23&Me is not subject to HIPAA, unless they are acting as a health care provider, or business associate (not sure but I don't think they are in this context).

Most people misunderstand HIPAA, and think it applies in situations it doesn't. This is not a situation where HIPAA applies.

HIPAA is NOT a privacy law. It's a law that mandates portability of medical data, some details of which overlap with privacy.
"Emerging technologies such as genealogical databases (i.e. 23andme and Ancestry) as well as wearable devices and mHealth apps have created a new risk for data privacy that is not covered by HIPAA. These digital health tools are not covered entities therefore they are not required to protect the data they collect under HIPAA. The Department of Health and Human Services nor the Office of Civil Rights have purview over this data or any breach of the consumer's information. Any complaint regarding a breach of consumer's health data is rejected, as there is no controlling law currently for this type of data. Complaints of this type go to the Federal Trade Commission; however, many consumers are never aware that their information is breached, shared or sold to a third party because there is no breach notification requirement in place."

- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7883355/

So while 23&me is not under HIPAA compliance rules, they are still under the purview of the FTC according to this. Which would mean that the FTC can examine their security posture and determine if it's adequate or what have you. Odds are they will just be slapped with a fine and back to business as usual. Which kind of makes me upset because we are dealing with DNA and ePHI whether they are HIPAA or not.