On April 19, 2026, 23andMe updated their Privacy Statement to clarify that it applies to '23andMe Research Institute' rather than just '23andMe,' and added a notice that users who choose Telehealth Services have a separate Medical Record Privacy Notice governing their medical information. A minor formatting correction was also made to the mailing address. These changes mean that if you use 23andMe's telehealth features, there is now an additional privacy document you should be aware of that covers how your medical records are handled.
If you use 23andMe's Telehealth Services, a separate privacy document now governs how your medical records are used and disclosed — and you should read it. The entity name change to '23andMe Research Institute' may also affect how your data rights are enforced contractually.
If you use 23andMe's Telehealth Services, your medical information is now governed by a separate Medical Record Privacy Notice — not just the main Privacy Statement — which affects how your sensitive health data is used and disclosed. The company also formally rebranded the operating entity to '23andMe Research Institute' in the policy scope. You can seek out and review the separate Medical Record Privacy Notice on 23andMe's website if you use or plan to use their Telehealth Services.
23andMe updated its Privacy Statement on April 19, 2026 with three notable changes: (1) the policy scope was updated to reference '23andMe Research Institute' as the operating entity; (2) a new sentence was added disclosing that Telehealth Services users are subject to a separate Medical Record Privacy Notice; and (3) a minor address punctuation fix was made. The addition of a Telehealth-specific Medical Record Privacy Notice implicates HIPAA Notice of Privacy Practices requirements (45 CFR §164.520) and state health privacy laws. Compliance teams should confirm the referenced Medical Record Privacy Notice exists, is accessible, and meets all applicable disclosure standards. Action is required if your organization handles 23andMe data or offers Telehealth integrations.
1. HIPAA Notice of Privacy Practices (45 CFR §164.520): The reference to a separate Medical Record Privacy Notice for Telehealth Services suggests 23andMe or its licensed healthcare provider partners may qualify as covered entities or business associates. The Notice of Privacy Practices must meet specific content requirements under 45 CFR §164.520(b).
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000528.
ConductAtlas Policy Archive Entity: 23andMe | Document: 23andMe Privacy Statement | Record: CA-C-000528 Captured: 2026-04-19 06:10:20 UTC URL: https://conductatlas.com/change/2026-04-19-23andme-23andme-privacy-statement-528/ Accessed: April 22, 2026
On April 19, 2026, 23andMe updated its Terms of Service to narrow its geographic scope so that this version now …
On March 23, 2026, 23andMe updated their privacy policy with several small but notable changes. The company removed a sentence …
23andMe updated their Terms of Service on March 23, 2026, changing which users these terms apply to. The previous version …
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…
Subscribe to Watcher for $9.99/mo to get email alerts the moment 23andMe updates their policies. Or try Professional free for 14 days.