Geneology testing and HIPAA

Genealogy testing companies, which offer DNA testing services for ancestry and genealogical purposes, are not considered to be covered entities under HIPAA. There are, however, instances where a covered entity may make use of genealogy testing, which requires considerations relating to HIPAA requirements. 

Related: How to know if you're a covered entity

What is genealogy testing?

Genealogy testing, also known as DNA testing for ancestry or genealogical DNA testing, is a process that uses a person's DNA to trace their family heritage and uncover their genetic ancestry. This type of testing analyzes specific markers in an individual's DNA to provide insights into their ethnic origins and familial relationships. The tests are based on the fact that certain portions of our DNA are inherited from our ancestors and passed down through generations. There are different types of genealogy tests, including

1. Y-DNA testing: This test examines specific markers on the Y-chromosome, which is only passed from fathers to sons. It is primarily used to explore direct paternal lineages and trace one's father's paternal ancestry.
2. Mitochondrial DNA testing: This test analyzes the maternally inherited mitochondrial DNA. It traces the direct maternal lineage, allowing individuals to explore their mother's maternal ancestry.
3. Autosomal DNA testing: This test analyzes the DNA inherited from both parents and provides a broader picture of one's genetic ancestry. It can reveal information about ethnic admixture and distant relatives from all branches of the family tree.

What happens when a covered entity makes use of genealogy testing?

If a covered entity, such as a healthcare provider or health plan, decides to use genealogy testing for a patient, it could raise several ethical, legal, and privacy considerations. Note that genealogy testing for medical purposes, when used for diagnosing and treating medical conditions, differs from traditional genetic testing.

Genealogy testing is typically not considered medically necessary to diagnose or treat a patient's medical condition. Therefore, a covered entity would need a legitimate medical reason to justify genealogy testing. Beyond that, if the covered entity shares the patient's genetic data with a third-party genealogy testing company, they must disclose this information to the patient and obtain explicit consent for sharing the data.

The covered entity must adhere to all applicable laws and regulations governing the use of genetic information, such as the Genetic Information Nondiscrimination Act (GINA) in the United States, which protects individuals from genetic discrimination by health insurers and employers.

Protecting protected health information (PHI) when using genealogy testing

1. Choose reputable companies: If you're an individual seeking genealogy testing, research and select reputable genealogy testing companies that have strong privacy policies and security measures in place. Look for companies that are transparent about how they handle and protect genetic data.
2. Informed consent: If you're a healthcare organization or covered entity using genealogy testing for a patient, obtain informed consent from the individual before proceeding with the testing. Ensure the patient understands the purpose of the test, the potential implications, and the privacy risks involved.
3. Data encryption: Ensure that all genetic data, both at rest and during transmission, is encrypted to protect it from unauthorized access or interception.
4. Data de-identification: Whenever possible, de-identify genetic data to remove personally identifiable information (PII) from the results. This can add an extra layer of privacy protection.
5. Secure data storage: Store genetic data securely in a protected environment with measures in place to prevent data breaches and unauthorized access.\
6. Data retention policies: Establish data retention policies and only retain genetic data for as long as necessary to fulfill the intended purpose of the testing.
7. Transparent communication: Maintain secure communication with individuals whose genetic data is being tested, informing them how their data will be used and shared. Always make use of encrypted communication such as HIPAA compliant email. 

See also: What is the OCR (Office for Civil Rights)?