Legal & Compliance
Genetic test result disclosures in therapy sessions, GINA, and the cloud AI scribe vendor archive: when HIPAA's reach meets GINA's gaps
Clients increasingly process life-altering genetic information inside therapy: BRCA hereditary cancer risk findings, Huntington's disease CAG repeat results, Lynch syndrome diagnoses, pharmacogenomic panel interpretations. When a therapist uses a cloud AI scribe to document those sessions, the vendor archive becomes a genetic information record subject to not only HIPAA but also the Genetic Information Nondiscrimination Act — a separate federal statute with its own protective framework and, critically, explicit coverage exclusions for life insurance, disability insurance, and long-term care insurance that HIPAA does not fill.
The genetic test result in the therapy transcript
Therapy has always been where clients process life-altering news — diagnoses, prognoses, losses, existential reckonings. In 2026, that category increasingly includes genetic test results. A client who received a positive BRCA1 result after a preventive genetic counseling referral may spend three or four consecutive therapy sessions processing the decision architecture she now faces: prophylactic bilateral mastectomy, oophorectomy timing, whether to tell her daughters, how to think about her risk profile versus her quality of life. A client who received a positive pre-symptomatic Huntington's disease result — knowing they will develop a fatal neurodegenerative disorder at an uncertain point in the future — may use therapy as the primary space in which they integrate this knowledge into a life that still has to be lived. A client whose psychiatrist ordered a pharmacogenomic panel (GeneSight, OneOme, or similar) and received a report indicating that a CYP2D6 poor metabolizer phenotype explains years of failed antidepressant trials may spend sessions processing both the clinical implications and the meaning of having carried unexplained treatment resistance for a decade.
These are not incidental disclosures. They are sustained, substantive, clinically significant conversations about the client's genetic status, hereditary risk, and the implications of that risk for the client's medical decisions, reproductive choices, family relationships, and life planning. When a cloud AI scribe captures these sessions, the vendor archive contains not only the client's mental health PHI but also a detailed, verbatim transcript of their genetic test results, genetic risk factors, familial mutation status, and family pedigree context. For the foundational analysis of what cloud AI scribes capture and retain at the vendor level, see our analysis of what cloud AI scribes actually send to vendor servers.
This post analyzes what makes genetic information in the therapy session transcript structurally distinct from other categories of PHI: the parallel framework of the Genetic Information Nondiscrimination Act, the specific coverage gaps that GINA's architecture creates, the family implication problem, and the five adversarial proceedings that reach the vendor archive specifically because genetic information triggers regulatory and legal pathways that general PHI does not.
HIPAA and GINA: two statutes, one vendor archive, different coverage boundaries
HIPAA treats genetic information as a subcategory of protected health information. The HITECH Act's amendments and HHS regulations implementing certain GINA provisions clarified that genetic information may not be used by health plans as a basis for adverse benefit determinations and that genetic information in electronic records is subject to HIPAA's security rule requirements. The cloud AI scribe vendor holds the session transcript containing genetic test result disclosures as PHI subject to the vendor's business associate agreement. The BAA restricts what the vendor can do with the data. HIPAA's minimum necessary standard, breach notification requirements, and security rule apply. For the foundational analysis of what a BAA does and does not cover, see our analysis of what a BAA actually covers and what it does not.
The Genetic Information Nondiscrimination Act of 2008 operates separately. GINA has two titles with different coverage. GINA Title I prohibits health insurance issuers from using genetic information in underwriting — setting premiums, determining eligibility, or requiring genetic testing as a condition of coverage. GINA Title I applies to group health plans, health insurance issuers in individual markets, and Medicare supplement insurers. GINA Title II prohibits covered employers, employment agencies, labor organizations, and training programs from using genetic information in employment decisions — hiring, firing, pay, job assignments, promotions, or any other term of employment.
