Yes, genetic testing is regulated in the United States, but the oversight is split across multiple federal agencies, state laws, and different rules depending on the type of test. No single authority controls the entire landscape. A test ordered by your doctor goes through different regulatory channels than a kit you buy online, and the protections around your genetic data vary depending on what kind of insurance company wants to see it.
Three Federal Agencies Share Oversight
The FDA, the Centers for Medicare and Medicaid Services (CMS), and the Federal Trade Commission (FTC) each regulate a different piece of the genetic testing process. The FDA treats genetic tests as a type of medical device, meaning test kit manufacturers need FDA approval before selling their products. CMS regulates the laboratories that actually run clinical genetic tests through a program called CLIA (Clinical Laboratory Improvement Amendments), which was established in 1988. The FTC steps in when companies make false claims about their services or mishandle consumer data.
This division of labor creates a meaningful gap: CMS verifies that a lab can accurately detect what it claims to detect (analytical validity), but there is no federal oversight of the clinical validity of most genetic tests. In other words, regulators check whether the lab correctly identified a genetic variant, but not necessarily whether that variant reliably predicts a health outcome.
What Labs Must Do to Run Genetic Tests
Most molecular genetic tests are classified as moderate or high complexity under CLIA. Labs performing these tests must hold a Certificate of Compliance from CMS or a Certificate of Accreditation from an approved organization. They’re required to establish quality systems covering accuracy, precision, analytical sensitivity, and analytical specificity.
For tests that aren’t FDA-cleared, the lab itself must establish its own performance specifications, including accuracy, precision, the reportable range of results, and reference intervals for normal values. Labs also have the option of evaluating their own testing programs at least twice a year through voluntary proficiency testing or by exchanging samples with other labs. New York State goes further than federal standards, requiring labs to include in their reports an interpretation of findings, the test’s technical limitations, suggestions for additional testing, and recommendations for genetic counselor referral when appropriate.
The Lab-Developed Test Loophole Is Closing
For decades, the FDA chose not to enforce its authority over laboratory-developed tests (LDTs), which are tests designed, manufactured, and used within a single lab rather than sold as commercial kits. This hands-off approach, called “enforcement discretion,” meant that thousands of genetic tests entered clinical use without the same premarket review that commercial test kits undergo.
That changed in May 2024, when the FDA published a final rule phasing out its enforcement discretion over LDTs. The rule took effect in July 2024 and rolls out in five stages over four years. In the first year, labs must begin reporting adverse events and maintaining complaint files. By year two, they need to register their tests and meet labeling requirements. Quality system compliance kicks in at year three. High-risk tests face premarket review requirements at three and a half years, and moderate- and low-risk tests follow at four years. This represents a major shift: labs that previously operated with minimal FDA scrutiny will eventually need to meet the same standards as commercial test manufacturers.
Direct-to-Consumer Tests Have Specific Approvals
If you’ve considered a home DNA kit, the regulatory picture is more defined than you might expect. The FDA has authorized specific direct-to-consumer genetic health risk reports, and 23andMe’s tests account for most of these approvals. The authorized tests cover a defined list of conditions, including carrier screening for Bloom syndrome and risk reports for late-onset Alzheimer’s disease, Parkinson’s disease, celiac disease, hereditary hemochromatosis, and selected BRCA1/BRCA2 variants linked to breast cancer risk. The FDA has also authorized pharmacogenetic reports that tell you how your body may process certain medications based on variants in drug-metabolizing genes.
Each authorization covers only specific genetic variants for specific conditions. A company can’t simply decide to offer a new health risk report without going through the FDA’s review process. The ancestry and trait reports that make up the fun, shareable side of consumer DNA testing operate under a different, less stringent framework than the health-related reports.
Privacy Protection Has a Major Gap
The Genetic Information Nondiscrimination Act (GINA), passed in 2008, provides two core protections. First, health insurers cannot use genetic information to determine eligibility, set premiums, or make coverage decisions. They also cannot require you to take a genetic test. Second, employers cannot use genetic information in hiring, firing, promotions, pay, or job assignments, and they cannot require genetic testing as a condition of employment.
The gap that catches many people off guard: GINA does not cover life insurance, long-term care insurance, or disability insurance. Companies selling these policies can, under federal law, ask about and use your genetic test results. About a dozen states have stepped in to fill this hole. Colorado, Connecticut, Delaware, Kansas, Maine, Minnesota, New Hampshire, New Mexico, New York, Oregon, Vermont, and Wisconsin have all enacted laws covering genetic discrimination in life, disability, and long-term care insurance. Massachusetts covers disability and long-term care. If you live outside these states, your genetic test results could affect your ability to get affordable life or long-term care coverage.
How the FTC Protects Your Genetic Data
The FTC’s role becomes relevant when companies mishandle your DNA data or mislead you about their privacy practices. In 2023, the FTC brought its first case focused on both the privacy and security of genetic information, charging that a company called 1Health.io (formerly Vitagene) left sensitive genetic and health data unsecured, deceived consumers about their ability to delete data, and retroactively changed its privacy policy without properly notifying users who had already submitted samples. The company had prominently advertised “rock-solid security” and claimed it didn’t store DNA results alongside identifying information. The FTC found these promises were not kept.
The resulting order required the company to pay $75,000 in consumer refunds, prohibited sharing health data with third parties without explicit consent, and mandated a comprehensive information security program. While $75,000 is a small penalty, the case put the broader industry on notice that retroactively changing privacy terms for already-collected genetic data violates federal trade law.
Medicare Coverage Creates De Facto Standards
Beyond safety and privacy regulation, Medicare’s coverage decisions shape which genetic tests become standard clinical practice. The MolDX program, run through CMS, requires labs to complete a technical assessment before their tests qualify for Medicare coverage. To pass, a test must include at least the minimum genetic content required for clinical decision-making for its intended use, backed by “definitive or well-established guidelines-based evidence.” Since most clinical labs need Medicare reimbursement to stay viable, this coverage review functions as an additional layer of quality control that goes beyond CLIA’s lab certification requirements.
How the EU Approach Differs
In the European Union, genetic tests fall under the In Vitro Diagnostic Regulation (IVDR), which classifies most cancer and genetic tests as Class C devices. Unlike the historical U.S. approach to lab-developed tests, EU regulations require that all devices above the lowest risk class undergo conformity assessment by a notified body, an independent organization authorized to evaluate compliance. Manufacturers of Class C and D devices must update their documentation at least once per year, and the requirements for clinical evidence and post-market surveillance are more stringent than under the EU’s previous rules. The result is a system where genetic tests face mandatory independent review before reaching the market, a standard the U.S. is now moving toward with its 2024 LDT rule but hasn’t yet fully implemented.