected by the DTC brand itself. “You can end up with just one thin layer protected, while everything else depends on the fine print you clicked through at purchase,” he noted.
According to Gage, the biggest misconception is assuming that mailing a biological sample to a private firm gives you the same privacy protection as submitting one directly to your own healthcare provider.
The legal details determine who else can access your information
By the time I reached my tenth privacy policy, certain words started to blur: “advertising,” “affiliates,” “partners,” “third parties,” “targeting,” “de-identified,” “aggregated,” “analytics.” These easy-to-overlook terms actually define exactly who can see—and potentially use—your sensitive data.
LetsGetChecked disclosed that it might use your personal information for “targeted advertising, including on third-party websites like social media” and, with your consent, share it with “third parties for marketing.” It also noted that “anonymized genetic data” could be included in its research databases—available to outside parties.
SiPhox stated: “We do not sell your personal or health information,” yet added, “Aggregate data may be used for marketing analysis and audience targeting.” Nebula Genomics promised never to share your genetic data for research without permission—but acknowledged that “de-identified or pseudonymized genetic or phenotypic data” might still be provided to third parties for studies.
These practices aren’t inherently malicious; research benefits society. But when “de-identified” data also fuels targeted ads, it raises valid questions: Am I truly untrackable? And what am I really agreeing to?
“Your DNA is one of the most personally identifiable things about you—and research has demonstrated, repeatedly, de-identified genomes can often be linked back to real individuals,” Gage warned. “Once data meets legal de-identification standards, it’s no longer covered by most privacy regulations — meaning the company can freely use, share, or sell it without notifying you again.”
According to Dr. Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, de-identification is a valuable step — but it shouldn’t be blindly trusted. As he explained to ZDNET, research consistently demonstrates that “anonymized data, when combined with publicly available datasets, can frequently lead to the reconstruction and exposure of private details.”
In short, de-identification isn’t a foolproof solution. A 2013 Wired investigation revealed that researchers were already capable of cross-referencing public records — including genealogy databases — to identify supposedly “anonymous” participants in a major genomic study.
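The linkage problem Gage and Rubin describe can be measured before a dataset is released. The following example is added here and is not code from the article or from any company named in it; every record in it is constructed, and the "public record" table is a stand-in for the kind of voter-roll or genealogy data an outside party could hold. It counts how many released records share each combination of quasi-identifiers (ZIP code, birth year, sex), reports the resulting k-anonymity, shows which constructed public-record entries join to exactly one released record, and then applies the usual mitigation (truncating ZIP codes and bucketing birth years into decades) to show how the exposure changes.

```python
"""Re-identification exposure check for a 'de-identified' health release.

Added example, not from the ZDNET article. All records are constructed; no
real people, addresses or findings. A genotype itself is also an identifier,
so generalizing quasi-identifiers reduces linkage risk but does not remove it.
"""
from collections import Counter

# Constructed release: names removed, genetic finding kept.
DEIDENTIFIED = [
    {"zip": "52240", "birth_year": 1984, "sex": "F", "finding": "BRCA1 variant"},
    {"zip": "52240", "birth_year": 1984, "sex": "F", "finding": "no variant"},
    {"zip": "52245", "birth_year": 1971, "sex": "M", "finding": "APOE e4/e4"},
    {"zip": "52246", "birth_year": 1975, "sex": "M", "finding": "no variant"},
    {"zip": "52240", "birth_year": 1962, "sex": "F", "finding": "LDLR variant"},
    {"zip": "52241", "birth_year": 1968, "sex": "F", "finding": "no variant"},
    {"zip": "52246", "birth_year": 1990, "sex": "M", "finding": "no variant"},
    {"zip": "52245", "birth_year": 1993, "sex": "M", "finding": "no variant"},
]

# Constructed stand-in for a public record set (voter roll, genealogy profile):
# a name plus the same quasi-identifiers, and nothing medical.
PUBLIC_RECORDS = [
    {"name": "Person A (constructed)", "zip": "52245", "birth_year": 1971, "sex": "M"},
    {"name": "Person B (constructed)", "zip": "52240", "birth_year": 1984, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def key(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple that a join with outside data would use."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """How many released records share each quasi-identifier combination."""
    return Counter(key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest class; k=1 means at least one record is unique."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears only once."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[key(r, fields)] == 1]


def linkable(deidentified, public_records, fields=QUASI_IDENTIFIERS):
    """Public-record names that match exactly one released record.

    Those people are re-identified by the join; a name matching several
    released records (Person B here) is not singled out.
    """
    classes = equivalence_classes(deidentified, fields)
    by_key = {key(r, fields): r for r in deidentified}
    hits = {}
    for p in public_records:
        k = key(p, fields)
        if classes.get(k) == 1:
            hits[p["name"]] = by_key[k]["finding"]
    return hits


def generalize(record, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers: truncate the ZIP, bucket birth year."""
    return {
        **record,
        "zip": record["zip"][:zip_digits] + "*" * (5 - zip_digits),
        "birth_year": f"{record['birth_year'] // year_bucket * year_bucket}s",
    }


def risk_report(records, public_records, fields=QUASI_IDENTIFIERS):
    """Exposure summary before and after generalization."""
    generalized = [generalize(r) for r in records]
    return {
        "k_raw": k_anonymity(records, fields),
        "unique_raw": len(unique_records(records, fields)),
        "linked_raw": sorted(linkable(records, public_records, fields)),
        "k_generalized": k_anonymity(generalized, fields),
        "unique_generalized": len(unique_records(generalized, fields)),
    }


if __name__ == "__main__":
    for r in unique_records(DEIDENTIFIED):
        print("unique on public quasi-identifiers:", r)
    print(risk_report(DEIDENTIFIED, PUBLIC_RECORDS))
```

In this constructed release six of eight records are unique on ZIP, birth year and sex, so any outside record with those three fields singles them out; after generalization every class has at least two members. A data custodian would run this kind of check against the actual fields being released, and would treat k as a floor, not a guarantee, because the genetic payload itself can still be matched against a relative's profile.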
My genetic and health data could carry lasting consequences
Some personal information is sensitive. Genetic and health data goes far beyond that — it’s permanent, uniquely identifying, and extends to family members. “Your DNA can’t be reset like a password,” Rubin emphasized.
It reveals information not only about me but also relatives who never agreed to testing. It can uncover parentage, hereditary conditions, and health predispositions — each carrying emotional, medical, and financial implications.
Laura Hercher, director of student research in the Genetics Graduate Program at Sarah Lawrence College and a practicing genetic counselor, noted uncertainty over whether life and long-term-care insurers might begin screening applicants based on their genetic testing history to exclude those at higher risk. However, she pointed out, “in most states, they’d be permitted to do so.”
Prince, who also studies genetic discrimination, echoed this concern regarding GINA — the Genetic Information Nondiscrimination Act. She explained that while the 2008 law was a landmark, it does not restrict how “life, long-term care, or disability insurers handle genetic information.” This gap means someone could be denied coverage or face elevated premiums based on their genetic test results.
Then comes the law enforcement dimension. Genetic genealogy has helped crack cold cases, yet it also stirs privacy concerns: Does the company require a warrant, subpoena, or court order? Will users be notified? Could my relatives be pulled into an investigation?
Every direct-to-consumer company I reviewed included law enforcement language in their privacy policies.
23andMe’s policy stated plainly: “[We] will not share information with law enforcement unless legally compelled by a valid court order, subpoena, or search warrant.”
All policies examined contained clauses allowing data disclosure when faced with legal mandates or official requests — encompassing subpoenas, court orders, warrants, public health directives, and regulatory obligations.
What rights do I actually have?
Three key concerns for me were account deletion, sample retention, and sample destruction. Could I close my account? Remove my genetic and health data? Would records still persist regardless? Would the physical DNA sample I mailed be automatically destroyed, or only upon request?
These questions matter because, as Hercher told ZDNET, there are “no specific laws” guaranteeing DNA data privacy. While terms of service offer some protection, she noted they “frequently change without notice.”
Details on these points are often hard to locate. LetsGetChecked stated users may request that it “delete information or destroy samples,” though the company reserves the right to decline if “the information remains necessary” or if “a legal basis exists to retain or process the data.” They also confirmed samples are “securely destroyed after processing.” CircleDNA mentioned retention “for the maximum legal period” followed by mandatory destruction.
Uncovering these answers required significant digging — and there’s no guarantee these policies won’t shift.
Do we need more accuracy or stricter regulation?
At-home DNA and health tests promise convenience and affordability. But how reliable are the results? A lab may generate technically precise data, yet consumers still need clarity on what the results mean, what they don’t mean, and what steps to take next.
Across every company comparison I made, one question lingered: The lab may be legitimate, but who will personally interpret my results for me? Dr. Robert Green, a Harvard Medical School genetics professor and speaker on genomic testing in infants, expressed concerns about whether certain test results are accurate, properly contextualized, or meaningfully tied to medical guidance.
“Ordering a genetic test online raises serious quality questions,” Green told ZDNET. “Is the test performed well? And by ‘well,’ I don’t just mean precise — interpretation must also be sound.” He cautioned that some providers rely on automated analysis systems that “overlook numerous critical conditions.”
Hercher’s worry leaned more toward oversight. “Most DTC genetic testing companies aren’t scams — but buyer beware remains solid advice,” she said. “This industry operates with minimal regulation.”
The regulatory jargon around at-home DNA and health tests adds further confusion. “At-home” describes where the sample is gathered; “direct-to-consumer” describes how the product is sold. FDA review and CLIA certification are entirely separate designations — neither assures the value of your specific results.
However, upon checking 10 companies for FDA references, I found mentions were sparse and highly specific to individual tests. LetsGetChecked noted receiving FDA “marketing authorization” for its Simple 2 Test. 23andMe highlighted “FDA-authorized reports” and listed numerous health reports that “comply with FDA requirements.” Everlywell and myLAB Box referenced FDA authorization limited to COVID-19 testing.
Claims about lab quality were far more widespread. Nearly every company cited CLIA certification, CAP accreditation, or both.
Yet this doesn’t mean every test undergoes FDA scrutiny or produces clinically significant results. As Green explained, CLIA represents merely a federal baseline for lab quality. “CAP is a different professional standard rooted in pathology.” Together, he said, they represent “floor-level requirements,” adding that “CLIA certification reveals little about the quality of test interpretation.”
Green agreed that greater FDA oversight could help standardize the market, though it might also stifle progress. He pointed out that genetic testing is “evolving constantly.” Requiring comprehensive FDA review for every update “would devastate genetic testing,” he said. Still, the current landscape is difficult to navigate because “quality varies widely — some providers are strong, others are not.”
Due to this inconsistency, Green said one of the first things he checks about a company is whether it has qualified medical oversight behind the testing process. For example, does it employ a chief medical officer who is both a physician and a geneticist? Is there a licensed laboratory director? These are important questions to consider.
The results are in… What comes next?
Professor Arthur L. Caplan, a bioethicist at NYU Grossman School of Medicine with decades of experience in genetic medicine research, warned in an interview with ZDNET that while companies market at-home tests as empowering tools for personal health control, the reality is often more complex. “Many consumers end up receiving data so detailed,” he explained, “that understanding it properly typically requires advanced scientific training.”
At first glance, these kits appear convenient—you bypass doctors, skip insurance, and get answers fast. But once results arrive, medical support varies widely. Some services offer follow-up calls for abnormal findings; others explicitly disclaim any diagnostic or treatment role. For instance, LetsGetChecked promises clinical review of unusual outcomes, Labcorp OnDemand may flag critical results but avoids offering formal medical guidance, and SiPhox clearly states its service supports wellness only—it does not diagnose conditions.
Green pointed out a gray area: many of these tests involve a physician placing the order, but it’s rarely your own doctor—you’ve likely never spoken with them.
So if affordability and accessibility are clear benefits, the real concern emerges when interpreting complex genomic data without expert help. Caplan stressed that at-home DNA results should not be treated as definitive medical diagnoses. “Claims like ‘we can test for intelligence’ are scientifically unfounded,” he clarified. Most outputs indicate probability or risk levels—not certainty. Even if genes play a role in health, Caplan emphasized that environmental factors—like air quality, safe water, diet, and living conditions—often carry greater influence. Overfocusing on genetics can unfairly shift blame onto individuals: “It frames poor health as your fault because of ‘bad genes,’ which ignores broader societal issues.”
However, Green countered that receiving genetic information isn’t inherently harmful. His studies show minimal lasting psychological distress from learning genetic risks—any upset tends to be short-lived and mild. He advocates broader genomic screening for adults and children, arguing that our healthcare system fails to provide adequate preventive care otherwise.
What to do before ordering a test
Before purchasing any at-home DNA or health test, take time to read details carefully. While these kits—often inexpensive and easy to use—can offer valuable insights, especially for those without insurance or easy access to specialists, they come with trade-offs.
Not every company mishandles your data, but check whether their test has FDA authorization (and what that actually covers), whether their lab meets CLIA or CAP standards, and who interprets your results—and offers follow-up consultation. Also, review privacy policies thoroughly: look for mentions of HIPAA compliance, data sharing with third parties, research use, advertising, de-identified datasets, and law enforcement access. Gage advises searching for terms like “sell,” “partners,” “retention,” “deletion,” and “sample destruction.” Vague language usually means your data may not be as protected as you’d hope.
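Gage's advice to search a policy for specific terms can be turned into a repeatable check. The script below is an added example, not code from the article or from any company it names; the policy excerpt it scans is constructed in the style of a DTC privacy policy and is not quoted from anyone. It splits the text into sentences, groups the terms the article suggests (plus HIPAA) by the question each answers, flags sentences that pair a commitment with a hedge such as “may” or “reserve the right,” and reports the questions the policy never addresses at all, since silence on sample destruction or law enforcement is itself something to notice.

```python
"""Keyword scan of a privacy policy for the terms the article suggests.

Added example, not from the ZDNET article. SAMPLE_POLICY is constructed
text in the style of a DTC privacy policy and is not quoted from any company.
"""
import re

SAMPLE_POLICY = """
We do not sell your personal information. We may share de-identified or aggregated data
with research partners and advertising partners. Samples are retained for the maximum
period permitted by law. You may request deletion of your account; we reserve the right
to decline deletion where a legal basis exists to retain the data. Sample destruction
occurs after processing unless you consent to storage. We may disclose information to
law enforcement when legally compelled.
"""

# Terms grouped by the question each one answers. Substring matches are
# intentional so that "retained" hits "retain" and "advertising" hits "advertis".
WATCH_TERMS = {
    "HIPAA status": ["hipaa"],
    "data sale / sharing": ["sell", "partners", "third part", "affiliates"],
    "research and advertising": ["research", "advertis", "de-identified", "aggregat"],
    "retention and deletion": ["retention", "retain", "deletion", "delete"],
    "sample handling": ["sample destruction", "destroy", "destruction"],
    "law enforcement": ["law enforcement", "subpoena", "court order", "warrant"],
}

# Phrases that usually make a commitment conditional rather than firm.
HEDGES = ["may", "reserve the right", "unless", "permitted by law", "at our discretion"]


def sentences(text):
    """Collapse whitespace and split on sentence-ending punctuation."""
    flat = " ".join(text.split())
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", flat) if s.strip()]


def scan_policy(text, watch_terms=WATCH_TERMS, hedges=HEDGES):
    """Return {category: [(sentence, matched_terms, hedged), ...]}.

    A sentence is listed under every category whose terms it contains;
    'hedged' is True when the sentence also contains a hedge phrase.
    """
    findings = {}
    for sent in sentences(text):
        low = sent.lower()
        hedged = any(h in low for h in hedges)
        for category, terms in watch_terms.items():
            matched = [t for t in terms if t in low]
            if matched:
                findings.setdefault(category, []).append((sent, matched, hedged))
    return findings


def missing_categories(findings, watch_terms=WATCH_TERMS):
    """Questions the policy never addresses, in the order they are defined."""
    return [c for c in watch_terms if c not in findings]


def summarize(text):
    """Compact per-category view: count of sentences and how many are hedged."""
    findings = scan_policy(text)
    return {
        c: {"sentences": len(hits), "hedged": sum(1 for _, _, h in hits if h)}
        for c, hits in findings.items()
    }


if __name__ == "__main__":
    for category, hits in scan_policy(SAMPLE_POLICY).items():
        print(f"== {category}")
        for sent, terms, hedged in hits:
            print(f"  [{'hedged' if hedged else 'firm'}] {terms}: {sent}")
    print("not addressed:", missing_categories(scan_policy(SAMPLE_POLICY)))
```

Run it against the text you copy out of a company's policy page; a category with only hedged sentences, or one missing entirely, is where to ask the company directly before sending a sample.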
So can you trust these tests? Sometimes. Certain products deliver real health value, useful early warnings, and lower-cost access to critical information. But they also collect among the most intimate data imaginable. Weigh what matters most to you—privacy, accuracy, support—and decide accordingly. For me personally, finding one company that met all my standards proved extremely difficult.