Which regulatory agencies enforce this type of clause?

{'agency': 'HHS_OCR', 'reason': "HHS OCR enforces HIPAA Privacy and Security Rules applicable to 23andMe's telehealth service and any protected health information generated through clinical services coordinated through the platform.", 'complaint_url': 'https://www.hhs.gov/ocr/complaints/index.html'}

What is the severity of this clause?

ConductAtlas classifies this Telehealth and Medical Record Privacy Notice clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Telehealth and Medical Record Privacy Notice — 23andMe

Share 𝕏 Share in Share 🔒 PDF

What it is

If you use 23andMe's telehealth service, a completely separate privacy document — not this one — governs your medical records and clinical health information.

Consumer impact (what this means for users)

Users of 23andMe's telehealth services have their clinical medical information governed by a separate privacy notice that may include HIPAA-protected health information, creating a two-track privacy regime where the protections and data uses differ materially between the genetic testing service and the healthcare service. Consumers using both services should read both documents carefully.

Cross-platform context

See how other platforms handle Telehealth and Medical Record Privacy Notice and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Medical information collected through 23andMe's telehealth service is subject to different (and likely HIPAA-governed) rules than your genetic testing data, and failing to read the separate Medical Record Privacy Notice could mean missing critical protections or limitations.

View original clause language

Should you choose to receive Telehealth Services coordinated through 23andMe, with clinical services provided through licensed healthcare providers, there is a separate Medical Record Privacy Notice that describes how your medical information is used, disclosed, and maintained.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: The Telehealth service and associated Medical Record Privacy Notice likely engages HIPAA Privacy Rule (45 CFR Part 164) and the HIPAA Security Rule (45 CFR Part 164.300 et seq.), enforced by HHS Office for Civil Rights (OCR). The 21st Century Cures Act information blocking rules (45 CFR Part 171) may also apply to electronic health records generated through telehealth. State telehealth and medical privacy laws may impose additional requirements.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

Hhs Ocr

HHS OCR enforces HIPAA Privacy and Security Rules applicable to 23andMe's telehealth service and any protected health information generated through clinical services coordinated through the platform.
File a complaint →

Provision details

Document information

Document

23andMe Privacy Statement

Entity

23andMe

Document last updated

April 29, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003469

Document ID

CA-D-00148

Evidence Provenance

Source URL

https://www.23andme.com/legal/privacy/

Wayback Machine

View archived versions →

SHA-256

dc3df5a6c7d5e8a0428d5086d3cf2f15f5072911b18402048166183c31b60dd4

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: 23andMe | Document: 23andMe Privacy Statement | Record: CA-P-003469
Captured: 2026-04-27 13:30:15 UTC | SHA-256: dc3df5a6c7d5e8a0…
URL: https://conductatlas.com/platform/23andme/23andme-privacy-statement/telehealth-and-medical-record-privacy-notice/
Accessed: May 2, 2026

Classification

Severity

Medium

Telehealth and Medical Record Privacy Notice