GINA's critical exclusion, stated explicitly in the statute, is that GINA Title I does not apply to life insurance, disability insurance, or long-term care insurance. Life insurers, disability insurers, and long-term care insurers are not prohibited by federal law from using genetic information in underwriting decisions. A life insurer that obtains a client's BRCA1 positive status — through any lawful or unlawful pathway — is not restricted by GINA from using that information to deny coverage, increase premiums, or exclude hereditary cancer conditions from coverage. Some states have enacted genetic privacy laws that extend protections to these insurance categories, but state coverage is inconsistent and the federal floor does not exist for these products.
The intersection of these two statutes around the cloud AI scribe vendor archive creates a specific pattern of coverage and exposure. HIPAA covers the data as PHI and restricts the vendor's disclosures. But if the vendor's archive is accessed through a breach, a third-party aggregator relationship, an improper disclosure, or a legal process exception, the genetic information it contains flows into downstream contexts where GINA's framework applies — but only to some of those downstream contexts and not to life, disability, or long-term care insurance underwriting.
The family implication problem: non-consenting relatives in the vendor archive
Genetic information has a property that no other category of PHI shares: it is simultaneously personal and familial. A client's BRCA1 pathogenic variant is not only information about the client — it is information about all of the client's biological relatives who share the maternal or paternal line from which the variant descends. By Mendelian inheritance, approximately half of first-degree relatives (parents, siblings, children) carry the same variant. A client who discloses their BRCA1 positive status in a therapy session also reveals, by necessary implication, the genetic risk status of family members who are not parties to the therapeutic relationship and who have not entered any relationship — informed consent, BAA, or otherwise — with the cloud AI scribe vendor.
Therapy sessions about genetic test results typically include extensive family pedigree content. A client processing a BRCA1 positive result will discuss which relatives were also tested, which tested positive, which declined testing, which had cancer diagnoses consistent with the hereditary risk pattern, and which are deciding whether to pursue prophylactic interventions. A client processing a Huntington's disease positive result will discuss which parent or grandparent died of the disease, which siblings chose to test and what their results were, and whether their own children are considering pre-symptomatic testing. All of this content enters the cloud AI scribe vendor archive as verbatim session transcript.
The relatives whose genetic status and testing decisions are described in these sessions are not clients. They have no HIPAA relationship with the therapist and no BAA relationship with the vendor. The vendor's business associate agreement covers the client's PHI — but the family members' genetic information, embedded in the client's session transcript, is present in the vendor archive as a factual matter regardless of those relatives' consent or awareness. This family implication creates adversarial exposure for relatives who never knew their genetic status was in a cloud vendor's business record system, because legal proceedings about the client's genetic information may produce the vendor archive in discovery — and the archive contains the relatives' status as well.
Five adversarial proceedings that reach the vendor archive specifically because of genetic information
1. GINA Title II employment discrimination claim: the vendor archive as evidence of what genetic information was accessible
GINA Title II prohibits employers from obtaining or using genetic information about employees or their family members. When an employer is alleged to have discriminated against an employee based on genetic information, the central factual dispute in both the EEOC investigation and any resulting civil litigation is: how did the employer obtain the genetic information, and what information specifically was obtained? A cloud AI scribe vendor holding therapy session transcripts that include the employee's genetic test result disclosures is a potential source of that answer.
EEOC investigations under GINA Title II proceed with compulsory process authority — the EEOC can issue subpoenas to obtain records relevant to the investigation. In civil litigation following an EEOC right-to-sue letter, Rule 45 civil subpoenas reach third-party business record custodians including cloud vendors. The HIPAA judicial proceedings exception at 45 CFR § 164.512(e) authorizes disclosure in response to court orders and qualifying subpoenas with appropriate assurances. If the investigation or litigation theory is that the employer accessed the employee's genetic information through a vendor breach, a data aggregation relationship, or a reference to genetic status in records the employer obtained through other discovery — the vendor archive of therapy sessions is potentially material to establishing what genetic information existed in identifiable, accessible form and when.
