*This writing is a blog post. It is not a published IPTF Journal Article.
Alexa Dawid
Technology giants are spending billions to enter the healthcare space.[1] Offerings like Apple’s health monitoring functions on the iPhone, Microsoft’s cloud computing services for healthcare companies, and Meta’s fitness applications through its virtual reality goggles have transformed traditional notions of doctor’s offices and paper records into convenient digital systems.[2] Amazon has been one of the most ambitious within the space, debuting six HIPAA-compliant skills for Alexa in April 2019.[3] These skills mark the first time Alexa has surpassed HIPAA requirements in utilizing HIPAA-compliant data transfers.[4] Alexa may now be used securely by healthcare organizations.[5] Although Amazon cancelled this service in December 2022, the move signaled Amazon’s venture into healthcare which continued with its $3.9 billion acquisition of primary care provider OneMedical in March 2023.[6]
Amazon’s OneMedical acquisition involved obtaining health data for 836,000 members, with similar acquisitions yielding significant additional gains in the quantity of data Amazon controls.[7] Currently, data within the Amazon ecosystem includes recorded motion outside homes from Ring Cameras, order tracking through delivery services, book pages users have read through Kindle, and floor plans of homes from Roomba vacuums.[8] The mosaic theory is a helpful lens when considering the vast amount of data to which Amazon has access. The mosaic theory states that the type and amount of information gathered, when viewed as an aggregated whole, can reveal a much greater level of information about an individual.[9] In Carpenter v. United States, the Supreme Court acknowledged the mosaic theory, holding that the defendant had a reasonable expectation of privacy to his previous cell phone location information because the near inseparable connection between a cell phone and its user “achieves near perfect surveillance as if [the government] had attached an ankle monitor to the phone’s user.”[10]
There is no safeguard under HIPAA for data lacking identifiable information (de-identified data).[11] This leaves a gap between data that is de-identified but can be re-identified using additional information.[12] HIPAA should expand its definition of de-identified data to combat against patient privacy concerns surrounding Amazon’s wealth of data. Under the mosaic theory, even de-identified data, when viewed in the aggregate of Amazon’s ecosystem, can reveal intimate details of a person’s life.[13] A seemingly insignificant data point like blood type viewed in isolation may constitute a harmless piece of de-identified data, but when viewed within a larger dataset available to Amazon, there exists a greater chance of reidentification and ultimately comprised personal health information.[14]
[1] Alphabet is spending billions to become a force in healthcare, The Economist (Jun. 20, 2022), https://www.economist.com/business/2022/06/20/alphabet-is-spending-billions-to-become-a-force-in-health-care.
[2] Id.
[3] Amazon Announces 6 New HIPAA Compliant Alexa Skills, HIPAA Journal (Apr. 5, 2019), https://www.hipaajournal.com/hipaa-compliant-alexa-skills/.
[4] Id.
[5] Id.
[6] Id.; Amazon Completes Acquisition of OneMedical Amid Concern About Uses of Patient Data, HIPAA Journal (Mar. 3, 2023), https://www.hipaajournal.com/amazon-completes-acquisition-of-onemedical-amid-concern-about-uses-of-patient-data/.
[7] HIPAA Journal, supra, note 3; Matt Burgess, All the ways Amazon tracks you and how to stop it, Wired, (Jun. 22, 2021), https://www.wired.com/story/amazon-tracking-how-to-stop-it/?intcid=inline_amp.
[8] Id.
[9] Robert Fairbanks, Masterpiece or Mess: The Mosaic Theory of the Fourth Amendment, 26 Berkely J. Crim. L. 71, 74 (2021).
[10] Carpenter v. United States, 138 S. Ct. 2206, 2218 (2018).
[11] 45 C.F.R. § 160.103
[12] Id.
[13] See Carpenter, 138 S. Ct. at 2217 (finding that physical movements captured through extensive cell-site location data provide an intimate window into a person’s life).
[14] See Duane C. Pozza and Boyd Garriot, The Risks of De-Identified Health Data Sharing: An Update on Potential State Privacy Claims and Standing, Wiley (Sept. 2020), https://www.wiley.law/newsletter-Sep-2020-PIF-The-Risks-of-De-Identified-Health-Data-Sharing-An-Update-on-Potential-State-Privacy-Claims-and-Standing (discussing implications of big data’s ability to reidentify data).