Senators Demand Answers on Amazon Clinic’s Uses of Customer Data
Two Democratic senators have demanded answers from Amazon about how it uses the data of customers of Amazon Clinic after an investigation by the Washington Post revealed individuals wishing to enroll in Amazon Clinic are required to sign away some of their privacy rights in order to use the service.
Amazon Clinic was launched in November 2022 and provides virtualized healthcare services. Amazon advertises the service as “a virtual healthcare storefront through which telehealth services are offered,” with those telehealth services provided by third-party healthcare providers. The Washington Post was contacted by a reader who requested an investigation of Amazon Clinic over the terms and conditions of its sign-up form. When enrolling for Amazon Clinic, users are required to provide consent to allow the use and disclosure of their protected health information. The form states that after providing consent Amazon will be authorized to have access to a complete patient file, may re-disclose information contained in that file and that the information disclosed will no longer be subject to the HIPAA compliance rules. While the terms are voluntary, individuals have no option of using Amazon Clinic if they do not agree to the terms and conditions.
Senators Peter Welch (D-VT) and Elizabeth Warren (D-MA) recently wrote to Amazon’s President and Chief Executive Officer, Andy Jassy, and expressed their concern that Amazon may be harvesting the health data of Amazon Clinic customers. The senators have demanded answers about how Amazon uses customers’ health data and whether Amazon is using the data collected from Amazon Clinic customers to sell them other Amazon products or services.
The form provided by Amazon Clinic is essentially a HIPAA Authorization, which is required by HIPAA-regulated entities before any disclosures of protected health information are possible that are not expressly permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule also prohibits conditioning care on signing an authorization to disclose patient information. The senators point out that the HIPAA authorization that Amazon Clinic customers are required to sign does not state how patient data will be used or shared. Essentially the signing of the authorization form gives Amazon full access to customers’ health data and allows the information to be used and redisclosed as Amazon sees fit. Amazon Clinic’s terms and conditions state that customer data is not used for any purposes that its customers have not consented to, yet no information is provided about why customer health data is collected and how that information will be used.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The senators explained that the Federal Trade Commission (FTC) recently fined telehealth provider GoodRx for failing to inform consumers that their health data was disclosed to third parties for advertising purposes, and in addition to paying a financial penalty, GoodRx has been prohibited from using manipulative methods – termed dark patterns – to obtain users’ consent to use and share their health information. “Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it. Congress is also evaluating legislative efforts to protect health data in the context of emerging technologies,” wrote the senators.
The senators have asked Amazon to provide further information on its privacy practices by June 30, 2023, including a sample of the contract between Amazon and the third-party telehealth providers that have signed up with Amazon Clinic, a list of data elements collected from consumers that sign up for the service, a list of the data elements that are shared with other entities within Amazon Group, and a list of all uses of health data. Amazon was also asked whether any collected health data is used by its analytics and algorithms or for marketing, is sold to third parties, or is provided to federal, state, or local law enforcement authorities.