The adversarial dynamic operates in multiple directions. The employee's counsel may seek the vendor archive to document the specificity and timing of the disclosed genetic information as evidence supporting the discrimination claim. The employer's counsel may seek the vendor archive to characterize exactly what genetic information is at issue and to understand the full scope of what was potentially accessible. The vendor archive that contains a year of therapy session transcripts discussing the employee's genetic test results in detail is a more complete record of the employee's genetic status than any formal genetic test report — because the session transcript captures not only the result but the client's interpretation, family history, risk calculations, and planned medical decisions.
2. Life and disability insurance adverse underwriting: the coverage gap that GINA expressly leaves open
The life insurance gap in GINA is not an oversight or an ambiguity — it is a deliberate structural choice reflected in the statute's text. Congress explicitly carved out life insurance, disability insurance, and long-term care insurance from GINA Title I's underwriting prohibitions. The rationale was that these insurance products involve actuarial risk assessment that differs from health insurance, and that extending GINA to these products would require a different legislative framework. The result is that a life insurer who lawfully or unlawfully obtains a client's BRCA1 positive status faces no GINA prohibition on using that information in underwriting decisions at the federal level.
The pathway from the cloud AI scribe vendor archive to a life insurer is not necessarily an authorized disclosure. HIPAA's breach notification and security rules are designed to prevent unauthorized access. But the data loss landscape in 2026 involves cloud vendor breaches reaching data aggregation intermediaries, reidentification of de-identified datasets, and third-party data broker accumulation of health-adjacent information from multiple sources. A client who disclosed their BRCA1 status across multiple therapy sessions, whose therapist used a cloud AI scribe vendor with an unfavorable breach history or whose session transcripts were aggregated through a sub-BAA relationship, faces an exposure pathway to life insurance underwriting that GINA cannot close.
The practical significance: a client who applies for a substantial life insurance policy after receiving a positive BRCA1 result, who had therapy sessions about that result documented by a cloud AI scribe, is in a position where the cloud AI scribe vendor archive is a point of concentrated exposure to the specific risk that GINA's life insurance gap creates. Our analysis of disability insurance and therapy records addresses the disability insurance landscape in adversarial proceedings more broadly — but the genetic information dimension adds a statutory gap that does not apply to general mental health disclosures in disability insurance contexts.
3. Family law, estate, and probate proceedings using family pedigree content to establish non-consenting relatives' genetic status
Family law proceedings — divorce, custody, guardianship, estate disputes, paternity actions, and inheritance contests — increasingly involve genetic information as material evidence. When a client has processed genetic test results extensively in therapy and that therapy was documented by a cloud AI scribe, the vendor archive contains a detailed record of the client's family pedigree: which relatives carry hereditary mutations, which relatives have developed disease, which relatives' estate or inheritance may be affected by hereditary conditions, and which reproductive decisions the client made based on genetic risk.
In estate and probate proceedings, hereditary conditions affecting cognitive capacity are directly material to will validity and capacity determinations. A deceased client who carried a BRCA1 mutation may have a contested estate where family members allege undue influence or impaired capacity during the period when the will was executed. The cloud AI scribe vendor archive of that client's therapy sessions — if the sessions occurred during the contested period — may contain contemporaneous evidence of the client's decision-making capacity and the family dynamics around genetic risk that is more granular than formal medical records. For the analysis of how guardianship and conservatorship proceedings reach therapy records, see our analysis of guardianship, conservatorship, and capacity evidence in therapy records.
The family implication problem intensifies in this context. A sibling of the deceased who is contesting the estate, or a child of the deceased who is asserting a genetic condition affected their parent's capacity, may obtain the deceased client's therapy session vendor archive through estate discovery — and that archive contains the vendor's transcript of every session in which the client discussed their relatives' genetic status, testing decisions, and disease trajectories. Relatives whose genetic status was discussed in those sessions have not authorized this use of their health information.
