- Amazon has been expanding rapidly into the healthcare field, but its approach to patient privacy could use a lot of tweaking if the company doesn’t want to run into HIPAA compliance problems down the road.
Amazon has set up a health and wellness team within its Alexa division to make the digital voice assistant more useful in the healthcare field.
The company has also joined with Berkshire Hathaway and JP Morgan to form a joint healthcare company to provide healthcare to their employees, and it recently purchased home delivery pharmacy company PillPack for around $1 billion.
But the company recently demonstrated a cavalier approach to a breach of patient privacy that doesn’t bode well for its ability to protect medical information and respond to health data breaches.
Vernon, Connecticut resident Leah Luce recently purchased a medical alert bracelet from a third- party seller on Amazon.com. The bracelet included Luce’s name, date of birth, emergency contact information, and medical condition printed on the inside of the bracelet, explained a report by NBC Connecticut.
Luce was then informed by her physician that photos of her bracelet with her medical information were visible on the Amazon website in advertisements for medical ID bracelets, the report noted. Luce called Amazon and an agent told her the company would investigate. She later received an email from Amazon saying that the company could not release the outcome of the investigation.
Obviously, this part of Amazon has not been trained on how to handle patient privacy breaches. As Amazon continues its healthcare expansion, it will need to do a lot better job of putting medical data security policies in place and training employees on how to handle breaches.
Luce ultimately got satisfaction when she contacted NBC Connecticut. The TV station sent emails to the seller of the bracelet, Personalized Love Jewelry, which responded almost immediately with an apology and a pledge to remedy the situation.
“All Marketplace sellers are required to follow our selling guidelines and those who do not will be subject to action, including potential removal of their account. The products in question are no longer available,” Amazon said in its response to NBC Connecticut.
The TV station confirmed that the photos of the bracelet with Luce’s medical information is no longer available on the Amazon site.
Sellers like Personalized Love Jewelry fall into a gray area when it comes to HIPAA. They occasionally handle PHI but they are not considered a covered entity or a business associate under HIPAA.
According to HHS, a covered entity is a healthcare provider, a health plan, or a healthcare clearinghouse. A business associate is a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Mobile health apps also fall into this gray area. The American Hospital Association (AHA) recently warned about the potential misunderstanding among consumers concerning mobile health apps and HIPAA.
“Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a hospital’s information system to an app, it likely no longer will be protected by HIPAA,” AHA noted in its comments on the CMS hospital inpatient prospective payment system proposed rule for fiscal year 2019.
“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” AHA noted.
Providers of medical alert bracelets would likely fall into a similar category as commercial app companies when it comes to HIPAA. In the case of Luce, neither Amazon nor the bracelet seller was not subject to HIPAA rules, but the tech giant is getting into business areas in which HIPAA will come directly into play.
Amazon will need to do a better job at handling patient privacy complaints regardless of what area of the business is dealing with the aggrieved customer. If not, Amazon will be facing increasing consumer distrust and potential regulatory scrutiny.