Amazon Care and privacy: A host of unknowns

Posted in "In The News" by Barbara Jacoby

By: Matt Fisher


If HIPAA does not apply to Amazon Care, then absent another privacy regulation applying, avoiding exploitation of the data relies on the good faith of the entity operating the service.

The recent announcement by Amazon concerning a national launch of its telehealth offering, Amazon Care, is generating a significant amount of buzz and speculation within the healthcare industry. Most of the buzz is focused on whether Amazon Care will overtake existing major telehealth players or how Amazon has learned from experience within healthcare. Leaving aside the delivery aspects, a bigger question could exist around the privacy of health information generated through the use of Amazon Care. Depending on the exact means of implementation and rollout, the regulatory protection of that information, or the lack of it, could be very important.

Nature of the Amazon Care Service

The exact nature of how Amazon Care delivers its services will greatly influence what, if any, privacy regulations govern its services. The announcement of Amazon Care’s expansion directly from Amazon frames the service as a workplace benefit that will mirror how it operated during the initial pilot phase. Looking at the pilot phase first, the service consisted of a telehealth component (mix of chat or telemedicine) and some ability to receive an at-home visit, which means in-person care. The expansion will seemingly extend those services to more locations operated by Amazon as well as entry into a broader market by selling the same services to other employers.

The important component in the announcement is that the services will be offered to employers. The announcement implies that employers, whether external employers or Amazon itself internally, pay for the services offered by Amazon Care. It does not appear that claims or other requests for payment would be sent to an individual’s insurance plan or otherwise paid for in a more traditional reimbursement model.

Viewing the service as part of a benefit plan offered by an employer would be an alternative angle to take. If telehealth or limited in-person care is a direct service offered by an employer, then it could be similar to a wellness program or other service offerings that are subject to plan rules and regulations.

Why is the Nature Important?

The characterization of the services is important from a privacy perspective. Even though a service may look and act like a regular healthcare service, it may not actually be one for HIPAA purposes. The disconnect in the analysis can be surprising, but the distinctions are important. If HIPAA does not apply, then absent another privacy regulation applying, avoiding exploitation of the data relies on the good faith of the entity operating the service.

Looking at how Amazon Care may apply in practice, the likelihood that no claims will be submitted for the services is very important. Under HIPAA, a “health care provider” is not just a person or entity that provides healthcare services. It is also necessary for a claim to be submitted electronically, which means sending a claim for reimbursement. If no reimbursement is sought, then no claims are submitted and the entity does not meet the definition of a covered entity as applicable to a health care provider. If Amazon Care does not meet the definition of a covered entity, then it is not subject to HIPAA-imposed privacy obligations at the top level.

The scenario is similar to direct primary care practices. A direct primary care practice may voluntarily choose to abide by the standards of privacy and security established by HIPAA, but there is no affirmative legal obligation to do so. That boils down to the organization choosing to meet expectations, but not being obligated to do so.

If Amazon Care chooses to bill insurance for the services provided to individuals, then the scenario is more traditional and HIPAA applies. However, the description in the announcement does not tend to support an outcome in that direction.

Another means of HIPAA coming to bear as a legal requirement would be if Amazon Care is part of a health plan offering. An additional benefit can be part of a health plan offering if it forms a part of the overall offering, is identified as a component of the health plan, or certain other facts fold it in. Wellness programs are a prime example of an additional offering that can become part of a health plan. For example, the wellness program could be used to incentivize better behavior that provides access to premium reductions. However, if the wellness program is offered directly by an employer and stands apart from the health plan, then HIPAA does not apply. Ultimately, if the service is a component of the health plan offering, then HIPAA is swept in as health plans are another form of covered entity. The outcome requires a case-by-case review as different employers or entities may implement additional services differently.

In the event the service is considered part of a health plan offering, Amazon Care may still not be a covered entity. Instead, it could be a business associate that must protect the data consistent with HIPAA for the applicable covered entity health plan. The outcome from the protection point of view is the same, but there could potentially be more restrictions as the covered entity can set the ground rules for use of any healthcare data.

Privacy in the Absence of HIPAA

Since there is a high likelihood of HIPAA not applying to the service, what privacy protections exist to prevent broader use of any collected data? State law could create the desired protections, though any impact will vary on a state-by-state basis. Knowing the full extent of potential protection would require a 50-state survey, which is time consuming. However, just because a privacy law may exist in a state where operations occur, there is still not a guarantee that the state law would apply. Some state laws (looking at California and Virginia) have thresholds relating to the volume of individuals impacted and/or revenue generated in the state. Amazon as a whole likely meets any threshold requirements, but that could be small comfort if data could potentially be used across services.

In terms of the impact of state law, the evolving nature of state privacy law will create shifting sands on protection. Predicting what will happen is an uncertain place to be.

Good Intentions

Without the clear application of federal or state laws, it should be acknowledged that the Amazon Care website currently (at least as of the writing of this article) reflects that privacy will be respected and healthcare data will not be used for other purposes. If that statement is trusted, then comfort does exist. However, it is not currently possible to understand what those limitations might be, as there are no readily findable terms of use or privacy policy that apply specifically to the new service. The only documents available near the launch of the website focus on general policies applicable across all of Amazon’s services and were not necessarily recently updated.

Without being able to confirm terms specific to the new service, the assertion of protecting information and not using it for other purposes can only be taken at face value. Trust will need to be earned that unexpected use will not occur.

The Rollout

As Amazon Care begins to roll out and be used, tracking privacy in the wild will be important. The scope and value of data are only increasing, which underscores the need to be vigilant and look at all of the details.