Amazon's PillPack Deal Could Give It Reams of Users' Private Medical Data

Amazon CEO Jeff Bezos.
Photo: AP

E-commerce giant Amazon wiped out nearly $15 billion in value from Walgreens, CVS, and Rite Aid this week when it announced a nearly $1 billion deal to acquire PillPack, an online prescription service, sending the competition scrambling for cover. It’s unclear just how Amazon plans on integrating PillPack into the rest of its offerings, with rumors of a Prime Prescriptions service or something similarly ominous.


One catch for Amazon, though: Federal regulations stipulate that private medical data, such as prescription histories, can’t be used for marketing purposes like the behavioral tracking Amazon uses to pump up its retail model. According to the Wall Street Journal, the company only has a few limited ways to proceed with patient data: It could compartmentalize the PillPack business into its own unit with limited data-sharing with the rest of Amazon, or it could reorganize the entire Amazon business to become compliant with the Health Insurance Portability and Accountability Act (HIPAA), which would probably be more trouble than it’s worth.

The Journal writes:

“Prescription drug information is highly personal information—it can tell if someone has cancer, if they have a sexually transmitted disease,” said Julie Roth, a health-care regulatory attorney with Spencer Fane LLP in Overland Park, Kan. That may raise some privacy concerns, she said.

There’s also the possibility Amazon could gain access to some data by asking users to give explicit opt-in consent, though HIPAA would still limit the ways in which the company is allowed to use it:

... The federal privacy act does allow companies to share information about patients for marketing purposes, but only with the patient’s consent. That consent could be given when patients simply check a box on privacy disclosures that come with most medical transactions.

“Nobody reads the notice of privacy practices,” said Ryan Stark, senior privacy attorney with the law firm of Page, Wolfberg & Wirth. He said Amazon likely would need to wall off PillPack from its larger operation, otherwise it might have to take steps to ensure the entire business meets federal privacy standards, which govern everything from who has access to data to how user passwords are encrypted.

Basically, that means it would be difficult for Amazon to see that a customer is ordering, say, blood-pressure medication, and then keep on recommending they order more carrots through Amazon Fresh—at least not without the customer opting in. 

As the Journal noted, PillPack is a relatively small business compared to Amazon, with “tens of thousands of customers versus Amazon’s hundreds of millions.” But as Amazon’s prescription business grows, so will its role as a safekeeper of some of the most sensitive personal information of its users.


Amazon does already stockpile large amounts of information about users’ health by tracking purchases of things like medical supplies, books and apps, or over-the-counter drugs, which the Washington Post noted in January is already considered a fairly major loophole in HIPAA. Amazon CEO Jeff Bezos is also teaming up with executives at Berkshire Hathaway and JP Morgan Chase to potentially form a health insurance initiative for their companies’ staff, saying whatever entity they formed would be free from profit-making constraints.

“So much of this is unknown right now, but ultimately it would not surprise anyone if they start as a nonprofit health-care provider for 1.2 million employees, and in a few years, add it as yet another Amazon Prime benefit for general consumption,” Stephen Beck of NYC-based consulting firm cg42 told the Post. “If we look down the road a few years, the obvious concern is data and privacy.”


[Wall Street Journal]



Tebow Kneeled First

“Hey Alexa, how many months do I have left on my cancer prognosis?”