The advent of 23andMe, ancestryDNA, and other direct-to-consumer genetic testing products permits patients, from the comfort of their own homes and personal computers, to identify and assess their unique risk of developing disease. For less than $200, these genetic testing companies claim to provide health insights. For example, 23andMe offers consumers "genetic health risk reports" that detect variants related to late-onset Alzheimer's disease, Parkinson's disease, alpha-1 antitrypsin deficiency, celiac disease, hereditary hemochromatosis, hereditary thrombophilia, and age-related macular degeneration. In March of 2018, the FDA authorized 23andMe to market its Personal Genome Service Genetic Health Risk Report for BRCA1/BRCA2 (Selected Variants).

According to the FDA, the test is the first direct-to-consumer FDA-approved test to report on three specific BRCA1 and BRCA2 breast cancer gene mutations. In its approval, the FDA clarified that the test only detects three out of more than 1,000 known BRCA mutations, meaning that a negative BRCA mutation result from 23andMe does not rule out the chance that consumers have a BRCA mutation.

Previously, genetic testing was made available only through the recommendation of a healthcare provider, and a healthcare provider was required to interpret the test results before passing them on to the individual. However, the FDA's approval of 23andMe BRCA testing allows consumers to order and perform genetic tests without needing to interact with a healthcare professional, indicating the potential expansion of genetic testing services to other applications and raising concerns about consent, privacy, and confidentiality.

The month after the FDA approved 23andMe's BRCA mutation testing, investigators in California utilized genetic data submitted through an online ancestry website to identify the Golden State Killer. According to reports, the detective's use of DNA had previously led to the wrong suspect. The use of genetic data for law enforcement purposes raises concerns about the privacy and confidentiality of genetic data submitted to websites like 23andMe. Patients may be surprised that current HIPAA regulations do not apply to companies that are not "covered entities" (health plans, health care clearinghouses, and most health care providers) or "business associates." If de-identified data is used for research or other purposes, HIPAA does not apply to that information, either, so long as it cannot be traced back to the original patient. See 45 C.F.R. §§ 164.502(d)(2), 164.514(a) and (b). Further, there is no general legal prohibition on re-identification of individuals from their genetic data.

A spokeswoman for FamilyTreeDNA.com, which operates the website used by police to identify the Golden State Killer, reported that they had not been contacted by law enforcement to consent to the use of genetic data for such purposes. Company officials stated that "[w]hile [they] take ... customers' privacy and confidentiality extremely seriously, [they] support ethically and legally justified uses of groundbreaking advancements of scientific research in genetics and genealogy."