4. State genetic privacy enforcement: where stricter statutes create private rights of action the federal framework does not provide
Several states have enacted genetic privacy statutes that are materially stricter than GINA and HIPAA. California's Confidentiality of Medical Information Act (CMIA) includes specific provisions for genetic test results that extend beyond HIPAA's general PHI framework. New York, Florida, Illinois, and other states have genetic privacy statutes with varying approaches to what constitutes prohibited genetic information disclosure, who has enforcement authority, and whether private individuals have a right of action for violations. Our analysis of state mental health privacy laws covers the broader landscape of state law protections that supplement or exceed HIPAA; genetic information provisions add another layer of that analysis.
A cloud AI scribe vendor data breach that exposes therapy session transcripts containing genetic test result disclosures may trigger both HIPAA breach notification requirements and state genetic privacy statute enforcement pathways that operate independently. In states with private rights of action under genetic privacy statutes, affected clients may have claims against the vendor that proceed under state law — claims with damages structures, discovery rights, and fee-shifting provisions that differ from HIPAA's enforcement framework. A therapy client in California whose BRCA1 positive status was disclosed in a vendor breach has potential claims under CMIA's genetic information provisions that exist independently of any federal HIPAA breach notification process.
State AG enforcement of genetic privacy statutes can also reach the cloud AI scribe vendor directly, as a business that collected and maintained genetic information about California or New York residents. The vendor's position as a business associate of the therapist does not insulate it from state law enforcement authority when state genetic privacy statutes impose independent obligations on data custodians holding genetic information.
5. Guardianship and conservatorship capacity proceedings for clients with hereditary neurodegenerative conditions
Clients who have received positive pre-symptomatic results for hereditary neurodegenerative conditions — Huntington's disease, early-onset familial Alzheimer's disease (PSEN1/PSEN2 variants), or hereditary frontotemporal dementia — commonly use therapy during the pre-symptomatic window to process their diagnosis and plan for the future while they retain full cognitive capacity. This pre-symptomatic period may last years or decades. The therapy sessions during this period contain uniquely valuable contemporaneous evidence of the client's decision-making capacity, autonomous preferences, and expressed wishes about healthcare, finances, and personal care — evidence that becomes significant when the client later loses capacity and guardianship or conservatorship proceedings commence.
Guardianship proceedings require courts to assess both the respondent's current capacity and, often, their prior expressed wishes for purposes of substituted judgment. The cloud AI scribe vendor archive of a client's therapy sessions during the pre-symptomatic period of a hereditary neurodegenerative condition may be the most contemporaneous, verbatim record of that client's autonomous decision-making available anywhere — more granular than formal advance directives, more contextually rich than healthcare proxy documents, and more temporally specific than evaluating physicians' retrospective accounts. For the analysis of how guardianship and conservatorship proceedings access therapy records, see our analysis of capacity evidence and therapy records in guardianship proceedings.
The parties in a contested guardianship proceeding may include the proposed ward's family members who disagree about care decisions, a professional guardian seeking appointment, an ombudsman or public guardian representing the ward's interests, and potentially the ward themselves with counsel. Any of these parties may issue process to the cloud AI scribe vendor to obtain the session archive containing the client's pre-symptomatic therapy discussions — which includes not only the client's expressed preferences but also detailed genetic information about the hereditary condition: CAG repeat count, penetrance considerations, expected disease trajectory, what the client understood about their prognosis. This information enters the guardianship record from the vendor archive, potentially made accessible to parties the client did not intend to receive it, through the same judicial proceedings exception that authorizes disclosure of any PHI in court proceedings. For the foundational analysis of subpoena authority reaching AI scribe vendors, see our analysis of whether an AI therapy note can be subpoenaed.
On-device processing and the genetic information risk it eliminates
On-device AI scribe processing eliminates the cloud AI scribe vendor archive as a separately reachable record set. When a therapist uses an on-device AI scribe — session audio transcribed and session note drafted entirely on a local device with no transmission to commercial cloud infrastructure — the vendor archive containing the genetic test result disclosures does not exist. The five adversarial proceedings described above reach the vendor archive specifically because the vendor holds the genetic information as an independently maintained commercial business record. When the vendor holds nothing, those proceedings find no responsive records at the vendor.
