Amazon has a new low-price health service called Amazon Clinic. For as little as $30, you can message online with a clinician from an Amazon partner who will write you a prescription for anything from covid-19 to herpes.
But there’s a hidden cost to Amazon’s Clinic: your privacy. This is how Big Tech companies get away with invading your intimate business — and the laws that are supposed to protect us just aren’t keeping up.
A Washington Post reader asked me to investigate a legal form Amazon asks new Clinic patients to agree to. So I signed up. This “authorization” isn’t a standard doctor’s-office notice detailing how they follow the health-privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act. That’s what makes sure your doctor protects your health information and shares it only in very specific circumstances.
This Amazon form is asking for something more extraordinary: “use and disclosure of protected health information.” It authorizes Amazon to have your “complete patient file,” and notes that the information “may be re-disclosed” after which it “will no longer be protected by HIPAA.”
Wait, you agreed to what? Amazon is essentially pushing people to waive some of their federal privacy protections, say the lawyers at the Electronic Privacy Information Center whom I asked to inspect the jargon. Amazon is required by law to say doing so is voluntary — but in practice you must agree to become a patient at its Clinic. There’s only one button to click: “Continue.”
Amazon says our data is protected by its privacy practices. It says it needs the HIPAA authorization to “help coordinate future health care services from Amazon,” because its Clinic is merely software used by external health care providers.
That shouldn’t matter: We the users and patients want our intimate information to be locked down by law, no loopholes for tech companies. The problem is as much tech’s overreach as it is American privacy rules that — unlike in Europe — don’t apply to many health situations and regulate specific players in the system rather than the information itself.
“People often think HIPAA follows the data, but HIPAA actually starts with the covered entity and how it follows the data is limited,” says Melanie Fontes Rainer, the Director for the Office for Civil Rights in the Department of Health and Human Services, which is primarily responsible for policing HIPAA. She declined to comment specifically on Amazon Clinic.
Amazon founder Jeff Bezos owns The Washington Post, but I review all technology with the same critical eye.
Amazon is pushing deeper into health care before it has earned our trust as a steward of very sensitive data, and these shenanigans don’t help. Last year, Amazon also bought primary care provider One Medical. I wonder: When it will start asking One Medical patients like me to authorize new uses of our health data, too?
“Amazon has a history of using complicated, mazelike design features to keep users from exercising privacy-protective options,” says Sara Geoghegan, a lawyer at EPIC. “That seems like what’s going on here.”
There’s plenty at stake. Amazon Clinic asks you to enter really personal information, including details and photographs of conditions such as hair loss, cold sores, and pinkeye. Chatting through Amazon’s website with one of its clinical partners, you can even request emergency contraception.
What could go wrong? There are lots of icky ways Amazon could use your health information: to upsell you on other services, to target marketing for its giant advertising business or to build out artificial intelligence or patient-risk models.
When I asked Amazon to be clear about what it is — and isn’t — doing with patient data, spokeswoman Christina Smith emailed: “We don’t use customer data for purposes that customers haven’t consented to.”
But Amazon’s HIPAA authorization is notably vague about what we’re consenting to. It says it will use the data “to facilitate services from other providers.” That could mean disclosing our information to other medical providers — or it could also mean disclosing it to any business that wants to provide services to us.
When I asked Amazon to be specific, Smith said: “We are not in the business of selling data to anyone. Amazon Clinic’s HIPAA authorization does not seek consent for the use and disclosure of [personal health information] for HIPAA marketing purposes, and we don’t use the data that way.”
Amazon doesn’t make that commitment on the privacy page for its Clinic.
To be clear, I don’t have evidence of Amazon doing something naughty with this data. After I signed up for the Clinic, consented to its authorization and paid $30 for help with seasonal allergies, I didn’t suddenly get swamped with ads tied to my diagnosis.
But we also shouldn’t have to wait for abuse to stop it from happening, or let companies make their own rules for how to protect our most-sensitive information.
“Of course Amazon can do what they want with the data if a patient clicks ‘O.K.,’ regardless of what the company claims,” says Andrea Downing, the co-founder of a patients’ digital rights group, The Light Collective. “Whether seeking care for a sexually transmitted disease, a cold, or a urinary tract infection, patients want relief and affordable care, not to be tricked into signing away privacy rights.”
Said Amazon’s spokeswoman: “Speculating about possible nefarious uses might make for interesting media columns, but these kinds of unfounded theories completely disregard the importance Amazon places on protecting its relationship with customers and partners that has guided us since day one.”
We’re just supposed to trust Amazon. But this is the same company that, after making privacy assurances, was found to have workers listening to Alexa recordings from people’s homes, and handed to police Ring camera video clips without owners’ consent.
“We don’t need another pinkie promise from a tech company that they’re going to safeguard our data,” says EPIC’s Geoghegan. “We need meaningful limitations on what data they can collect and use.”
HIPAA doesn’t protect as much as you might think
How is this legal? First, Amazon claims a different status under HIPAA than your neighborhood doctor’s office. It says its Clinic is a provider of storefront software to outside health care providers such as HealthTap — not a health care provider itself. So the Clinic isn’t a clinic. Got that?
That means Amazon is only a business associate of health care providers, which limits its use of patient data. (It’s something like videoconference software Zoom, which is also a business associate doctors use for telemedicine.) But Amazon wants to be able to do more. The example it gave me: If one of its health care providers leaves the Clinic, it wants to quickly rematch the customer with a different Amazon provider and port over that patient’s medical data.
HIPAA does specifically allow companies to ask for disclosure that isn’t normally permitted. For example, HIPAA requires an authorization to disclose heath data for most forms of marketing. (Last year I wrote about a company called Phreesia that makes doctor-office check-in software; it uses an authorization to be able to show patients targeted ads for treatments right before they see the doctor.)
Signing an authorization isn’t a “waiver” of your rights, but you’re contenting to your data being disclosed for additional purposes, at which point it leaves the protections of HIPAA, said HHS’s Fontes Rainer.
Tour Amazon’s dream home, where every appliance is also a spy
But HIPAA also says that you can’t condition treatment on whether you sign an authorization. On Amazon’s form, it says if you refuse to sign you can still get service from one of its health care partners by “reaching out” directly. Then it offers a link with their websites and phone numbers.
I did that. For my allergy treatment, which I got for $30 from Amazon, I would have had to pay HealthTap at least $101, including the cost of a quarterly subscription. (HealthTap offers direct patients much more personal service than Amazon Clinic, including a 15 minute video consult with a doctor.)
But that’s hardly an equivalent cost for those who don’t want to consent. Could that be a HIPAA violation? It’s debatable, says Geoghegan of EPIC. But it would also have to pass muster with the Federal Trade Commission, which would look at whether it is unfair or deceptive. It has brought cases along those lines in the past.
“To make a truly informed choice in this current consent form, you’d need a law degree, a lot of extra time, and attention span to read the fine print of loopholes in HIPAA,” says Downing.
I’m just as frustrated with our lawmakers as I am with Amazon. HIPAA was written in 1996 primarily to make medical records portable, at a time when many were stored in folders on shelves. No wonder the law can’t keep up with digital businesses harvesting health information. HIPAA also doesn’t cover the growing trove of body information collected by Apple Watches and even Google searches.
Some good news: Last week, Washington became one of the first states to adopt health data protections that put limits on tech companies’ ability to collect and sell our health information.
If you’re an Amazon Clinic patient and now slightly horrified by what you agreed to, there is some more good news. Amazon is at least required by law to let you revoke your authorization. Of course, they’ll make it a lot more work than agreeing in the first place. You have to download this form, and then physically send or fax it to Amazon’s General Counsel.