On March 23, 2026, 23andMe updated their privacy policy with several small but notable changes. The company removed a sentence about a separate Medical Record Privacy Notice for Telehealth Services, changed references from '23andMe Research Institute' to simply '23andMe' in the policy's scope statement, and made a minor formatting adjustment to the mailing address. The removal of the Telehealth notice reference is the most significant change, as users who previously relied on that separate notice for their medical information protections may no longer be clearly directed to those protections.
The removal of the Telehealth Medical Record Privacy Notice reference means users who have shared sensitive health and medical data through 23andMe's clinical services are no longer explicitly informed of dedicated protections for that data. This is particularly significant given the sensitivity of genetic and medical information and the heightened legal protections that apply to it.
23andMe removed explicit mention of a separate Medical Record Privacy Notice that previously informed Telehealth users how their medical information would be used, disclosed, and maintained. This means users who have received or plan to receive Telehealth Services through 23andMe are no longer clearly directed to dedicated medical record privacy protections within this policy. You can contact 23andMe's Privacy Administrator at privacy@23andme.com to ask whether a Medical Record Privacy Notice still exists and how your medical data is being handled.
23andMe removed a sentence explicitly referencing a separate Medical Record Privacy Notice for Telehealth Services on March 23, 2026. This touches HIPAA obligations (45 CFR §164.520 — Notice of Privacy Practices) if 23andMe or its clinical partners qualify as covered entities or business associates. The entity name change from '23andMe Research Institute' to '23andMe' in the policy scope may reflect a corporate restructuring that could affect existing DPAs and vendor contracts. Compliance teams with 23andMe in their vendor stack should verify whether the Telehealth Medical Record Privacy Notice still exists independently and whether any HIPAA NPP obligations remain satisfied.
1. HIPAA — 45 CFR §164.520: Covered entities and business associates must provide a Notice of Privacy Practices. The removal of the reference to a separate Medical Record Privacy Notice for Telehealth Services raises the question of whether 23andMe or its licensed healthcare provider partners remain compliant with NPP distribution requirements. If clinical services are still offered, the NPP must still exist and be accessible.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000062.
ConductAtlas Policy Archive
Entity: 23andMe | Document: 23andMe Privacy Statement | Record: CA-C-000062
Captured: 2026-03-23 06:06:18 UTC
URL: https://conductatlas.com/change/2026-03-23-23andme-23andme-privacy-statement-62/
Accessed: April 4, 2026