Amazon Clinic delays 50-state telehealth rollout due to Federal data privacy, HIPAA concerns on user registration, PHI–is it a warning?

Amazon delaying Amazon Clinic national rollout from today (27 June) to 19 July. Amazon Clinic, which debuted last November as an asynchronous, message-based telehealth consult or prescription renewal referral platform [TTA 16 Nov 2022], has run once again into Federal scrutiny. This time, it’s two Senators from New England–the well-known Elizabeth Warren (D-MA) and the little-known Peter Welch (D-VT)–who are poking Amazon with the stick of whether sensitive health and personal data are flowing into Amazon’s other databases.

Their letter to CEO Andy Jassy was fair warning that, as this Editor predicted last February (see the list of open issues) after the One Medical buy closed to high-fives all around, the government is nowhere near finished with scrutinizing Amazon and how personal data, including health data, flows between their units and is monetized. 

In a two-page letter dated 16 June based on reporting in the Washington Post (100% owned by Amazon’s 12.6% shareholder and controller, Jeff Bezos–the irony runs deep here), the two senators believe that they have caught Amazon but good–and with some of the goods. 

  • Users of the Amazon Clinic service are asked, in the registration form, to authorize the “use and disclosure of protected health information.” They are told that agreement to this gives Amazon access to the “complete patient file” and that this information “may be re-disclosed,” after which it will “no longer be protected by HIPAA”. By agreeing to this, users waive any HIPAA personal health information protections.
  • If the user declines to agree, they are redirected and unable to complete Amazon Clinic registration and denied care. HIPAA regulations specifically prohibit conditioning care on agreement to disclose patient information. (This is known by anyone who has taken required training or certification on HIPAA when working for health plans or other regulated healthcare providers including RPM and telehealth vendors.)

The letter raises the sensible, usual questions on why personal data is being collected and what Amazon is doing with it. For instance, it requests responses on how patient data is used by Amazon, what data is shared with third-party entities, and what data is used in any analytics or algorithms. It cites as a non-compliance example the $1.5 million that GoodRx paid in an FTC penalty on their past Meta Pixel usage for ad tracking. (Interestingly avoiding the $7.5 million Teladoc paid for similar ad tracker misuse by BetterHelp.)

The $30/visit service has been available in 33 states since last year and currently through asynchronous messaging, provides care for minor conditions such as UTIs, herpes, and skin infections. The expansion will cover all 50 states and add synchronous video telehealth.

One would think that with billions on the line with One Medical, Amazon would be more cautious about poking the Antitrust Bear. They have already been put on notice by the Federal Trade Commission, the Department of Justice (DOJ), Congress, and multiple states. For Amazon Clinic, requiring individuals to waive their right to protect their PHI in registering for the service is downright brazen. How this got past their legal and compliance departments boggles the mind. Why Amazon is not ‘hiving off’ PHI collected through this small service is another question. Doing so would show to FTC and DOJ that Amazon can play by the rules. Instead, it confirms the widely held belief of those in healthcare that Amazon culturally cannot deal with the restrictions that come with the territory. Are they deliberately ‘playing chicken’ with the Feds? Pollo loco? This up-to-the-line behavior tends not to end well, as the telemental health providers that over-prescribed controlled substances found out.  POLITICO, The Hill, mHealth Intelligence

Categories: Latest News and Opinion.