If you use 23andMe's telehealth services, your medical information is governed by a separate Medical Record Privacy Notice, not this main Privacy Statement.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision operationalizes compliance with HIPAA and state medical privacy laws by creating a distinct governance framework for telehealth-derived medical records, which have different regulatory treatment than genetic or wellness data. This separation acknowledges that medical records created through clinical services operate under heightened privacy standards compared to direct-to-consumer genetic testing data.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for telehealth services. Users who receive telehealth services coordinated through 23andMe may now lack clear notice of which privacy framework governs their medical records, since the reference to that parallel notice has been removed. The organizational scope change from '23andMe Research Institute' to '23andMe' narrows the explicitly named entities responsible for the policy, though operational impact depends on how these entities actually function.
Consumers using telehealth services through 23andMe should review the separate Medical Record Privacy Notice to understand how their medical data is handled, as the main privacy policy does not fully govern that data. Failure to review both documents may leave consumers unaware of key rights.
How other platforms handle this
Information You Provide may include sensitive personal information, as defined under applicable state privacy laws. We process such information in accordance with applicable law, such as to provide the Services and other permitted purposes under state privacy laws, like the California Consumer Priva...
Depending on where you live, you may have certain rights regarding your personal information. These rights may include the right to know what personal information we have collected about you, the right to delete your personal information, the right to correct inaccurate personal information, the rig...
Depending on where you live, you may have certain rights regarding your personal information, including: the right to know what personal information we have collected about you; the right to delete personal information we have collected from you; the right to correct inaccurate personal information;...
Monitoring
23andMe has changed this document before.
The bifurcated privacy framework — with a separate Medical Record Privacy Notice for telehealth — may implicate HIPAA Privacy Rule requirements for covered entities or business associates, and compliance teams should verify whether the telehealth provider relationship creates BAA obligations.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.