Amazon Clinic announces 50-state rollout 1 August. Were the privacy issues fixed?

At least the disclaimers are new and improved. Amazon today, on its news page, announced that Amazon Clinic was being rolled out to all 50 US states from the previous 33. You will be paying in cash (no insurance accepted) for services, which now include live 24/7 telehealth (via two ‘white-labels’, Wheel and SteadyMD) in addition to asynchronous (messaging) telehealth, for treatment of about 30 common mild and chronic conditions such as rosacea, gout, eczema, UTIs, and the ever-popular erectile dysfunction and hair loss. Access is provided through the Clinic website or the Amazon app. Providers set fees on a one-time and ongoing basis. Prescriptions can be filled individually or through Amazon Pharmacy. The service is not available to those below 18 or above 64, which is a mystery as those 65+ are perfectly capable of paying in cash and suffer from the same maladies. (Age discrimination, anyone?)

As to the reported delay from 27 June on the service expansion [TTA 27 June], an Amazon spokesperson denied that privacy concerns expressed by two US senators (Warren and Welch) and in the Washington Post had any effect and, in fact, denied that there was any delay. FierceHealthcare.

It is unknown whether Amazon replied to the senators’ letter, which cited where consumer information went, that it may be redisclosed, and the denial of service (inability to complete registration) if a user did not agree during registration to waive HIPAA and give Amazon access to the patient’s personal information file.

Looking at the news, website and privacy disclosures, there are multiple disclaimers wherever one looks that seem to address these concerns. On the news release, there is a link labeled ‘Read more about how privacy is built into Amazon Clinic’s core’. Excerpts below (main points in red):

We do not sell customer information.

Amazon doesn’t sell customers’ personal information. Amazon Clinic also doesn’t use a customer’s personal health information to market or advertise other products in the Amazon.com store.

We ask for HIPAA authorization to make things easier for customers.
One of the complaints we hear a lot about traditional health care is how many times customers are asked to fill out forms over and over again. To solve this problem, Amazon Clinic asks customers for permission (through the HIPAA authorization) to allow us to save their information and patient records if their health care provider leaves Amazon Clinic. This supports continuity of care and makes it easier for customers to work with different provider groups, because they won’t have to fill out the same form multiple times or lose access to their visit history. Customers have the option to accept or decline the HIPAA authorization before getting treatment—customers who decline can still receive care from Amazon Clinic.

The privacy disclosure on the Amazon Clinic site says the same in consumer-oriented language, with a revocation notice:

What we do (and don’t do) with your information
We use your information to make your healthcare experience easier. We send it to your healthcare providers and pharmacies when you’re being treated, and we save it so you won’t have to fill out the same forms over and over again—even if your healthcare provider were to leave Amazon Clinic. We’ll never sell your information to anyone and we don’t use your personal health information to market or advertise other products available on Amazon.com.
We respect your preferences
If you don’t want us to save your health information, you can still get care through Amazon Clinic. However, you should know that if the healthcare provider(s) you’ve used leave Amazon, we’ll be required by law to delete your health information and you’ll have to re-enter it if you visit us again.
You can change your mind
If you give us permission to save your health information, then change your mind, that’s OK. To revoke your HIPAA Authorization, just email your request to clinic.privacy@amazon.clinic. Make sure to include your name, date of birth, address, and phone number, or download the HIPAA revocation form, fill it out, and send it as an attachment to your email.

Unless this is not operating reality, Amazon may have come to its senses and installed proper guardrails on this service. Amazon is making a massive bet on healthcare by building Clinic and Amazon Pharmacy and paying $3.9 billion for One Medical, which is currently unprofitable. They are betting that, to their captive audience, basic healthcare can be delivered like merchandise and that more complex primary care can be folded into the Amazon continuum. In Amazon Clinic, it’s betting that it can one-up established players like Ro and Hims as well as Teladoc and Amwell.

A hard look at Amazon reveals that the strategy compensates for losses in other areas, such as their basic businesses with layoffs of 27,000, including Amazon Pharmacy and the Washington Post, and shuttering Amazon Care last year. Technology hasn’t been much of a winner, with Halo terminated yesterday and with privacy concerns (again) around Alexa, Kindle, and Ring security cameras. AWS is no longer the cash cow mooing in the meadow that subsidizes various ventures, with growth down by half and plenty of competition [TTA 16 June]. Amazon has few friends in DC, not even at the Washington Post. The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have held up their $1.7 billion buy of iRobot for one year as of this month, and are still scrutinizing One Medical.

If the guardrails are made of Silly Putty and there are consumer complaints, Senator Warren, who has a long history of sparring with Amazon, will be issuing more letters. She will huddle with FTC and DOJ, where there’s a dartboard with Amazon’s name on it. Note to Amazon: Senator Warren is up for reelection in 2024, and she needs a high-profile issue.

Data breaches and ‘hackermania’ running wild

Data breaches remain in the news–and the debate around how best to secure data rages.

Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?

Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously they weren’t firewalled and were easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.

Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)

Is any system hackerproof? Reader Joanne Chiocchi cited this Editor’s first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, (more…)