Amazon Completes Acquisition of One Medical Amid Concern About Uses of Patient Data
Amazon has completed its $3.9 billion acquisition of the primary care provider One Medical as the retail behemoth continues its move into the healthcare ecosystem. One Medical has over 220 medical offices, a subscription-based telehealth service, and an electronic health record system, and contracts with more than 9,000 employers across the country. When Amazon announced its intention to acquire One Medical, consumer groups and privacy advocates expressed concern about the potential for misuse of patient data, with many analysts believing that data acquisition was a driving factor behind the deal.
The consumer rights advocacy group Public Citizen voiced concern about the merger and has been urging the Federal Trade Commission to step in and block the deal due to fears that Amazon could gain an unfair advantage in the healthcare market by leveraging the retail side of its business. For instance, Amazon could add One Medical services to its Prime membership package or use the retail side of the business for advertising products related to customers’ medical conditions. Of even greater concern is the potential for Amazon to use the medical data of One Medical patients for other purposes.
One Medical has approximately 836,000 members, and the health data of those individuals could easily be used for a range of purposes. Amazon has stated that One Medical data will be kept totally separate from the retail and marketing side of the business and that it will be fully compliant with HIPAA, which prohibits the use of patient data for reasons not related to treatment, payment, or healthcare operations without consent. There is concern that Amazon may try to get around these restrictions, for example by offering incentives to One Medical patients to consent to the use of their health data for purposes such as marketing.
The FTC also has concerns about the merger and went as far as preparing a lawsuit to challenge the acquisition, but it was never filed, presumably because the agency failed to find sufficient grounds to block the deal. As Rob Weissman, President, Public Citizen, suggested, “It’s a very, very problematic merger, but the kinds of concerns it raises don’t line up perfectly with antitrust law.”
The FTC is concerned about the merger and recently communicated some of its concerns about the limitations of current healthcare data privacy laws. On February 27, 2023, in response to the closure of the deal, FTC Commissioner Alvaro M. Bedoya and Commissioner Rebecca Kelly Slaughter issued a statement regarding the acquisition, calling for Congress to update the Health Insurance Portability and Accountability Act (HIPAA) or otherwise address U.S. privacy law, which they said is “both aging and incomplete.”
In the letter, Bedoya pointed out some of the regulatory gaps in the HIPAA Privacy Rule that could potentially be exploited by Amazon. The HIPAA Privacy Rule restricts uses and disclosures of protected health information (PHI), which is any individually identifiable healthcare information that relates to the past, present, or future health of an individual. PHI ceases to be PHI if it is deidentified, which involves stripping out 18 identifiers that allow that information to be tied to a specific individual. At the time when the HIPAA Privacy Rule was drafted, those 18 identifiers were considered complete, but there are now many more ways that individuals can be identified and that list has not been updated since.
Bedoya explained that when the Privacy Rule was drafted, the HHS failed to limit the uses of deidentified data to improving the efficiency and effectiveness of healthcare delivery. Instead, the HHS ruled that once deidentified, PHI is no longer PHI and is no longer covered by the HIPAA Privacy Rule, so there are no restrictions on what can be done with that data once those 18 identifiers have been removed. With respect to One Medical data, Amazon is free to do whatever it chooses with that data, provided it does not re-identify individuals. As Bedoya explained, Amazon can say it is HIPAA compliant, which suggests that it will not use patient data for anything other than health-related matters, when the reality is patient data – in a deidentified form – can be used for other purposes without restriction.
“When HHS proposed the Privacy Rule in 1999, I doubt that it had reason to anticipate that one day the world’s largest retailer—a company of profound technological sophistication—would amass people’s health information on this scale,” wrote Bedoya. “I encourage Congress to continue working toward new privacy laws and HHS to consider updating its Privacy Rule to better reflect the reality of how firms can use health data.”
Bedoya also said health information is not solely protected under HIPAA, and the FTC will be closely monitoring Amazon and the health app market and will not hesitate to initiate enforcement actions if laws are violated.