The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Senators Demand Answers on Amazon Clinic’s Uses of Customer Data

Posted By on Jun 26, 2023

Two Democratic senators have demanded answers from Amazon about how it uses the data of customers of Amazon Clinic after an investigation by the Washington Post revealed individuals wishing to enroll in Amazon Clinic are required to sign away some of their privacy rights in order to use the service.

Amazon Clinic was launched in November 2022 and provides virtualized healthcare services. Amazon advertises the service as “a virtual healthcare storefront through which telehealth services are offered,” with those telehealth services provided by third-party healthcare providers. The Washington Post was contacted by a reader who requested an investigation of Amazon Clinic over the terms and conditions of its sign-up form. When enrolling for Amazon Clinic, users are required to provide consent to allow the use and disclosure of their protected health information. The form states that after providing consent Amazon will be authorized to have access to a complete patient file, may re-disclose information contained in that file and that the information disclosed will no longer be subject to the HIPAA compliance rules. While the terms are voluntary, individuals have no option of using Amazon Clinic if they do not agree to the terms and conditions.

Senators Peter Welch (D-VT) and Elizabeth Warren (D-MA) recently wrote to Amazon’s President and Chief Executive Officer, Andy Jassy, and expressed their concern that Amazon may be harvesting the health data of Amazon Clinic customers. The senators have demanded answers about how Amazon uses customers’ health data and whether Amazon is using the data collected from Amazon Clinic customers to sell them other Amazon products or services.

The form provided by Amazon Clinic is essentially a HIPAA Authorization, which is required by HIPAA-regulated entities before any disclosures of protected health information are possible that are not expressly permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule also prohibits conditioning care on signing an authorization to disclose patient information. The senators point out that the HIPAA authorization that Amazon Clinic customers are required to sign does not state how patient data will be used or shared. Essentially the signing of the authorization form gives Amazon full access to customers’ health data and allows the information to be used and redisclosed as Amazon sees fit. Amazon Clinic’s terms and conditions state that customer data is not used for any purposes that its customers have not consented to, yet no information is provided about why customer health data is collected and how that information will be used.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The senators explained that the Federal Trade Commission (FTC) recently fined telehealth provider GoodRx for failing to inform consumers that their health data was disclosed to third parties for advertising purposes, and in addition to paying a financial penalty, GoodRx has been prohibited from using manipulative methods – termed dark patterns – to obtain users’ consent to use and share their health information. “Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it. Congress is also evaluating legislative efforts to protect health data in the context of emerging technologies,” wrote the senators.

The senators have asked Amazon to provide further information on its privacy practices by June 30, 2023, including a sample of the contract between Amazon and the third-party telehealth providers that have signed up with Amazon Clinic, a list of data elements collected from consumers that sign up for the service, a list of the data elements that are shared with other entities within Amazon Group, and a list of all uses of health data. Amazon was also asked whether any collected health data is used by its analytics and algorithms or for marketing, is sold to third parties, or is provided to federal, state, or local law enforcement authorities.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist