Privacy Concerns Hang Over the Amazon and Aetna-CVS Health Deals

What about the HIPAA issues with the Amazon-Berkshire Hathaway-JPMorgan Chase initiative?

For any new health insurance company owned by Amazon, all the HIPAA rules would apply to the insurance activities. For instance, they can't send insurance data out to third parties without patient consent, or some special HIPAA exception.

And there's also marketing rules under HIPAA that set limits on how the covered entity can market to its customers. Those are quite complicated, so I don't have any view on what exactly Amazon health insurance could do with Amazon bookseller. But they would have to watch out for those HIPAA marketing rules.

What about health care information that could be derived from users' shopping history and patterns—for example, the fact that someone bought migraine medicine in bulk from Amazon?

That's another side of it. There are fewer legal restrictions on sending Amazon's e-commerce data to the health insurance company. Amazon can make a lot of inferences about its customers based on the health care books and searches that they do on the Amazon site. So Amazon might know that you have bought books about migraines and bought over-the-counter medicines for migraines, and that information is outside of HIPAA, typically, unless health insurance paid for the medicines. And that's true much more generally today. So all of those apps on people's phones—[including] fitness trackers and many other apps that can provide insight about a person's medical condition—are outside of HIPAA unless they're being run by a covered entity.

Are there other regulations, state or federal, that would cover this type of data?

In general, the law hasn't caught up with all of this non-HIPAA collection of health data. So there are fewer restrictions on the e-commerce side of Amazon sending that data to the insurance side. The rules are stricter if the insurance side, which is a regulated covered entity that has to comply with HIPAA, tries to send data out to e-commerce.

Are there other issues implicated by the other two companies' involvement in the initiative?

JPMorgan Chase is the bank involved, and there's another set of issues that come up for financial services companies. The big privacy rule there is the Gramm-Leach-Bliley Act, which sets limits on taking banking information out of the financial services company and sending it to other companies. Bank customers have opt-out rights before data goes to a third party.

There's another issue that's less well-known: The bank regulators have issued rules limiting the use of medical information in financial decisions. So if JPMorgan Chase receives medical information, they have banking rules to follow about how they can or cannot use that medical information.

For practical purposes, there are medical privacy, financial privacy and e-commerce issues, and the overall structure has to comply with all of those different legal regimes.

Is there a reason for consumers to be concerned about such health care delivery systems that may center on data sharing?

Part of the reason for the HIPAA privacy rule was to reduce the chances that people would be treated worse because of their medical history.

There are rules limiting what medical information employers can get before the hiring decision. There are rules against genetic discrimination, like the Genetic Information Nondiscrimination Act (GINA), which sets limits on decisions based on genetic information, and medical records can provide clues about a person's genetic history. So when these different types of databases are combined, there's a risk that decisions will occur that are less favorable to some of the individuals. And the privacy rules in part exist to protect against those uses of personal information.

— Read Carrier Pays $1 Million to Settle Health Data Security Claims on ThinkAdvisor.

— Connect with ThinkAdvisor Life/Health on Facebook and Twitter.