The new, low-price health service requires authorization from patients that may allow for sensitive data to be used or spread by Amazon.
In recent years, Amazon has been diving into healthcare. In 2022, they acquired primary-care company One Medical. In January of 2023, they released a prescription program, RxPass, and even attempted their own healthcare program for employees.
While their ventures have had mixed success, Amazon continues to enter into the healthcare sphere with full force.
One of their popular operations, Amazon Clinic, officially rolled out in November of 2022, offering virtual care and prescribing prescriptions for common health conditions like acne and allergies. According to USA Today, they also allow prescription renewals for existing issues, like migraines or asthma.
Related: Telehealth HIPAA compliance after the COVID-19 exemption ends.
The platform is lauded for its ease of use, but potential patients are now given pause because of the authorization required. The Washington Post reported that one of the forms to receive services requires users to agree to the "use and disclosure of protected health information." Amazon is then given access to your patient file and states that information may be "re-disclosed," which may no longer be protected by HIPAA.
Amazon's authorization remains vague, and it's unclear what they may do with the data. It's possible they could use it to promote other services or for more specific targeted ads. While Amazon claims that the data will only be used for purposes customers have consented to, the lack of clarity – and federal regulations for these situations – adds a layer of concern that should be considered before customers sign up.
On top of this, while Amazon says they are HIPAA compliant, if the data leaves their hands, other organizations who are not considered covered entities may not be required to follow the same laws. Overall, the situation allows for various loopholes when it comes to sharing protected health information.
In an interview with the Washington Post, Amazon spokeswoman Christina Smith said, "We are not in the business of selling data to anyone. Amazon Clinic's HIPAA authorization does not seek consent for the use and disclosure of [personal health information] for HIPAA marketing purposes, and we don't use the data that way."
Sarah Geoghegan, a lawyer at EPIC, claimed that Amazon frequently complicates its features as a way to "keep users from exercising privacy-protective options." Geoghegan explained that the matter is complicated by the lack of regulation in this sphere, "We need meaningful limitations on what data they can collect," she said.
As Amazon continues to test the healthcare waters, it's unclear how they may use consumer data, or what safeguards potential customers may have in response.
With Amazon's vague authorization form, many patients are reconsidering if Amazon Clinic will be the right choice for them.
HIPAA compliant entities should keep their eye on Amazon Clinic's situation, as it will likely shape the precedent for the ever-growing online healthcare industry.
Read more: HIPAA Compliant Email: The Definitive Guide