People think of HIPAA as a generic cover-all medical privacy law for some reason.
It's not, not even close, It's a law that very narrowly applies mainly to insurance companies and healthcare entities that accept medical insurance.
As a general rule - if insurance is never involved HIPAA doesn't apply.
If you got a DNA test prescribed by your doctor for a diagnosis or even for genetic counseling then HIPAA applies. It's not the nature of the data, it's the nature of the organization dealing with the data.
I have no idea where this mass misunderstanding came from
No, personally identifiable health information can be shared/exchanged without HIPAA applying. For example if I email my grandma information about my cancer diagnosis, Gmail isn't HIPAA compliant and doesn't need to be just because some people might use it to talk about their health. Grandma is also free to share my health information with impunity, she is free to, say, forward it to my boss because grandma doesn't have to abide by HIPAA either because she's a grandma.
The privacy rule only applies covered entities. If a covered entity works with cloud provider, they sign a BAA. The cloud provider is not a covered entity.
It's not, not even close, It's a law that very narrowly applies mainly to insurance companies and healthcare entities that accept medical insurance.
As a general rule - if insurance is never involved HIPAA doesn't apply.
If you got a DNA test prescribed by your doctor for a diagnosis or even for genetic counseling then HIPAA applies. It's not the nature of the data, it's the nature of the organization dealing with the data.
I have no idea where this mass misunderstanding came from