HIPAA Protections for Online Lab Tests: What You Need to Know

As more Americans sidestep doctors’ ⁣offices⁤ to order lab ⁢tests ‍adn⁢ genetic screenings online,privacy experts warn that the new ⁤trove of ⁢sensitive health ⁤data could end up in the hands of companies selling certain types of insurance,lenders,employers,or law enforcement. 

Patients’ health data are typically protected under the‌ Health Insurance Portability ⁢and Accountability Act,or HIPAA. But that federal law only applies to hospitals, physician practices, and other entities involved in coordinating ⁣or ‍paying for patient care. The new breed of startups that⁤ sell blood panels⁣ and genetic tests ⁣- typically not covered by health insurance – directly ⁢to consumers aren’t always considered medical providers as‍ defined by the law.”these tests kind of feel like medical tests, but they⁢ may not always be covered by HIPAA,” said Anna Wexler, an assistant professor of medical ethics at the ⁤University of Pennsylvania who‌ has ⁣studied direct-to-consumer health companies‘ ⁢privacy practices. “Many of these companies do exist outside of the customary medical ‌environment.”

As more people rush to direct-to-consumer health tests driven by a desire to catch cancer before ​symptoms emerge or to find out if they are at risk for Alzheimer’s, experts say it’s conceivable that banks and insurers could use any ⁣health data they can to mitigate ‌their own risks. That could​ impact financial ‌products ⁢such as loans, life insurance, short-term health‌ insurance used by gig workers and those between jobs, and long-term health insurance ⁣that ⁤pays for nursing ​home⁣ stays.

“If you don’t agree‍ [to share the data], you don’t get‍ the policy, you don’t‌ get the⁣ bank loan, whatever ⁤you’re applying ⁢toward,” ‌said Mark Rothstein, director of translational bioethics at UC Irvine.

Function Health, for example,⁣ which⁣ offers over​ 100 tests for an annual subscription fee ‌of $365, says on its website that it is “not a laboratory or medical provider.” The startup, co-founded by health secretary Robert F. Kennedy Jr. ally Mark Hyman, ​ says it “does not offer medical⁣ advice, laboratory services, a diagnosis, medical treatment, or ⁢any form of‍ medical ​opinion, through​ our services or otherwise,”

If someone’s taken a full-body scan or a​ genetic risk assessment, for instance, it’s not ⁤far-fetched or clearly illegal for ‌an employer conditionally offering⁣ a job ⁣requiring certain physical traits to “get access to [the test results] and see that their [potential] employee, who they want to ⁢hire, is not ‌healthy or has some abnormal ‌scan information,” Wexler ‌said. “those could be used to make employment decisions.”

Function, and other direct-to-consumer health test​ companies such as Prenuvo and hims also say in their privacy policies that they’ll share sensitive health records‌ in response to valid requests from law enforcement ⁤like a court-ordered subpoena. (At the

As companies combine genetic and non-genetic information into proprietary, integrated risk reports and⁣ predictions (Function Health, as an‌ example, sells risk⁣ reports for heart and brain health, combining blood biomarkers⁣ with genetic assessments) “consumer protections become murkier,” because they’re not explicitly outlined in existing data protection laws, meaning enterprising life, disability, ‍or short-term insurers and some employers could potentially make a case for demanding them from the customers, or the companies selling them, Sklar said. While‌ Function​ said it does not directly share data with ‍third-party insurers, ‌it did ‍not respond to STAT’s request for clarification on privacy protections for risk scores.

<

Okay, here’s a breakdown ⁣of the‍ key takeaways‌ from​ the provided text, focusing on the privacy and legal concerns ‌surrounding direct-to-consumer (DTC) health and genetic testing companies like Function, Prenuvo, and Hims:

1. Privacy Concerns & HIPAA Limitations:

* Not Fully Covered by HIPAA: These companies often​ argue they aren’t “covered entities” under HIPAA (Health ‍Insurance Portability and Accountability act) ​because ⁤they don’t always function as traditional‌ medical providers, and sometimes operate ​on a cash-pay basis. This means they aren’t legally required to adhere to HIPAA’s strict⁢ data sharing restrictions.
* ⁤‍ Data Sharing is Possible: ‍ Despite emphasizing privacy, their policies do allow for data sharing in certain situations:
* ​ With corporate affiliates.
* In response to⁣ lawful requests from law enforcement or government agencies.
* Recent Court ​Rulings: Federal court rulings ⁣are weakening reproductive health data protections, and a Texas court blocked biden-era HIPAA modifications aimed at strengthening those protections. This creates a​ broader vulnerability for health ⁣data privacy.

2.⁢ Legal and Regulatory‌ Landscape is Evolving & Uncertain:

* Attacks on Health Privacy: The court rulings are seen as “attacks on health care and health ⁣privacy.”
* ‍ Unclear Protections: The extent of legal protections for genetic information is still being “tested.” It’s unclear‌ how ⁢far those protections go in different circumstances.

3. Potential Insurance Impacts:

* Insurance Eligibility: Genetic test results can ‍be used by some‍ insurance companies (especially specialty plans) to determine eligibility or premiums.
*‍ Life Insurance: Results could potentially affect the ability ⁤to obtain life insurance.
*‍ ⁣ Weighing Risks & Benefits: Genetic counselors are advising patients to carefully⁤ consider the potential⁢ insurance implications before undergoing DTC⁢ genetic testing.

4. Accuracy & Validation of Tests:

* ⁢ Questionable Validity: There are open questions about the accuracy and clinical validation of some DTC tests,⁤ particularly those‌ predicting risks for⁣ complex conditions ⁢like Alzheimer’s or cancer.The calculations used are often proprietary and not fully vetted.

In ‌essence, the article highlights a growing ⁤concern that​ while DTC health​ and genetic testing offers convenience, ⁣it comes with meaningful privacy risks and potential unintended consequences related to insurance and data security, especially as the legal framework surrounding these technologies is still developing.