Pamela Hepp, shareholder in the firm's Healthcare section and co-chair of the Cybersecurity & Data Privacy group, comments on how Amazon may use new access to patient information and the impact it may have on privacy in The Verge's article "Amazon’s Alexa Can Handle Patient Information Now — What Does That Mean for Privacy?"
Pamela Hepp, co-chair of the Cybersecurity and Data Privacy Group at Buchanan Ingersoll and Rooney, says that it is possible that patient information could be shared and used to train one of Amazon’s artificial intelligence algorithms. Again, it depends on the agreement. The HIPAA Privacy Rule does require written authorization before someone’s health information can be used for marketing, adds Hepp, but what constitutes “marketing” is not as straightforward as one might think. For example, a company could theoretically use a patient’s information to provide them with info about new services, even if that service isn’t related to the patient’s health needs. In these cases, Alexa could be used to communicate that information, though Alexa couldn’t market Amazon’s own products.
It’s also important to note that there is no official certification process for becoming HIPAA compliant. “There’s no Good Housekeeping seal of approval” or formal process to prove that someone is now HIPAA compliant, according to Hepp. Rather, it is a self-implemented process.
Still, Hepp points out that the more “entry points” there are into a medical system, the more risk there is for a cybersecurity breach. And Tschider says she’s concerned about the details of what is in those data use agreements: “I’m concerned about how a very large organization that also sells me stuff is going to use my health information.”