Editorial: Will Amazon Clinic Put Patient Privacy at Risk?

November 28, 2022

Amazon has launched a new service that connects patients with doctors – Amazon Clinic. This should come as no surprise given Amazon’s recent acquisitions and the company’s stated ambitions in the healthcare market. The new service promises to deliver convenience combined with affordability, but Amazon’s latest healthcare venture sets warning bells ringing about patient privacy.

Amazon’s Journey into Healthcare

Amazon is the ultimate disruptor. The company started as an online bookseller and cornered that market, then transitioned into a portal that connects the world with every conceivable product they could want, all of which are available through an easy-to-use website that delivers everything faster than most of its competitors. Amazon products are usually cheaper than the competition and the company is well known for putting the consumer first. Order late one day and your purchases will be with you the next. It is not possible to overstate how successful the company has been. Amazon is now generating revenues of $140 billion a quarter, and that success turned its founder, Jeff Bezos, into the world’s richest man, a position he held from 2017 to 2021.

In 2006, Amazon launched its cloud computing platform, Amazon Web Services (AWS), which has helped many healthcare organizations with their digital transformations, and in recent years, Amazon has been taking greater strides into the lucrative healthcare market. In 2017, Amazon created a healthcare-focused tech lab, 1492, then in 2018 launched its cloud-based service, Amazon Comprehend Medical, which extracts healthcare data from text such as doctors’ notes and clinical trial reports.

Amazon partnered with Berkshire Hathaway and JPMorgan Chase to create the non-profit healthcare organization, Haven, which sought to improve access to primary care for those companies. Haven was later shut down and was replaced by the Amazon Care program for its staff, which provides online and face-to-face medical services. Amazon started rolling out that telemedicine service to employers around the country, although in August it announced that it would be shutting down the service by the end of the year as it was not a sustainable solution for its enterprise customers.

Acquisitions of PillPack and One Medical Cement Move into Healthcare

Amazon’s move into healthcare took a major step forward with the $753 million acquisition of the online pharmacy PillPack in 2019, as the retailer looked to crack the prescription market. Amazon Pharmacy, launched in 2020, offers Amazon Prime members free delivery for their pharmacy orders, packaged to make it easier for patients to remember when to take their medications.

This year, Amazon announced its intention to acquire the primary healthcare organization One Medical in a deal reportedly worth $3.9bn. One Medical provides a membership-based service offering in-person visits and virtual care and currently has around 815,000 members. This deal, if it completes, will cement Amazon’s place in the healthcare sphere.

Amazon’s planned acquisition of One Medical has sent alarm bells ringing throughout the healthcare industry and beyond. Privacy advocates are terrified about Amazon gaining access to large amounts of sensitive medical data and how that data will be used. There are fears that this most sensitive of data could be manipulated and exploited by Amazon in ways that may not become clear for many years to come.

In August, following the announcement about One Medical, Senator Josh Hawley (R-MO) wrote to the Federal Trade Commission (FTC) calling for the FTC to investigate the deal due to privacy and security concerns. Hawley stated that Amazon already wields too much power, and while the company would be required to comply with HIPAA and other healthcare privacy laws, some loopholes could be exploited. One of the biggest concerns with this merger, should it go ahead, is how Amazon plans to draw the line between consumer and patient data, and exactly where that line will be drawn.

Amazon Clinic Launched

The latest venture, Amazon Clinic, brings the convenience of Amazon’s retail empire direct to every home with an Internet connection and every individual with a smartphone. According to Amazon, Amazon Clinic allows everyone to “get treatment for common health concerns at your convenience—no appointments, video calls, or live chat required.” Amazon Clinic is billed as a virtual healthcare service that, like its retail business, delivers convenience and affordability.

Amazon Clinic is a message-based virtual care service, where users can select from a list of common health complaints, answer some questions, have that input reviewed by a licensed clinician, and then be provided with a personalized treatment plan. No appointments are needed, and in contrast to other healthcare services, the user knows the cost of the visit in advance. Pay a flat fee upfront and there are no surprises. Amazon says that the fee charged is less than many co-pays, plus the service offers more convenience as there are no waiting room visits and no telehealth appointments. The service is available 24/7 and prescriptions are filled by Amazon Pharmacy.

At launch, the virtual care service is being provided in 32 U.S. states for adults aged 18-64 and covers 20 common health conditions from acne to yeast infections, and the service can also be used to renew prescriptions for common medications with no visits or live chat required. The service is aimed at the uninsured market as Amazon does not accept insurance – although payment can be made and users can then try to claim back the cost from their insurer.

Amazon’s Checkered Privacy History

Anyone concerned about providing their most sensitive health data to Amazon need not be worried, as Amazon states, “Your health data is secure – All of your information is protected by our practices and by law… HIPAA and all other applicable laws and regulations.” Amazon also points out that “We have extensive experience protecting data of all kinds appropriately across a variety of businesses and remain focused on the important mission of protecting customers’ health information.”