What remains is the therapist's formally written session note — the document the therapist prepared and maintains in their own records system. That note reflects the therapist's professional judgment about what level of genetic detail serves the clinical record. A therapist documenting a session about a client's BRCA1 positive result might write that the client processed significant emotional distress about hereditary cancer risk and explored decision-making frameworks for prophylactic interventions, without transcribing the specific variant designation, the numeric risk percentages the client cited, the names of relatives who tested positive, or the client's sister's decision about whether to test. The cloud AI scribe vendor's verbatim archive of the same session contains all of those specifics — the genetic nomenclature, the family members' names and genetic status, the pedigree that reveals the hereditary line — in the vendor's separately maintained business records.
The GINA life insurance gap is inoperative when no vendor archive exists. A life insurer who might use genetic information obtained through a vendor breach or aggregation pathway cannot obtain what the vendor does not hold. The family implication problem does not reach third-party legal proceedings through vendor discovery when the vendor archive is absent. State genetic privacy enforcement actions against cloud vendors cannot proceed when there is no vendor holding the genetic information. The guardianship proceeding seeking contemporaneous capacity evidence from a vendor archive finds a vendor with no responsive records.
The therapist's own record — their formally written, deliberately composed session notes — remains available for legitimate legal process directed at the therapist or the therapist's records system. That process involves the therapist directly, where the therapist has counsel, receives notice, and can evaluate HIPAA exceptions, state privilege claims, and court-ordered disclosure in a deliberate way. The separately held vendor archive, which the therapist cannot supervise or control once it exists in commercial cloud infrastructure, creates a second pathway to the client's genetic information that the on-device architecture closes by design.
Practical considerations for therapists whose clients process genetic test results in session
HIPAA is necessary but not sufficient for genetic information. The BAA a therapist signs with a cloud AI scribe vendor addresses HIPAA's requirements for PHI. It does not address the GINA life insurance gap, the family implication problem, state genetic privacy statutes with independent enforcement authority, or the downstream consequences for non-consenting relatives whose genetic status is embedded in the session transcript. A therapist who has verified their vendor's HIPAA compliance has satisfied one necessary condition for genetic information protection — not all of the conditions that matter.
The family implication problem is structurally different from other PHI disclosures. When a client discloses their own mental health history, substance use, or trauma, that disclosure is about the client. When a client discloses that their mother carries BRCA1, or that their brother tested positive for HD, or that their father died of early-onset Alzheimer's disease, those disclosures contain genetic health information about people who are not the client, who have not consented to the therapeutic or vendor relationship, and who cannot exercise HIPAA rights with respect to the vendor holding their genetic information as embedded content in the client's session transcript.
Documentation practices for genetic disclosures warrant deliberate professional judgment. A therapist who uses an on-device AI scribe and writes their own formal session notes retains professional control over what genetic detail enters the clinical record. A therapist who uses a cloud AI scribe produces a verbatim archive that is as specific as the session itself. For sessions in which clients process detailed genetic test results, pharmacogenomic panels, or hereditary risk profiles, the gap between a professionally composed note and a verbatim vendor transcript is a gap in the level of genetic information deposited into commercial business records reachable through the adversarial proceedings described above.
The GINA life insurance gap is not hypothetical for clients making major financial decisions during the processing period. A client who received a positive BRCA1 result and is considering prophylactic surgery may simultaneously be in a life stage where life insurance is a significant financial planning consideration — covering a mortgage, a young family, or an estate plan. The period during which they are processing the genetic result in therapy is the same period during which the cloud AI scribe vendor archive is being populated with the most detailed record of their genetic status. The intersection of those two facts — a client in active financial life planning and an active genetic disclosure archive — is the specific context in which the GINA life insurance gap carries operational significance.
Frequently asked questions
Does GINA protect genetic information disclosed during therapy sessions from life insurance companies?
