On the 16th of June, US senators Elizabeth Warren and Peter Welch sent a letter to Andy Jassy, Amazon President and CEO, expressing concerns about how Amazon’s online health platform, Amazon Clinic, harvested consumer health data from patients.
Amazon Clinic is a telehealth provider and Amazon’s subsidiary. Telehealth is the delivery and facilitation of health and health-related services via telecommunications and digital communication technologies[1]. Using Amazon’s own words, Amazon Clinic operates as a virtual health storefront, bringing together clinical offerings from national, award-winning telehealth providers. Customers can select the third-party telehealth provider that best meets their timeline and budget, then connect directly with a licensed clinician who can provide a message-based consultation and prescribe treatment[2].
At first, it sounds like an efficient service that is broadly accessible to everyone without problems. However, in order to provide such a feature, Amazon certainly needs to access and process very sensitive user data, namely health information.
In this article, we explore the areas of major concern and will try to explain why we believe they are significant. We will conclude by considering how overseas data protection practices can also affect data subjects who are under the protection of the General Data Protection Regulation (GDPR) and what this means from a legislative point of view.
What do users agree to?
A recent Washington Post investigation found that, in order to enrol in and use Amazon Clinic’s service, users are first required to sign an “authorisation” that gives Amazon access to complete patient files[3].
Additionally, by signing the consent form, customers authorise Amazon to re-disclose the information, which would result in the loss of the Health Insurance Portability and Accountability Act (HIPAA) protection.
HIPAA is the US federal law that protects Individual Identifiable Health Information (IIHI) transmitted or maintained in electronic media or any other form. HIPAA protects IIHI whilst it is being used for the purposes of direct care/health care. However, HIPAA does not provide any protection where the data is processed or shared outside of uses for direct care/health care. Indeed, IIHI disclosed by individuals about themselves on websites and health apps, to friends and family, or to anyone other than a healthcare provider, health plan or employer, won’t be protected by HIPAA. In fact, such IIHI can be redisclosed by the recipient without violating HIPAA[4].
The first element to consider is the Amazon Clinic Privacy Notice, which does not mention any redisclosure of data, whereas the authorisation form presented at the next enrolment stage does. Indeed, in the privacy notice, customers are only informed that their data will be treated according to the HIPAA provisions. However, this turns out to be misleading and not very transparent since, as explained above, the legislation does not protect data that data subjects share with websites and apps and that is then disclosed further. This is precisely the scenario that would occur with the use of Amazon Clinic.
Secondly, Amazon requires access to the complete patient file even before the customer details their requested health treatment. From a European perspective, this is alarming from many points of view, but mostly from a data minimisation perspective, considering that Art. 5 (1) (c) of the UK GDPR establishes that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Who are the recipients of your personal data?
A further debatable aspect concerns the potential recipients of this data, that is, the organisations with which Amazon might share this health information. And for what purpose might they redisclose this data? According to the Washington Post investigation, there are many ways Amazon could use patients’ health data; to mention a few: to build an AI product, for targeted marketing purposes, or to create a patient-risk model.
Once again, from a European perspective, this is profoundly worrying if we consider the protection offered by the purpose limitation principle, which provides that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (…)”.[5]
Finally, this can be even more controversial if we consider recent events where online pharmacies and social media platforms released very sensitive health information related to their customers or users as a result of requests from law enforcement authorities.
On the 22nd of May 2023, a woman from the state of Nebraska pleaded guilty to performing an illegal abortion. The prosecution went further and even accused her mother of illegally helping her with the abortion.
You may legitimately wonder how this is relevant to us or to the topic of this article. But the case against the mother and daughter is partially based on Facebook messages the two women exchanged about their plan to obtain the medication to induce an abortion.
Apparently, the local police were already investigating the suspect for the disposal of the remains; thus, they requested access to her Facebook chats. However, the information in that chat, released in full, incidentally revealed the discussion of abortion pills. The subsequent charges indicate how data released by social-media companies can be used to prosecute people for other “crimes”, even when they are being investigated for other reasons.
Of course, Meta, as well as any other social media platform or website, must cooperate with law enforcement authorities, but there must be a fixed and transparent framework to comply with. Whilst we are not implying that such a framework does not exist in the US, the amount of information authorities have access to still feels worrying, and it does not seem to be restricted to what relates to the subjects of the investigation. Moreover, it is even more alarming that, upon request, they can use information unrelated to the crime under investigation to prosecute a new, different offence.
In the UK and Europe, the GDPR regulates such scenarios and provides that personal data can be shared with law enforcement authorities only where it is necessary and proportionate.
Conclusion
Considering the close political and economic relationship that the UK and EU countries have with the USA, it is accurate to say that data flows continuously between the two continents. Furthermore, in economic terms, as stated by the White House, the EU-U.S. economy is worth $7.1 trillion and depends on the transatlantic data flows to function[6].
However, the gaps in the US data protection framework are evident and highly alarming, especially when considering the protection offered to special categories of data such as health information. As highlighted above, HIPAA provides for the disclosure of data to third parties and explicitly establishes its inapplicability in case of further redisclosure. As rightly pointed out in the Washington Post investigation, HIPAA was written in 1996 primarily to make medical records portable at a time when many were stored in folders on shelves. No wonder the law can’t keep up with digital businesses harvesting health information. HIPAA also doesn’t cover the growing trove of body information collected by Apple Watches and even Google searches[7].
With all the above in mind, the prospect of Amazon Clinic spreading is quite concerning. Indeed, all the uncertainties related to the data protection offered by HIPAA make Amazon’s assurance that Amazon Clinic will treat data in accordance with HIPAA more alarming and, to a certain extent, meaningless.
Finally, it is worth mentioning that the disputable protection offered to health data in the US is just an example of how this country safeguards personal data. Hence the very recent adequacy decision adopted by the European Commission in favour of the US, which allows the free flow of data from the EU to US companies without having to implement additional data protection safeguards, is regarded with surprise.
[1] What is Telehealth? https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0268
[2] What is Amazon Clinic: A virtual health service for common conditions (aboutamazon.com)
[3] Amazon Clinic patients must sign away some HIPAA privacy rights – The Washington Post
[4] USA: Scope of HIPAA | Insights | DataGuidance
[5] UK GDPR, Art. 5 (1) (b).
[6] FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/
[7] Amazon Clinic patients must sign away some HIPAA privacy rights – The Washington Post.