Tech companies and healthcare: Is privacy at stake?

Imagine the following scenario:

You are experiencing a cough, fever and chills and need to see a doctor. You lack transportation and no one is available to give you a ride. Accordingly, you walk into your kitchen and call out, “Alexa, where is the nearest doctor’s office?”

Alexa responds, “Rockingham Medical Care in Hampstead, New Hampshire.”

You then say, “Book me the soonest available appointment.” Alexa responds,

“OK, I booked you an appointment with Dr. John Thomas at 2:30 p.m. this afternoon. Do you need a ride?”

You reply, “Yes.”

Alexa responds “OK, an Uber driver will pick you up at 2 p.m.”

A few years ago, this scenario would have been fantasy. Today, this scenario verges on reality.

In April 2019, Amazon announced that its Alexa cloud-based voice service is now HIPAA-compliant. HIPAA is the federal law governing the privacy of health information. The press surrounding this announcement made it seem like anyone can now use Alexa in a HIPAA-compliant environment, but that is not true — yet.

Instead, Amazon has started an invitation-only pilot program through which it has partnered with six different healthcare entities, such as hospitals, health systems and prescription drug companies that have built HIPAA-compliant applications through which patients can transmit protected health information (PHI). The six companies are Cigna, Boston Children’s Hospital, Express Scripts, Atrium Health, Swedish Health and Livongo.

These six companies have worked with Amazon to develop applications that utilize Amazon’s Alexa voice service to assist healthcare consumers with various tasks. Examples of programs currently in use include using Alexa to schedule appointments at urgent care centers, to query blood sugar readings and trends, and to allow the parents of a child who has undergone heart surgery to provide updates about their child’s progress to the care team.

Before the April announcement, Amazon took the position that Alexa was not HIPAA-compliant because Amazon may record information communicated by users, and this information may be stored in the cloud without user authorization. In order to comply with HIPAA, Amazon has now signed business associate agreements with the six companies listed above, which require Amazon to safeguard the confidentiality of PHI transmitted by those companies with which it has contracted. Under HIPAA, a business associate agreement eliminates the need to obtain patient consent to disclose PHI.

Some have expressed concern regarding how Amazon, one of the nation’s largest retailers, will use the PHI it collects. For example, will Amazon use PHI to market products to consumers it knows have a given health condition? Others have expressed concern about Amazon’s ability to comply with heightened state and federal privacy law requirements governing sensitive categories of health information such as behavioral health, substance use and genetic information.

It is unclear whether any of these types of information are currently being exchanged or will be exchanged in the future.

Amazon is not the only company to make a healthcare play in recent months. Uber has rolled out its Uber Health platform, which allows healthcare providers to schedule transportation to and from medical visits for their patients. Uber drivers are not informed that the passenger’s ride was booked using Uber Health, and Uber has signed business associate agreements with its healthcare clients. Similarly Lyft, another ridesharing service, has partnered with LogistiCare to help coordinate transportation to non-emergency medical appointments.

In addition, Apple has launched its “Health Records” application, which allows users to aggregate their medical records from various healthcare providers on their smartphones. The idea is that users can take their medical records with them and store them all in one place as they travel through the healthcare system. According to Apple, Health Records connects directly with electronic health records systems and transmits medical records directly to a user’s phone using the Fast Healthcare Interoperability Resources (FHIR) standard. Health Records is encrypted and password-protected. Health Records is in the beta phase right now and, like Amazon, Apple has contracted with certain health systems as part of the rollout of this service.

The technological developments described above are exciting and are likely to increase access to healthcare and health information. However, as this technology develops, it is important to proceed with caution to ensure that the confidentiality of users’ PHI is protected and that users clearly understand how their PHI will and will not be used. One only need look at the estimated $5 billion fine Facebook expects to pay to the Federal Trade Commission to see how carefully technology companies must proceed when dealing with the privacy of user information.

Jason D. Gregoire is a shareholder in the law firm of Sheehan Phinney, whose healthcare practice consists of advising providers on regulatory, corporate, contracting, licensing and patient care, among other issues.