As more Americans sidestep doctors’ offices to order lab tests and genetic screenings online, privacy experts warn that the new trove of sensitive health data could end up in the hands of companies selling certain types of insurance, lenders, employers, or law enforcement.
Patients’ health data are typically protected under the Health Insurance Portability and Accountability Act, or HIPAA. But that federal law only applies to hospitals, physician practices, and other entities involved in coordinating or paying for patient care. The new breed of startups that sell blood panels and genetic tests — typically not covered by health insurance — directly to consumers aren’t always considered medical providers as defined by the law.
“These tests kind of feel like medical tests, but they may not always be covered by HIPAA,” said Anna Wexler, an assistant professor of medical ethics at the University of Pennsylvania who has studied direct-to-consumer health companies’ privacy practices. “Many of these companies do exist outside of the traditional medical environment.”
As more people rush to direct-to-consumer health tests driven by a desire to catch cancer before symptoms emerge or to find out if they are at risk for Alzheimer’s, experts say it’s conceivable that banks and insurers could use any health data they can to mitigate their own risks. That could impact financial products such as loans, life insurance, short-term health insurance used by gig workers and those between jobs, and long-term health insurance that pays for nursing home stays.
“If you don’t agree [to share the data], you don’t get the policy, you don’t get the bank loan, whatever you’re applying toward,” said Mark Rothstein, director of translational bioethics at UC Irvine.
Function Health, for example, which offers over 100 tests for an annual subscription fee of $365, says on its website that it is “not a laboratory or medical provider.” The startup, co-founded by health secretary Robert F. Kennedy Jr. ally Mark Hyman, says it “does not offer medical advice, laboratory services, a diagnosis, medical treatment, or any form of medical opinion, through our services or otherwise.”
If someone’s taken a full-body scan or a genetic risk assessment, for instance, it’s not far-fetched or clearly illegal for an employer conditionally offering a job requiring certain physical traits to “get access to [the test results] and see that their [potential] employee, who they want to hire, is not healthy or has some abnormal scan information,” Wexler said. “Those could be used to make employment decisions.”
Function and other direct-to-consumer health test companies such as Prenuvo and Hims also say in their privacy policies that they’ll share sensitive health records in response to valid requests from law enforcement, like a court-ordered subpoena. (At the time of publication, these companies did not clarify which circumstances would be considered valid and which would be denied.)
While there haven’t been any recent high-profile instances of health data from direct-to-consumer lab tests and screenings leading to discrimination, experts say it’s still early days.
“We simply do not know how these test results could be used in an unintended way that could lead to discrimination,” said Tara Sklar, faculty director of the Health Law and Policy Program at University of Arizona Law.
How at-home tests can drive up insurance
Current laws generally stop basic health plans from ratcheting up premiums or denying coverage based on a person’s medical history or genetic risk assessments, and federal health data privacy laws bar doctors and health plans from sharing medical data outside the health care system without permission. The Genetic Information Nondiscrimination Act also stops basic health plans and employers with more than 15 employees from denying or adjusting coverage based on genetic data.
However, companies selling life insurance, disability insurance, and short- and long-term medical insurance are exempt from those laws, and are allowed to access sensitive health information as part of the policy underwriting process. And these companies are now assessing how they can best use the data from consumer genetic screening and blood tests to better manage their own risk, said Scott Leavitt, president and general agent of Gem State Financial Group, a vendor in Boise, Idaho, that contracts with 45 other insurance companies to sell long-term care, life, and disability insurance.
Recent congressional efforts to roll back parts of the Affordable Care Act could also eliminate or ease privacy protections for health insurance, and as some states push less restrictive privacy laws, people may find their insurance coverage more impacted by the health data they share with consumer companies depending on where they live, legal experts told STAT.
“We don’t know what the future holds,” Leavitt told STAT. The deluge of new health tests means “we’re gonna get more data, which is good. However, that data could also affect you [differently] as the rules change and the states change their laws.”
Legally, individual insurance companies can set their own policies on how heavily consumer health tests impact coverage for certain types of insurance, he added. “Some companies are very proactive. Some are more old school, and just say, ‘We’re going to wait until the law tells us what we can and can’t do.’”
