Patients seeking convenience and lower costs should also be afforded the full protection of federal and state information privacy laws. Last year Amazon launched a low-cost healthcare service to provide virtual care for more than 20 common health conditions including Covid, allergies and high blood pressure. Are Amazon’s potential healthcare customers fully aware of their health privacy rights?
Clinic Walks Fine Line Around HIPAA
A recent article in the Washington Post explains how the new Amazon Clinic comes with a hidden cost – patient privacy. In order to sign up for its service, patients are required to consent to an “authorization“. According to the article:
This Amazon form is asking for something more extraordinary: “use and disclosure of protected health information.” It authorizes Amazon to have your “complete patient file” and notes that the information “may be re-disclosed,” after which it “will no longer be protected by HIPAA.”
Amazon Clinic’s privacy page explains on the one hand that Amazon “is committed to maintaining your privacy and we take our responsibility for safeguarding your Protected Health Information (PHI) very seriously. The Health Insurance Portability and Accountability Act (HIPAA) governs how Amazon Clinic may use and disclose PHI, including information like medication history, medical conditions, and treatment plan information.”
On the other hand a little further down, the Clinic’s privacy page has an “authorization” a patient is required to accept before receiving any care. This authorization grants Amazon broad rights to use and disclose the patient’s protected health information.
Business Associates are Required to Follow HIPAA
Amazon’s privacy page explains that the Clinic is not a healthcare provider – in other words, it’s not a HIPAA “covered entity” and is instead a service provider to the healthcare providers, in other words, the Clinic is a HIPAA “business associate“.
Amazon customers who need healthcare are using the Clinic to refer them to providers. Amazon receives protected health information from customers and transmits it to providers. Amazon explains that the authorization allows the Clinic to use and disclose the PHI to 1) coordinate healthcare services for customers and 2) to update customer information to facilitate services from other providers.
The Clinic authorization needs to be read together with the intricate terms of several other Amazon legal policies, including its Conditions of Use, Terms and Conditions, and its Privacy Notice.
The fundamental problem is that once patients agree to the mandatory authorization, they agree their health information may no longer be protected by HIPAA.
Consumer Privacy Rights are Also Protected by States and the FTC
Although Amazon Clinic’s practices may technically comply with HIPAA, they are also subject to state consumer protection and privacy laws and other federal consumer protection laws.
The Federal Trade Commission (FTC) protects consumers from deceptive or unfair business practices and from unfair methods of competition. Consumers’ privacy rights come under its authority and the FTC has been paying more attention to health privacy claims that fall outside of HIPAA. For example, the FTC has its own Health Breach Notification Rule and has used it to investigate GoodRx another online healthcare company that is not a HIPAA covered entity. That investigation resulted in a $1.5 million settlement payment by GoodRx for deceptive practices.
The Future of Privacy in Healthcare
Whether Amazon Clinic is allowed to continue collecting, using and disclosing patient information may depend on stronger protections from HHS, the FTC and the state attorneys general that enforce consumer protection and privacy laws. Another deterrent could be lawsuits if a significant healthcare data breach occurs. A similar trend is happening in the case of website pixel tracking used by healthcare and big tech companies. Google and Meta are both defending class action lawsuits related to pixel trackers.
The average typical busy customer looking for cost savings and convenience may not complain. If they understand what they’re giving up and decide they don’t want to, they can simply log out. More likely though, they are confused by the mixed messages on the Clinic’s privacy page, which in an early section reassures that privacy is important, but in related documents qualifies the extent of privacy protections.
The Clinic’s authorization leads to a thicket of legalese that customers will find extremely difficult to understand. Privacy experts have voiced concerns. We will keep you informed as the story unfolds.