Huh, had no idea, thanks for bringing that up. Obvious follow-up question: Say the insurance company is using a third-party that they buy some kind of individual "healthiness/sickness benchmark" from, that just so happens to be heavily derived from on this genetic information, which the health insurer never sees in raw - would that fall under this? Seems like an easy way to skirt this regulation, but i am obv NAL.

This is good, but also leads to the obvious follow up question of how stringently it has and will be enforced. It's also illegal to lose PII and credit info for millions of people but, well, here we are.

Also, parallel construction. Also, data laundering - you drop DNA test data into a business analytics third party, and two data brokers later this arrives at your insurance company as a personal profile "created from data about your shopping habits collected on-line and off-line", or something like this. Don't know for sure if that's actually happening, but I assume it is.

How far removed from genetic data does the data have to be so that insurance companies can use it? Can I start a business that analyzes genetic data for know risk factors and then sell only the risk factors to insurance companies?