FTC tells Amazon, One Medical: Be careful how you use patient data

Federal Trade Commission (FTC) regulators say they’re keeping an eye how online giant Amazon and new health care partner One Medical use patient data.

On Feb. 22, the companies announced they completed the $3.9 billion acquisition announced in July 2022. They immediately offered annual membership at a reduced price of $144 a year, or $12 a month, for new patients.

The move followed months of speculation about how the FTC might respond to the deal. Last year, the companies announced the Commission had sought additional information about the merger, and news media reports stated the FTC considered a lawsuit to block the acquisition.

The lawsuit never happened, but this week, FTC Chair Lina M. Khan, JD, and Commissioners Rebecca Kelly Slaughter, JD, Christine S. Wilson, JD, and Alvaro Bedoya, JD, issued statements about the acquisition and the potential misuse of patient data.

Data at risk?

The commissioners did not explain potential violations of antitrust laws or the effects on primary care, physicians’ practices, or general competitiveness in the health care market. But it appeared they’re ready to pounce if Amazon uses patients’ health information for advertising or marketing, without patients’ permission.

“The statements in One Medical’s privacy policies, combined with the recent public statements by both companies about privacy, constitute promises to consumers about the collection and use of their data by the post-acquisition entity,” said the joint statement from the four commissioners. If companies fail to honor those promises, it may violate federal free trade law.

“The Commission has a long history of bringing successful actions against companies that make statements that, though they may be technically true or qualified by fine print, convey a false net impression,” the joint statement said. The companies must treat patient data with great care, they said.

Khan is the author of “Amazon’s Antitrust Paradox,” a critical inquiry about “facets of Amazon’s power” and the company’s effects on business competitiveness and consumers. Bedoya is the founding director of the Center on Privacy & Technology at Georgetown University Law Center.

In need of an update

In a separate statement, Bedoya, joined by Slaughter, said U.S. privacy law is aging and incomplete regarding medical information. He recounted the history of HIPAA, which people often wrongly believe is the “Health Information Privacy Act.”

In reality, HIPAA is the Health Insurance Portability and Accountability Act. It tries to balance patient privacy with beneficial health-related uses of data, so the related 1999 HIPAA Privacy Rule allows information to be “de-identified,” or stripped of details that link back to specific patients, Bedoya said.

But once de-identified, the information is no longer private, the statement said, and “those entrusted with the data can do with it as they please, as long as they don’t ‘re-identify’ it.”

“To boil down this jargon: When you hear a company tell you that they will abide by HIPAA, it does not mean that they cannot use your data for other purposes,” Bedoya’s statement said. “Rather, it means they must simply remove from that data certain markers that would tie that data back to you. I think that most people would be surprised to hear that.”

Bedoya and Slaughter encouraged Congress to revise privacy rules regarding health information and said the FTC “will continue to closely monitor this space.”