The Health Insurance Portability and Accountability Act, or HIPAA, protects your private information whenever you visit a healthcare professional. Now, the bad news. HIPAA rules and regulations don’t necessarily apply to mental health apps. Here’s what you need to know.
Amazon Clinic is a service that hooks you up with clinicians for treatment. After signing up for treatment, a healthcare provider (HCP) prescribes medication for anything from allergies to high cholesterol.
Here’s the thing: Amazon is not providing the care itself. It’s more of a middleman between you and the people who will treat you. And that’s where the problems begin.
How Amazon Clinic works
All you have to do is choose an online clinic and fill out a form. You don’t need to call anyone or even have a video chat. Depending on your condition, you may need to upload photos of the affected area.
A U.S.-licensed clinician will review your information and message you with a treatment plan that includes prescriptions and behavioral recommendations. After getting your treatment plan, you can message the clinician with follow-up questions for up to 14 days at no additional cost.
Amazon Clinic doesn’t accept health insurance at this time. Instead, you pay a flat fee for care, which can be as low as $30. The cost of medication isn’t included in the fee.
Submitting private health information for your care is a normal part of any doctor’s visit, but Amazon is standing between you and them here. So what is happening with your data?
The HIPAA in the room
Though Amazon declares it’s “compliant with HIPAA and all other applicable laws and regulations,” there’s more to the fine print.
When you sign up for treatment through Amazon Clinic, you “authorize” all entities involved. This includes doctors, pharmacies and labs to share your Protected Health Information (PHI) with Amazon.
Here’s what constitutes PHI:
- Contact Information (for example, email address).
- Demographic Information (for example, date of birth).
- Account and Payment Information (for example, insurance information).
- Your complete patient file, including medical and billing records related to the services that any HCP supplies to you through Amazon Clinic.
Amazon has the right to “retain, use and disclose this information” for two purposes: If an HCP you used through Amazon Clinic no longer provides service there, Amazon will “coordinate healthcare services” on your behalf. How nice of them.
Here’s the kicker: Amazon can use your PHI “in relation to any Amazon services” to “facilitate services from other providers.” Who exactly are these providers? Doctors? Other businesses?
Amazon says your authorization is voluntary. All that means is authorization is included if you sign up to use Amazon Clinic.
RELATED: Did you use this mental health app? It shared data with Facebook
So you’ve authorized Amazon to use and disclose your PHI. As if that’s not bad enough, the terms of service say that Amazon may “redisclose” this information and that “this redisclosure will no longer be protected by HIPAA.” What?!
Before flying off the handle, ask yourself this: How protected was your information in the first place? Amazon Clinic is not actually a clinic. It’s a service that connects you with third parties such as HealthTap, Hello Alpha and SteadyMD, delivering telehealth services with clinicians. That’s far too many hoops to jump through.
Amazon is held to different standards regarding HIPAA, and you’d need an experienced lawyer to determine where exactly Amazon’s permissions begin and end. HIPAA is far behind when it comes to digital privacy, what with everyone handing over their health information to their smart watches and health apps.
RELATED: Buying health supplements on Amazon? This well-known company just got hit with a fine for faking reviews
The bottom line
While we don’t know what exactly Amazon will do with your information, here’s what we think about the whole thing: Don’t sign up for Amazon Clinic. Ask your doctor for medical advice or find a reputable clinic for treatment.
There’s no reason to hand over your most private information to a company that plays fast and loose with data.
Take it back
You can revoke your authorization if you’ve already used Amazon Clinic and have second thoughts. Of course, Amazon makes it difficult, but we’ve got you covered.
You can’t simply opt out online. You must fax or mail a written request or fill out a form. They really want you to work for it.
First, fill out this form or put together a written request that includes your name, date of birth, address and phone number.
Now you can fax the paperwork to 206-266-7010 or mail it to the following address:
Attn: General Counsel
P.O. Box 81226
Seattle, WA 98108-1226
NOTE: The revocation will not affect any disclosure that any HCP took before receiving your revocation notice.
Messaging or emailing your doctor? Be careful. It might cost you