The acquisition of One Medical by Amazon is not only raising questions of possible antitrust violations, the Federal Trade Commission is also putting the companies and the broader health-app market “on notice” that it intends to keep monitoring consumer health data and use its enforcement arm when warranted.
The FTC warning about its consumer data privacy concerns stems from the companies' public notices that it would not misuse health data after Amazon finalized its $3.9 billion deal to buy the membership-based primary care practice one week ago.
The FTC is already examining possible competition issues with the purchase in light of complaints around the tech giant’s expansion into the healthcare space. The American Economic Liberties Project previously stated: “Amazon has no business in healthcare.”
The deal “will also pose serious risks to patients whose sensitive data will be captured,” AELP warned after the purchase was made public. The new FTC statement shows its commissioners are equally concerned about the possible risk of violating consumer protection laws.
“One Medical has made representations about how it would collect, analyze, store, share, and use consumers’ sensitive health data,” the commissioners wrote. Amazon has made similar public representations “that they will not share consumers’ personal health information for advertising or marketing purposes without their clear permission.”
The FTC, however, is not convinced Amazon will follow through with these “promises” and urged company leadership to “make clear” how they intend to use health data covered by the Health Insurance Portability and Accountability Act.
Amazon should also publicly assert how it intends to “use any One Medical patient data for purposes beyond the provision of healthcare.”
Failure to “obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data may be in violation of the law,” the commissioners added. The FTC fully intends to leverage its authority to monitor the market for possible privacy violations and take action against companies that fail to adhere to privacy laws.
FTC’s role in securing health data not regulated by HIPAA
The warning to Amazon is the latest FTC action signaling its increased enforcement presence in protecting consumer privacy and health data that falls outside of the HIPAA purview. It’s a welcome change, given the rapid explosion of consumer-focused health apps that fall outside of the Department of Health and Human Services’ regulatory scope.
Health- and mental-health apps are notorious for particularly dubious privacy practices; each year reports reaffirm that the majority of the most popular apps routinely share consumer data with third parties and without consent or transparency into the practices.
Flo Health was one of the first FTC actions taken against a health app for similar violations, and soon after, the agency warned it intended to levy its Health Breach Notification rule to further enforce egregious violations. After the Supreme Court struck down Roe v. Wade, agency leaders reaffirmed its commitment to shielding consumers from questionable health-app vendors.
GoodRx was the first enforcement action taken under the rule after the FTC confirmed a 2019 study finding the company shared its users’ data with 20 third-party data brokers. The company took issue with the $1.5 million penalty, but the Department of Justice has since finalized the settlement and ordered GoodRx to properly notify consumers about the past privacy breaches.
Coupled with the warning to Amazon, digital-app developers should review privacy practices to prevent future FTC actions.