
Senators Seek Answers From Amazon Over Collection of Patient Data

Signing up for Amazon Clinic comes with a catch – the company asks patients to sign away the “use and disclosure of protected health information.”

Senators Peter Welch (D-VT) and Elizabeth Warren (D-MA) sent a letter to Amazon President and CEO Andy Jassy expressing concern over the privacy practices of Amazon Clinic, the company’s new online healthcare service that promises quick treatment and prescriptions for common health concerns.

“All of your information is protected by our practices and by law,” the front page of Amazon Clinic states.

However, a recent article published in the Washington Post alleged that some questionable privacy practices may be at play. The Post called attention to Amazon Clinic’s “HIPAA authorization” form, which patients must complete before signing up for the service.

The form asks patients to authorize the “use and disclosure of protected health information” and allows Amazon to have patients’ “complete patient file.”

“The form indicates that this information ‘may be re-disclosed,’ after which it will ‘no longer be protected by HIPAA,’ the federal law that requires providers to take steps to protect patient health data. The form does not provide specific details on how patient data will be shared or used going forward,” Senators Welch and Warren wrote in their letter following the Post article.

The Senators also noted that customers who refuse to consent to this form are prevented from registering with the clinic, despite the fact that the HIPAA Privacy Rule prohibits conditioning care on an authorization to disclose PHI.

“Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it,” the letter continued. “Congress is also evaluating legislative efforts to protect health data in the context of emerging technologies.”

The Senators requested a variety of information from Amazon by June 30, including a sample contract between Amazon and the third-party providers that deliver services to Amazon Clinic patients, and an itemized list of patient health data collected from customers who sign up for Amazon Clinic.

Additionally, the Senators requested a list of patient health data that Amazon shares with other entities within Amazon, and whether the data is used to develop other products or sold to third parties.

This is not the first time that Amazon has faced scrutiny over its health data privacy practices. In March, following Amazon’s acquisition of membership-based primary care practice One Medical, the Federal Trade Commission (FTC) sent a letter to the company reminding it of its obligations to protect sensitive health information.

“Companies that fail to abide by the commitments and representations they have made to consumers can violate Section 5 of the FTC Act,” the FTC said at the time.

Recent enforcement actions by the FTC, such as the $1.5 million penalty issued to GoodRx over an alleged violation of the Health Breach Notification Rule, highlight the Commission’s commitment to cracking down on improper health data sharing.  
