Amazon’s health clinic can share patient records. Does HIPAA need an update to protect patients from businesses?

Amazon’s health clinic may be quick and affordable, but when it comes to patient privacy, it’s not necessarily secure. A new investigation by The Washington Post revealed that the company requires patients to agree to a “redisclosure” of their health information in the future in order to use services.^[]

The agreement causes some to wonder if Amazon is breaching HIPAA laws, which protect individual medical records and identifiable health information from certain disclosures without a patient’s authorization. But patients who use Amazon’s services are authorizing this disclosure. And because HIPAA allows companies to add additional authorizations on privacy agreements (as long as patients sign and agree to them), Amazon isn’t necessarily breaking the law by requiring it.^[]

“The issue here is not necessarily that Amazon is outright breaking the rules, but that HIPAA may not be as strong or all-encompassing as we tend to think, especially when it comes to the digital age and the involvement of tech companies,” adds Ahn. “The law, written in 1996, may not be adequately equipped to regulate digital businesses that handle health information like Amazon Clinic.”

Further, Amazon isn’t a healthcare provider but a “business associate” to healthcare providers. “This distinction allows Amazon to handle patient data within the scope of HIPAA regulations as a business associate, not subject to the same restrictions as a healthcare provider,” Ahn explains. 

David Clark, partner at The Clark Law Office focused on medical malpractice, adds that Amazon’s redisclosure sheds light on existing “loopholes” in HIPAA regulations.

“All people are entitled to confidentiality unless they give permission for disclosure,” says Clark. “Whether it’s legal or not, it’s up for debate.”

Could Amazon be sued for breaking HIPAA?

It’s unclear if Amazon can or will be sued for its actions, says Clark. On an individual basis, people cannot sue Amazon strictly for violation of their HIPAA rights because HIPAA lacks a “private right of action.” However, Amazon could be sued for damages if the person proves that the company “willfully violated their HIPAA rights,” meaning they would have to prove that the entity intended to and knew it was violating HIPAA and caused harm, Clark says.^[] 

Is Amazon’s health system ethical?

Legal or not, it is likewise unclear if Amazon’s redisclosure requirement is ethical. 

“This issue straddles both medical ethics and legal boundaries,” says Ahn. “On one hand, it raises concerns about patient privacy and the handling of sensitive health information, which is an ethical issue. On the other hand, it involves the interpretation and application of existing privacy laws. It is crucial to address both aspects to ensure that patients' rights and privacy are adequately protected.”

As it stands, not all doctors are OK with it. 

Kristen Fuller, MD, MDLinx board member, and former emergency care doctor, says that Amazon does not give patients the deserved trust or protection they should receive in a healthcare setting.

“Patients' information should always be protected as health information is extremely personal,” Fuller adds. “It is important for patients to be able to trust their healthcare providers, and signing contracts that protect patients is one way to ensure this trust and for patients to be honest and disclose everything to their providers.”

“Is this legal?” she asks. “Probably. Is this ethical? That is up for debate.”

Will increased use of telehealth undermine patient privacy? 

As a large and influential business, it wouldn’t be out of the question for other companies to follow in Amazon’s footsteps.

If others were to replicate the idea, another setting that offers telemedicine—especially if acting foremost as a business but partnering with various healthcare providers, like pharmacies or health insurance companies—could be second in line, Ahn says.

Fuller adds that it is important to remember that other health clinics do not appear to be doing this (breaching privacy) right now, but that she disapproves of Amazon and other platforms that attempt it.

“With more access to telemedicine, we are going to see this type of thing more often and patients are at risk of having their information out in the Internet world,” she says.