Amazon wants your patient data—but what will they do with it?

Amazon announced in late November that it has a new software application that can mine unorganized patient data and convert the information into useable databases. Pharmaceutical companies, insurers, hospitals, researchers, and providers could get custom databases for a wide range of purposes—for clinical trials, clinical decision making, or even just simplifying data entry. Amazon said the data will be HIPAA eligible and the company won’t be able to use the data. But some experts aren’t so sure about that.

Amazon indicated that this new data processing platform, Amazon Comprehend Medical, is desperately needed because the health care industry is virtually drowning in data. Most health and patient data are “trapped” in medical notes, hospital admission records, prescriptions, audio interview transcripts, pathology results, and radiology reports. Speeding up the process of extracting this unstructured data would accelerate patient care and free up resources that could be used elsewhere, the company said.

“Identifying this information today is a manual and time-consuming process, which either requires data entry by high skilled medical experts, or teams of developers writing custom code and rules to try and extract the information automatically,” Amazon stated.

Its software platform instead uses “advanced machine learning models” that learn and improve over time, but users won’t need to have machine learning experience to operate it.

To use Amazon Comprehend Medical, customers will simply upload their “unstructured” health data to Amazon’s cloud service. Amazon’s machine learning algorithms will “read” the text, identify specific types of data, and return the results to customers in an organized spreadsheet-like database.

Advancing research but raising risks?

Fred Hutchinson Cancer Research Center, Seattle, WA, has already begun using Amazon Comprehend Medical for clinical trials of cancer therapies.

“The process of developing clinical trials and connecting them with the right patients requires research teams to sift through and label mountains of unstructured clinical record data. Amazon Comprehend Medical will reduce this time burden from hours to seconds,” said Matthew Trunnell, Chief Information Officer at Fred Hutchinson. “This is a vital step toward getting researchers rapid access to the information they need when they need it so they can find actionable insights to advance lifesaving therapies for patients.” 

Patients themselves may benefit from having access to information about their own health data. Amazon’s software could “empower a consumer to be more in charge of their own health and maybe be a more active consumer of medical services that might be beneficial to their health,” said Katherine Hempstead, PhD, senior policy adviser at the Robert Wood Johnson Foundation, Princeton, NJ, in a podcast from the Wharton School of the University of Pennsylvania, Philadelphia, PA.

Although arming consumers with more information about their health “would be great,” it also raises a crucial question, said Robert Field, JD, MPH, PhD, in the same podcast. Dr. Field is a lecturer in health care management at Wharton and dual professor of law and of health management, Drexel University, Philadelphia, PA.

“Who’s paying the bill here?” he asked. “It’s going to be insurance companies, health systems, and perhaps other large corporate entities, and they’re the ones who are going to want first dibs on the data. We have to keep an eye on how they’re going to use the data.”

Insurers can already access medical data and use technology to price their products for specific markets, Dr. Hempstead said, and the Amazon service might make it easier for them to exploit such data. For example, insurers could refuse to enroll people with conditions that they deem too risky, she said.

Data for sale

Another troublesome possibility: Companies could use the data for commercial purposes, such as selling their products to targeted patients, Dr. Field suggested.

Amazon itself raised eyebrows recently in this regard. In certain electronic health records systems, an embedded app prompts doctors to recommend health products to their patients. The doctor’s recommendation includes descriptions and links to products for sale—where else?—on Amazon. However, the app was developed by Xealth Inc., a separate company from Amazon.

For its new Comprehend Medical platform, Amazon promised it will not use any personally identifiable information in its customers’ content “to target products, services, or marketing” to customers or their end users.

“We do not access or use your content for any purpose without your consent,” Amazon stated. “We also implement responsible and sophisticated technical and physical controls that are designed to prevent unauthorized access to or disclosure of your content.”

These controls may protect patient data, but it’s important to note that while the platform is HIPAA eligible, it’s not HIPAA compliant. An Amazon blog post seemed to suggest that HIPAA compliance is the responsibility of the user: “A word of caution: Amazon Comprehend Medical may not accurately identify protected health information in all circumstances, and does not meet the requirements for de-identification of protected health information under HIPAA. You are responsible for reviewing any output provided by Amazon Comprehend Medical to ensure it meets your needs.”

That may be an important detail, especially because data breaches are becoming all too common, noted Arnold Rosoff, JD, in the same Wharton podcast. Rosoff is a professor emeritus, Legal Studies and Health Care Management at Wharton. He asked: If a data breach can happen to other major companies, why not Amazon?

“Are they [Amazon] going to tell you right away if there’s been a data breach, and then they’re going to help you sort that out?” Rosoff said. “There’s no government agency at this point that’s taking the lead and saying this is what people need to know before they start down this path.”

It’s too soon to tell if Amazon would take responsibility for a breach of private health data on its platform. If the company’s blog post is any indication, HIPAA compliance will fall squarely on the shoulders of the platform’s customers. Let the user beware.