The American Academy of Actuaries told STAT that life insurance companies may have access to at-home testing results, including through databases that testing companies may share with insurance companies with permission from customers. Life insurance companies don’t currently use at-home genetic tests for policy underwriting, but any genetic information mentioned in medical records — which could include discussions customers had with their doctors about commercial test results — could potentially be used, the group said. (That group also emphasized that life insurance underwriting only takes into account data available at the time of application, and that only data that was hidden or misrepresented can change a policy after it’s issued.)
Kelly Loussedes, a senior vice president for public relations for the National Association of Benefits and Insurance Professionals, which represents long-term care insurance professionals, told STAT it was “monitoring the growing use of direct-to-consumer genetic and biomarker testing and encourages a thoughtful approach that prioritizes consumer protections, privacy, and transparency while ensuring coverage decisions remain fair and evidence-based.”
Several other health, disability, and life insurance industry groups STAT reached out to, such as AHIP, which includes some disability, life, and short- and long-term health insurance plans, either didn’t comment on the use of direct-to-consumer tests in specialty insurance, or directed inquiries to individual companies and trade groups for details on their policies. As of publication, most of those other companies and trade groups had not responded to requests for comment, including MetLife, New York Life, Massachusetts Mutual, and Aflac. Prudential Financial declined to comment, and a John Hancock spokesperson said the company “does not require completion of any direct-to-consumer test as a prerequisite of offering any of its products.”
Hims and Prenuvo clarified that they only share data with employers or insurers when authorized by customers.
Newer types of tests further complicate privacy protections.
As companies combine genetic and non-genetic information into proprietary, integrated risk reports and predictions (Function Health, for instance, sells risk reports for heart and brain health, combining blood biomarkers with genetic assessments) “consumer protections become murkier,” because they’re not explicitly outlined in existing data protection laws, meaning enterprising life, disability, or short-term insurers and some employers could potentially make a case for demanding them from the customers, or the companies selling them, Sklar said. While Function said it does not directly share data with third-party insurers, it did not respond to STAT’s request for clarification on privacy protections for risk scores.
“We live in a rapidly changing legal landscape” for health privacy, said Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, a research and privacy advocacy group. Federal court rulings rejecting additional protections for reproductive care data, for instance, already constitute an “attack on health care and health privacy,” she added. In June, the U.S. District Court for the Northern District of Texas declared unlawful some Biden-era HIPAA modifications that would have specifically limited data sharing about reproductive health.
Weighing clinical benefits against risks
In their privacy policies and terms and conditions, Function, Prenuvo, and Hims all say that they are not considered medical providers in all circumstances and therefore not legally “covered entities” under HIPAA — meaning they are not required to comply with the strict data sharing restrictions outlined in that law. (Some of these companies have established their own medical groups that are governed by HIPAA, but the online platforms that customers order from are not legally considered medical providers. Hims also told STAT the company is technically not considered a covered entity because consumers pay for their services using cash rather than health insurance.)
While they also emphasized that they prioritized customers’ privacy, their policies all specified instances in which data may be shared outside the company: Function Health said mental and physical history, clinical notes, biomarkers, genetic data, and other sensitive factors may be shared with corporate affiliates, and via lawful requests from law enforcement or government agencies when appropriate. Hims and Prenuvo had similar policies. (Health plans and traditional medical providers are also allowed to share sensitive data with outside groups in certain circumstances, including some law enforcement requests.)
Taken together with open questions about the validity and accuracy of direct-to-consumer tests — especially risk predictions for conditions like Alzheimer’s or cancer, which often involve proprietary calculations that aren’t clinically validated — genetic counselors and doctors tell STAT they’re advising consumers to weigh the benefits of ordering their own health tests against the potential insurance impact.
Tyler Stokes, a genetic counselor at the University of Maryland Medical Center’s Greenebaum Comprehensive Cancer Center, said she typically informs patients considering services like 23andMe that specialty insurance plans can currently use genetic tests to determine eligibility. “For someone who is healthy, who does not have cancer or does not have this increased, heightened risk, it might be worth taking that into consideration prior to doing a genetic test,” she said.
“Will you be OK if you can’t buy additional life insurance because something is found?” said Carolyn Applegate, a genetic counselor at the Johns Hopkins School of Medicine. “Exactly how far those protections go, and exactly what is and isn’t allowed under different circumstances” hasn’t really “been tested,” she added.
This story is part of a reporting fellowship managed by the Association of Health Care Journalists, with support from The Commonwealth Fund.