Each person’s health journey is personal. When someone seeks health care, they often share sensitive details with a medical professional—details they want to remain private and protected. This patient and provider relationship is built on trust. Across Amazon Health Services, including Amazon Pharmacy, Amazon One Medical, and Amazon’s Health Benefits Connector, we take the responsibility of safeguarding and protecting customer information seriously. That is why privacy and security are foundational to how we design and operate our products and services.
We don’t take customer trust for granted—our goal is to continuously earn that trust through the privacy decisions we make. We are clear with customers about the information we collect and how we use it, including protected health information (PHI). We protect customers’ PHI with stringent, Health Insurance Portability and Accountability Act (HIPAA)-compliant privacy and security practices to keep the information safe and secure. Amazon Health Services does not sell customers’ data, including PHI.
Our mission is to improve the health care experience while preserving patient privacy. With privacy at the forefront, we’re designing a patient experience that is less rigid, making it easier for people to get the care they need. We’re building a health care experience that is more convenient and usable, while also protecting customers’ and patients’ privacy. When it’s easy to get care, people engage more in their health, and realize better health outcomes.

We use PHI to provide care

We use this information to provide care, make getting care easier, and to ensure patient safety. For example, Amazon One Medical, including Membership or Pay-per-visit, may disclose prescription information to the pharmacy a customer chooses, which may include Amazon Pharmacy, so pharmacists can fill and dispense medication to the customer. Prior to filling and dispensing medication, pharmacists within Amazon Pharmacy may review other medications a customer is currently taking to ensure a prescribed medication will not cause an adverse or allergic reaction based on the customer’s other medications, allergies, and medical conditions. Or, Amazon One Medical may work with other health care providers who are not part of Amazon One Medical to provide patient care. For instance, if a member is treated for an injured knee, we may share their PHI among the member’s primary care provider, knee specialist, and physical therapist.

We use PHI to reduce friction for customers and providers

The health care experience in the U.S. is often cumbersome and dissatisfying. We use PHI, in a manner consistent with all applicable laws and regulations, to reduce the administrative burden for customers and providers. For example, Amazon Pharmacy may share a customer’s PHI with a health plan to check if the customer’s medication is covered by insurance. We may also use health information to make our care better for customers and patients. For example, we may use PHI to conduct quality analysis that helps us improve our services and the care our patients receive—such as Amazon Pharmacy medication fulfillment or Amazon One Medical provider and staffing needs.
We have pharmacy and fulfillment locations throughout the U.S., which allows us to get customers what they need quickly. We may look at the types of prescriptions being filled in a particular area to ensure our Amazon Pharmacy fulfillment centers have the right medications stocked for our customers and patients. And we may review patient mix by Amazon One Medical primary care office location to better understand if we need more providers with expertise in caring for a specific population at a certain location. Case in point, if an office in one city has many patients with multiple chronic illnesses, we will ensure that we have providers with expertise in those conditions. Customers can always learn more in the Amazon Pharmacy Notice of Privacy Practices and the One Medical Notice of Privacy Practices.

How we safeguard customers’ information

We have full teams working to ensure the security of customers’ information, and we maintain administrative, physical, and technical safeguards to protect it. This includes conducting rigorous security reviews and testing during product development, using encryption to protect data, and providing features like two-step verification for account protection. We do not sell customers’ personal information.
Customers can request to have their health data deleted. However, like all health care organizations, we are required by law to retain some information to comply with state/federal medical records retention requirements. This includes information like prescription records and patient visit notes. In addition to our privacy and security processes and safeguards, we educate customers on how they can keep their information safe with simple steps, such as using multi-factor authentication.
We know that to be successful, we must earn and keep our customers’ trust. Our teams are focused on providing access to care and medications by delivering the right mix of products and services, underpinned by thoughtful privacy and security measures. We’ll continue to listen to our customers, members, patients, and providers to make it as easy and transparent as possible to access and provide health care products and services to get and stay healthy.

FAQs