By George Citroner
Privacy concerns arise as Amazon Clinic’s policy requires patients to grant complete access to their health information, sparking criticism from advocates.
Worries emerge over potential data sharing with third-party companies and targeted advertising.
Amazon Clinic Uses a Hybrid Primary Care Company
In 2022, Amazon made waves with its $3.9 billion acquisition of hybrid primary care provider One Medical, which offers both in-person and virtual care, for its new telehealth service. One Medical operates in 25 cities, collaborating with local hospitals and health systems to deliver specialized care, according to its website.
For an annual fee of $199, subscribers can access a telehealth platform featuring convenient virtual care, online appointment scheduling, and prescription renewals with insurance-covered service charges.
One Medical claims it distinguishes itself by providing more personalized attention to patients through reduced patient loads, enabling providers to dedicate ample time to each individual.
The company also says it extends its health care benefits to over 8,500 businesses, and select offices offer pediatrics, certified nutrition consultants, and walk-in lab services.
Patient Privacy Issue
To access Amazon Clinic’s services, customers must sign an authorization different from the familiar HIPAA authorization typically used in health care settings.
This Amazon Clinic authorization grants the company “complete” access to customers’ health information, raising concerns about potential privacy law violations, according to a letter addressed to Amazon CEO Andy Jassy from Sens. Peter Welch (D-Vt.) and Elizabeth Warren (D-Mass.).
Welch and Warren noted that the authorization implies patient information may be redisclosed, thereby losing the protection offered by HIPAA, a federal law safeguarding patient health data. Additionally, the form lacks transparency regarding the sharing and future use of patient data.
The senators also requested that Amazon provide a sample contract with third-party providers used by Amazon Clinic enrollees and clarify if data are shared with law enforcement. “Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it,” they wrote.
Health care clinics fall into one of the most heavily regulated sectors of data privacy in the United States, Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals (IAPP) in Washington, D.C., told The Epoch Times. He said clinics should comply with consumer privacy best practices, sector-specific state laws, and federal regulations like HIPAA.
“Patient records are rightly considered one of the most highly sensitive types of personal information and are therefore subject to some of the most rigorous standards for privacy and data security,” Zweifel-Keegan said.
Amazon’s Response to Privacy Controversy
Amazon’s HIPAA authorization allows the retention of customer Protected Health Information (PHI), such as treatment plans and visit history, on behalf of Clinic customers to support their care, an Amazon spokesperson said in an email to The Epoch Times. “This authorization ensures that providers on Clinic can provide continuity of care,” the spokesperson added.
For instance, if a customer’s previous provider is unavailable upon the customer’s return to Amazon Clinic, the HIPAA authorization allows the retention and sharing of the customer’s PHI with the new provider. This facilitates efficient and effective treatment without requiring duplicate information or past visit history.
“We believe this allows for the best patient experience,” the Amazon spokesperson said. “Customers can revoke their HIPAA authorization at any time by visiting Clinic.Amazon.com/privacy.”
However, Sara Geoghegan, a lawyer at the national data privacy organization Electronic Privacy Information Center (EPIC), warned in an interview with The Washington Post that “Amazon has a history of using complicated, mazelike design features to keep users from exercising privacy-protective options,” adding that this might be the case here as well.
Amazon Reportedly Delaying Rollout Over Concerns
Amazon has reportedly delayed the launch of a significant expansion of its Amazon Clinic telemedicine service due to Warren’s and Welch’s concerns about the company’s privacy practices, as reported by Politico. According to the news outlet, it obtained an email from a source with direct knowledge of the situation, revealing that Amazon will postpone a promotional campaign for three weeks until July 19.
“Amazon is asking patients to turn over a ton of personal data to use their services,” Welch told Politico. “It can’t be that Big Tech companies can ask for a treasure trove of personal information to let you use their services but face no accountability for what they’ll do with it.”
Holding Companies Accountable
“Policymakers are trending toward expanding the definitions of health data and biometric data to reflect the expanding capacity to make health-related inferences about people, even from seemingly non-health data,” Zweifel-Keegan said. “The spread of AI and the increasing ease with which datasets are combined across contexts means it is becoming easier to spin straw into data gold.”
He added that it was important for companies to implement enhanced safeguards for all health-related data. The trend in new state laws like Washington’s My Health My Data Act is to hold all companies, regardless of whether they provide health care services, to the same standards around any data that may be health-related.
“Companies are well advised to take note of this trend and implement enhanced safeguards for the wide range of health-related data,” Zweifel-Keegan said.