Experts: Amazon Pharmacy Poses Risks Due to Holes in HIPAA

By Maria Marabito

Amazon has launched its online pharmacy, Amazon Pharmacy, but experts told Digital Privacy News that the service could jeopardize user privacy — as federal HIPAA protections might fall short in safeguarding sensitive health information.

“Nothing requires Amazon to keep medical information private in the true sense of the word, because HIPAA authorizes broad sharing of data between health care entities and their business associates,” said Twila Brase, a registered nurse who is president and cofounder of the Citizens’ Council for Health Freedom (CCHF) in St. Paul, Minn.

“Thus, the promise of HIPAA is security after and during the data transfer.”

But Amazon said in its privacy policy that it must comply with the Health Insurance Portability and Accountability Act because the service involves protected health information.

“Amazon Pharmacy, like Amazon, takes customer privacy very seriously,” an Amazon Pharmacy spokesperson told Digital Privacy News. “Amazon Pharmacy customers’ protected health information (PHI) is protected by our practices and by law, including HIPAA.”

Calls for Updating

The law, signed by Democratic President Bill Clinton in 1996, has come under fire recently for being outdated and for setting low enforcement standards for the digital age.

“There are two major risks,” Fred H. Cate, professor and vice president for research at Indiana University in Bloomington, told Digital Privacy News.

“One is that we don’t protect privacy well enough,” he said. “The other risk of not updating HIPAA is we leave too much stuff out in the wild and unprotected.

“The challenge with HIPAA is that where it applies — the delivery of and payment for health services — is cumbersome and bureaucratic,” explained Cate, who also is an expert in privacy and security laws.

“But the even bigger problem is the many areas in which it does not apply — such as medical, fertility and fitness apps on smart phones and the sale of supplements and other quasi-pharmaceuticals.

“Amazon is a good example of that divide, providing important products and services on both sides of it,” Cate said.

Separate Operation

Introduced in November, Amazon Pharmacy builds on Amazon’s adoption of PillPack, an online delivery system for select medications, which the company acquired in 2018.

Amazon maintains that its online pharmacy is distinct from its retail services and that customers’ private health data will not be used to populate recommendations for

Customers can sign into the pharmacy using their preexisting Amazon account. 

Marketed as a “simpler pharmacy,” Amazon Pharmacy comes as the COVID-19 pandemic has brought less in-person shopping and stronger reliance on shipping services.

The service offers users prescriptions and generic medications for a low price, with additional discounts and perks for prime members, including two-day shipping.

The Amazon Pharmacy spokesperson told Digital Privacy News: “We do not currently ask for a customer authorization to disclose their protected health information for advertising or marketing outside the pharmacy as part of customer sign-up or onboarding.

“Because of that, customers can be confident we do not share information with any entities outside the pharmacy for those purposes.

“If that ever were to change, we would ask explicit permission in a clear and transparent way,” the representative said.

‘Weakest Restraints’

But HIPAA has holes — and Indiana University’s Cate and other critics have called for updates and improvements.

The law “should put less focus on bureaucratic tools — like notices no one reads and signatures on forms affirming that patients have read notices they may never have seen — and more focus on substantive privacy and security protections,” Cate told Digital Privacy News.

“Currently, it puts its weakest restraints on marketing of health services using personal data and its most restrictive on life-saving research,” he added. “This just seems perverse and contrary to consumer expectations.

“It just doesn’t work well for a digital age in which most of us provide the vast majority of our health data in nonmedical settings.”

However, Cate noted that HIPAA “still permits state regulation of health privacy, so Amazon will have to comply not only with HIPAA, but also with a hodgepodge of state laws.

“It is easy to see how that increases costs, but hard to see how it enhances privacy,” he said.

‘Business Associates’

Protected health information held by covered entities like Amazon Pharmacy can legally be shared with “business associates” as defined by HIPAA — usually third-party providers like accountants and consultants — though the definition covers a broader range of functions and activities.

“There are at least 1.5 million business associates, according to the federal government, allowing patient data to be shared by Amazon with associates regardless of patient consent,” CCHF’s Brase said, “unless a state has a patient privacy law that restricts access by requiring patient consent.”

Minnesota has such a law, she said.

“Too many state legislators believe HIPAA protects patient privacy, giving them no reason to enact state privacy laws,” Brase told Digital Privacy News.

“They do not realize that state privacy laws supersede HIPAA’s permissive data-sharing rule.”

De-Identified Data

HIPAA only extends as far as identifiable data. Once the data becomes de-identified, it is legally open to use of any kind.

“It’s important to distinguish between privacy and security,” Brase said. “In a digital world, even security cannot be promised.

“Hackers and ransomware criminals have penetrated the largest industries and government agencies, often going months or years undetected.” 

Amazon officials continue to assert that privacy protection is a top concern, but the company’s retail services have been breached in the past — including last August’s hack of Amazon’s payment partner Juspay.

“Because of HIPAA, no one can trust that a pharmacy will protect the privacy of their information,” Brase told Digital Privacy News, “and increasingly pharmacies receive medical-record information as a result of ePrescribing.”

Smaller Shops Imperiled

Amazon Pharmacy also represents a new alternative to smaller, local pharmacies — and Brase urged customers to weigh their options carefully.

“Small, independent pharmacies may be willing to restrict outside access to the patient’s data more than large corporate pharmacies,” she told Digital Privacy News.

“Patients may want to consider independent pharmacies when they choose a pharmacy,” Brase added. “If privacy and freedom from profiling is important to them, a higher cost for medication may be worth the price.”

But market consolidation could bring fewer choices for customers, particularly as COVID continues its path of destruction, experts warned.

“As Amazon grows under the Amazon-favorable conditions of COVID-19 restrictions, and as smaller pharmacies may be suffering,” Brase said, “it’s possible that the market will shrink to a few surviving big pharmacies — limiting the choices of Americans and increasing prices due to consolidation.”

Cate observed: “We already trust Amazon with data that for many people is more sensitive — what we watch and read, what we store in the Amazon cloud, financial and location information — and, to date, the company has a good track record.

“They may actually bring stronger privacy protections to pharmacy data than many hospitals and medical offices do.

“But it won’t be because of HIPAA,” Cate cautioned. “It will be in spite of HIPAA.”

Maria Marabito is a Pennsylvania writer.

Effect on the Market

Amazon Pharmacy is not expected to have a large impact on the pharmaceutical-distribution market, according to a November report from the J.P. Morgan Chase investment firm.

“We don’t expect this to be a game changer or lead to significant share shifts in the near term,” Lisa Gill, managing director and senior analyst, said in Morgan’s Healthcare Technology and Distribution report.

“In our view, the retail pharmacies have had several years to prepare for this — and, while Amazon brings strong fulfillment capabilities and an easy-to-use customer interface, the (pharmacy) companies have been adapting their business models and adding new services and offerings that can’t be easily replicated by online-only providers.

“We point to CVS’s comprehensive integrated offering and ability to lower overall health care costs as a primary example,” Gill said.

— Maria Marabito