There is, of course, the question of the extent to which consumers can trust Amazon with their health data, as while its services are much loved by consumers, the company does not have an exemplary record when it comes to data privacy. That “extensive experience” includes some questionable data practices and there have been many allegations of serious privacy violations.

Amazon was investigated for violations of the European Union’s General Data Protection Regulation (GDPR), with the Luxembourg Data Protection Authority determining that the retailer had violated several Articles of the GDPR related to its processing of user data, even though Amazon was well aware of the requirements of the GDPR. The fine imposed in 2021 was a record €746 million ($887 million). Amazon has appealed that decision and maintains there was no data breach or disclosure of personal data to any third parties. The exact nature of the alleged violations has not been disclosed publicly, although it is suspected to be related to the use of personal data internally for advertising purposes without consent.

This year, an Amazon cloud backup service was found to be inadvertently exposing RDS snapshots over the public Internet that contained corporate personally identifiable information (PII). Also this year, Amazon accidentally exposed an internal server to the public Internet that contained data about users’ Prime viewing habits.

One problem for Amazon comes from the sheer volume of data that it collects from many different sources, from search engine and site searches to what is said to Alexa. Amazon has had problems mapping all of that data and does not know exactly where all that data is being held, let alone how all that data is being used. That is a major concern if health information is also collected.

Then there is Amazon’s vast workforce of more than 1.6 million full and part-time employees, which creates a considerable insider privacy risk, and questions have long been asked about how customer data is protected against insider threats. A report was published by the Wall Street Journal in 2018 about how Amazon employees were being bribed to provide access to sensitive information such as buying habits, sales volume, and the on-site search terms of customers. Amazon has a history of employees sharing customer contact information with third parties, and in 2020, disgruntled employees were found to be leaking customer email addresses. An internal application that was used by Amazon to extract data was found to be used as a backdoor, allowing third parties to collect customer data, notably by a Chinese firm that had harvested the information of millions of customers. Questions have also been asked about the ability of the Amazon retail arm to detect security incidents.

Of course, insider threats are a problem for all businesses; however, for a company such as Amazon which has received considerable criticism from employees about working conditions, the threat is greater. Former Amazon chief information security officer Gary Gagnon said in 2018 that there was free-for-all internal access to customer information and that the systems in place made it difficult to track where all of Amazon’s data was going.

Privacy Concerns About Access to Medical Data

Amazon has access to a huge amount of data from the retail side of its business and has the goal of broadening its access to data to include healthcare information, which through Amazon Clinic will help to drive the growth of its online pharmacy business.

Amazon states that it will abide by federal regulations such as HIPAA, but while HIPAA has helped to protect the privacy of patients for two decades, there are considerable gaps. HIPAA has not adapted to changing technology, such as the massive rise in the use of health apps. The data collected through those apps is often the same data that HIPAA protects if collected by a healthcare provider, yet the apps are beyond the protection of HIPAA.

One concern is to what extent the data collected through Amazon Clinic will be used by other parts of the business. Through Amazon Clinic, patients fill out health questionnaires. That information would be valuable for the retail arm. The first health condition on the Amazon Clinic list – Acne – brings up more than 10,000 products on its retail site. Amazon may claim that Amazon Clinic data will be kept separate, but enforcers of the GDPR are likely to have their suspicions about the extent to which that will occur. Will users of the Amazon Clinic find they are offered a range of tailored products to suit their specific health needs?

As Amazon has demonstrated over the years, other players in the markets in which it operates struggle to compete, and that has been seen from the very early days when Amazon started putting booksellers out of business. There are already several players in the telehealth market that offer similar services for common health conditions but lack the reach of Amazon, and they may well struggle to compete. Amazon Clinic, coupled with its companion One Medical business – if that acquisition goes ahead – could lead to a monopoly on telehealth that would reduce consumer choice.

The Future of Healthcare?

There is no doubt that there is demand for Amazon Clinic, which seeks to bridge the gap between medical complaints that require more than a trip to the drug store and are not sufficiently severe to warrant a costly trip to the doctor. A service that plugs that gap and offers convenience and affordability is almost certain to prove popular.

Amazon Clinic could have a positive impact on the industry from a patient perspective. One of the keys to the success of Amazon is its focus on improving the customer experience. If the service proves to be successful, healthcare providers may also start looking at ways that they can do the same and make their services better and more convenient.

U.S. consumers may be comfortable with Amazon collecting vast amounts of information and building up detailed profiles of consumers in exchange for convenience and low prices, but questions remain about whether Amazon can be trusted with health data. An American Medical Association survey earlier this year suggests there is widespread mistrust in nontraditional healthcare entities. Amazon may find it difficult to earn consumer trust.

Amazon says this new service makes doctor’s visits simpler and affordable and that any privacy fears are unfounded. It remains to be seen whether making health care more convenient and affordable will come at the cost of patient privacy, and it may be some time before that becomes fully apparent.

Steve Alder 

Editor-in-Chief, HIPAA Journal
