Bloomberg Law
Nov. 25, 2020, 10:57 AM

Amazon’s Pharmacy Venture Opens New Privacy, Security Law Risks

Jacquie Lee
Jacquie Lee
Jake Holland
Jake Holland

Amazon’s push into delivering prescription drugs puts it in the crosshairs of everyone from state attorneys general to data thieves—who will all be scrutinizing how the e-commerce giant protects sensitive patient information.

Amazon’s new online pharmacy business will sell brand and generic prescription medications that consumers can buy through their insurance or through their Amazon Prime accounts for a discount. Collecting that sensitive patient data means Amazon will have to navigate its way through various overlapping federal and state privacy and data security laws. The company’s sizable footprint puts it squarely in several enforcement agencies’ sights.

At the federal level, Amazon will need to contend with the Health Insurance Portability and Accountability Act, the health privacy law that dictates who can disclose health data and how. Staying on the right side of the law means Amazon’s business associates—which could include coders, IT providers, and medical transcriptionists—will have to ensure they protect patient data as well, said Jon Moore, chief risk officer and head of consulting services at health-care cyber risk management company Clearwater Compliance.

Amazon Pharmacy works with HIPAA-permitted business associates, including software providers and accounting services providers, a company spokesperson said. Those companies “agree to abide by HIPAA requirements,” the spokesperson said.

Because of its size and brand recognition, Amazon will be under a legal microscope, said Linda Malek, who chairs Moses & Singer’s health-care and privacy practices.

“I don’t think it’s unreasonable to expect that they would be subjected to more scrutiny,” she said.

State by State

Though Amazon Pharmacy won’t serve Minnesota, Hawaii, Illinois, Kentucky, and Louisiana, it will have to navigate various state laws that can be much different and sometimes more restrictive than federal requirements.

Federal laws “permit pharmacies to share patient information with others involved in a patient’s care” like family members or friends, but “state law may not permit these types types of communications as broadly,” Dianne Bourque, a health privacy lawyer at Mintz in Boston, said.

New York law has more robust consent requirements and limitations of using and disclosing HIV/AIDS information that go beyond HIPAA requirements, Malek said. It also has more stringent requirements for how mental health information can be used.

States may have tighter laws on using health data for marketing and how to disclose that sort of collection, Malek said.

“Texas law has fewer exceptions than HIPAA to the general requirement that authorization be obtained prior to making a marketing communication,” she said. Texas also has “specific opt-out requirements that must be included in any marketing communication.”

Amazon said it won’t use health data to market people products. It will ask “explicit permission in a clear and transparent way” if that changes, a company spokesperson said.

Under Regulators’ Eye

Customers who think their private information has been mishandled or misused will have a powerful ally in their corner—the Department of Health and Human Services’ Office for Civil Rights.

Consumers can submit privacy or health-related complaints to the office, which investigates them on behalf of the consumer.

“We know from representing all kinds of clients for many, many years that patient complaints are taken very seriously,” Bourque said. “They trigger a response. And OCR doesn’t back down until they’re satisfied that the complaint has been addressed.”

Ensuring Security

Collecting reams of private patient data could make Amazon and its business associates more attractive targets for the kinds of data thieves that have hit hospitals with ransomware and other cyberattacks.

The IT firms working with covered entities such as Amazon are subject to a variety of data security provisions that include conducting risk analysis and information system reviews, Moore said. Those companies should also establish robust cybersecurity compliance programs and respond accurately to security questionnaires.

They should hire security experts with backgrounds in health compliance to ensure they meet the law’s particular requirements and shield themselves from potential liability.

“A lot of things in the security industry are called risk analysis,” Moore said. “But under the HIPAA Security Rule, a lot of those things don’t qualify.”

Amazon should remain vigilant of heightened risk in the health-care space, including cyberattacks and ransomware incidents against hospitals, said Amy Leopard, a health-care and privacy partner at Bradley Arant Boult Cummings LLP in Nashville.

It should also monitor its third-party associates to assess their security profiles and make sure proper safeguards are in place, she said.

“The new regulatory paradigm that Amazon is entering is the healthcare regulatory space beyond HIPAA,” Leopard said. “They’ll have to abide by the laws that govern pharmacies, including state laws, Medicare guidelines, and state insurance or state Medicaid requirements.”

To contact the reporters on this story: Jacquie Lee in Washington at; Jake Holland in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Andrew Childers at