No. GINA Title I's prohibition on using genetic information in insurance underwriting explicitly excludes life insurance, disability insurance, and long-term care insurance. GINA applies only to health insurance issuers. If genetic test results disclosed in a therapy session enter a cloud AI scribe vendor archive and that archive is accessed through a breach, aggregator, or improper disclosure pathway, GINA does not prohibit a life insurer from using that genetic information in underwriting decisions. Some states extend genetic privacy protections to these insurance categories, but state coverage is inconsistent and the federal floor does not exist for life, disability, and long-term care insurance products.
Is genetic information in a therapy session transcript treated differently than other PHI under HIPAA?
HIPAA treats genetic information as a category of PHI and includes certain GINA-adjacent provisions that restrict health plans from using genetic information for adverse benefit determinations. However, HIPAA's treatment of genetic information as PHI does not replicate GINA's employment discrimination protections, does not extend to the life insurance gap, and does not address the family implication problem — the fact that a client's genetic test result inherently reveals genetic information about biological relatives who are not parties to the therapeutic relationship and have not consented to the vendor relationship. HIPAA covers the data as the client's PHI; GINA covers specific discriminatory uses; the two statutes protect overlapping but distinct risks.
Can a cloud AI scribe vendor archive be subpoenaed in a GINA employment discrimination proceeding?
Yes, through EEOC investigation compulsory process and Rule 45 civil subpoena in federal court GINA Title II proceedings. If an employer is alleged to have obtained genetic information about an employee, the EEOC investigation or resulting civil litigation will seek to establish what genetic information was accessible and through what pathway. A cloud AI scribe vendor holding therapy session transcripts that include the employee's genetic test result disclosures is a third-party business record custodian reachable through compulsory process. HIPAA's judicial proceedings exception at 45 CFR § 164.512(e) authorizes disclosure in civil proceedings in response to court orders and qualifying subpoenas with appropriate assurances.
Does genetic information disclosed in therapy create privacy risks for the client's biological relatives?
Yes. Genetic information about the client inherently reveals genetic information about biological relatives. A BRCA1 pathogenic variant in the client means that approximately half of the client's first-degree biological relatives carry the same variant. A Huntington's disease CAG repeat count reveals the familial line. The therapy session transcript in the cloud AI scribe vendor archive captures not only the client's own genetic test result but also any family pedigree discussion — which relatives were tested, which tested positive or negative, which declined testing. Relatives who are not parties to the therapeutic relationship have no direct legal relationship with the vendor, but their genetic status is present in the vendor archive as embedded content in the client's session transcript.
Does on-device AI scribe processing eliminate the genetic information risk created by cloud AI scribe vendor archives?
Yes, for the vendor archive portion. When a therapist uses an on-device AI scribe — session audio transcribed and session note drafted entirely on a local device with no transmission to cloud infrastructure — the vendor archive does not exist. GINA Title II proceedings seeking the source of an employer's access to genetic information, life insurance underwriting using genetic information from vendor breaches or aggregators, family law proceedings seeking family pedigree content from session transcripts, state genetic privacy enforcement actions, and guardianship proceedings requiring contemporaneous capacity evidence all find no responsive records at the cloud AI scribe vendor, because the vendor holds nothing. The therapist's formally written session notes remain the record — notes that the therapist drafted using professional judgment about what level of genetic detail serves the clinical record.
This post is educational analysis of how genetic test result disclosures in therapy sessions interact with the Genetic Information Nondiscrimination Act, HIPAA, state genetic privacy statutes, and the cloud AI scribe vendor archive as an independently maintained commercial business record. It is not legal advice. The applicability of GINA Title I and Title II, HIPAA exceptions, state genetic privacy statutes, and discovery authority to specific client situations depends on the facts, the relevant jurisdiction, and the applicable regulatory frameworks. Therapists with questions about documentation practices for sessions involving genetic test result disclosures, the implications of cloud AI scribe vendor archives for clients with hereditary conditions, or the intersection of GINA and HIPAA in clinical practice should consult qualified legal counsel with health law, genetic privacy, and clinical documentation expertise.