What will Amazon do with our health data?

Amazon.com on Tuesday announced a joint partnership with Berkshire Hathaway and JP Morgan to create an independent health care company for their employees, putting an end to months of speculation that the technology giant was eyeing a foray into the medical industry. It’s yet another endeavor for the company, which last year spent $13.7 billion to enter the grocery business with its acquisition of Whole Foods Market.

But as the online retailer expands into new industries — cloud computing, drones, tech gadgets, movie-making and now health care — some privacy experts say the company’s increasingly dominant role in our lives raises concerns about how personal data are collected and used. What happens, for example, when a company that has access to our weekly shopping lists, eating habits and in-home Alexa-based assistants, also becomes involved in our medical care?

“Amazon already has huge amounts of our data — we give it to them in exchange for two-day shipping,” said I. Glenn Cohen, a Harvard Law School professor who specializes in health law policy. “But what happens when you add in actual health care data? Many people are already concerned about who has access to that information, and this exacerbates those concerns.”

Amazon declined to comment. Its announcement comes a week after the company opened its cashier-less supermarket, Amazon Go, to the public. In place of cash registers, the store has a network of cameras, scanners and infrared sensors that allow the store to automatically charge customers for items they place into their bags.

The Health Insurance Portability and Accountability Act of 1996 prohibits health insurance companies and other entities from sharing personally identifiable medical data. There are also restrictions on using medical data for marketing purposes or to make lending decisions by banks. But, even if the new joint venture is subject to HIPAA rules, experts said there are exceptions to exactly what is covered.

“ The law covers traditional health insurance and provider health care, but it doesn’t cover many of the other sources of health-related data that today’s technology generates,” said Peter Swire, a professor of law at Georgia Tech and White House coordinator for HIPAA under President Bill Clinton. “It doesn’t cover, for example, the books you buy about health care or the many fitness and health care apps you may have on your phone.”

He and others added that even if companies aren’t collecting — or sharing — medical records, there are a number of other ways a patient’s habits and history could be used to glean important information about their health. (There are also signs that Amazon is considering possible privacy concerns: It recently posted a job opening on its site for a HIPAA expert who can “own and operate the security and compliance elements of a new initiative.”)

“You could say, ‘This patient uses our system to book doctors’ appointments six times a year,’ and compare that with that person’s purchase history to make certain connections,” said Cohen of Harvard. “Non-health care data can often be a rich source of information.”

Companies could also market cold and flu medicines to someone who always books doctor’s appointments at the beginning of flu season, he said, or recommend obstetricians to a shopper who recently ordered pregnancy tests or prenatal vitamins.

R e s e a rc h s h o w s t h at increased access to patients’ medical records and history reduces the cost of health care. But it also raises privacy concerns, particularly as companies use predictive technology to guess which patients may end up with a certain illnesses or chronic disease, said Idris Adjerid, a professor who specializes in health technology and privacy at the University of Notre Dame’s Mendoza College of Business.