Op-ed: Privacy considerations to keep in mind with Amazon’s Halo
Amazon Halo accessory bands
Source: Amazon
This week’s launch of the Amazon Halo wearable represents a critical new entrant not only into the health-tech wearable industry, but also into the broader health care ecosystem.
Amazon’s Halo will compete with Fitbit and Apple Watch, and start-ups like the Oura Ring. But the device not only allows customers to track things like exercise and sleep, which are common in fitness wearables, but can also track emotional changes by listening to the wearer’s tone of voice and can present a 3D body image with a body fat percentage.
In a parallel announcement, one of the largest electronic medical record companies, Cerner Corporation, said that users of the Halo device will have the option to upload information collected by the device to their physicians’ Cerner health record, beginning with the Sharp Health System in San Diego.
These developments potentially represent a step forward for physicians to make use of health data that patients generate on their own.
But the new functionality of Halo also raises new privacy implications, which I’ve spent my career focused on, both at private companies and at the federal government. A company that has changed our expectations around convenience and personalized recommendations will now be selling a device — and membership — to collect some of the most intimate health details of a person’s life. And much of the conversation in the wake of Thursday’s announcement has rightly centered on trust as Amazon makes a more direct entry into consumer health care.
So going forward, the company would be well-served to keep several key topics in mind:
No standard rules for data collection from wearables
In 2016, the Office of the National Coordinator for Health IT (ONC) — the federal government team responsible for health and informatics policy development — delivered a report to Congress highlighting basic legal gaps in consumer protection collected via fitness trackers, compared to devices and systems governed by the rules governing privacy known as HIPAA.
I was formerly the Chief Privacy Officer of ONC at the time, and worked on this report.
Currently, neither Amazon, nor Apple, nor any other retail fitness tracker is required by federal law to maintain any particular privacy standard. (California residents may benefit, though, from the California Consumer Privacy Act.) This is an important point.
Companies in traditional healthcare — like Cerner or Sharp Health System mentioned earlier — are bound by HIPAA, the nationwide privacy law that applies to health care providers and payers. But some consumer devices, like fitness trackers, may not be.
Halo has taken the step of putting control of the collected health data in the hands of the individual, not the company that manufactured the device. Halo even includes a one-way hash that prevents other Amazon business units from using Halo data for other business purposes. Both of these are important markers for Amazon to lay down as it launches this new business line.
But the privacy controls announced by Amazon for Halo are simply provisions in its Terms of Use. Companies like Amazon can change its terms prospectively at any time, so long as they do not mislead or treat consumers unfairly. That’s something that people in the privacy world, like myself, will keep an eye on.
Privacy protections for medical records
Halo is looking to do more than simply collect data so consumers themselves can review it via an app. Paired with the Cerner announcement, the goal is clearly to achieve interconnectivity or “interoperability,” meaning the easy exchange of health information, with clinical technology systems already in use in traditional health care.
Apple’s HealthKit has been a critical tool in enabling individuals to extract their own data from a doctor’s office in a low-friction, mainly automated process, but only using an Apple iOS operating system.
Halo appears to be taking a similar approach, but without requiring any specific operating system. This makes it available to a larger potential market.
Having the same privacy practices across all operating systems is a step forward for consumers because it simplifies what they have to keep track of to manage their health information privacy outside their doctor’s office.
Data from patients’ lives can be helpful
Patient-generated health data, or PGHD as it’s referred to in the industry, is defined as data inbound from a patient’s life into the health care system. How to manage it has been a topic of intense debate among health policy wonks for the last several years.
There have been multiple analyses, and calls for more systematic, standards-based, and interoperable ways for consumers to ensure their health care providers have access to important information about patients’ lives outside the doctor’s office. The potential for this data to deliver context and ultimately better care is immense. Whether it’s social determinants of health, health environmental factors, or simply “what’s going on in my life,” your physician or care team may be able to use this information to deliver better care for you, and better outcomes across the system. Even during the current pandemic, some physicians and nurses have commented that they’ve learned a great deal about their patients’ lives simply by using telehealth video chats to see into their kitchens.
Amazon’s Halo, and the company’s partnership with Cerner and Sharp, can accelerate these trends — but only if consumers trust the company to be a good steward of their most intimate details. Amazon’s early statements on these fronts are encouraging. But regulators, and the company itself, will need to work collaboratively to make sure that foundation is stable enough on which to build a completely new relationship.
Amazon Halo makes great progress on helping consumers use digital tools to collaborate with their health care professionals. But to really fortify consumer trust in digital health, we need a nationwide privacy law that ensures the same protections outside of traditional healthcare as we have for HIPAA.
Lucia Savage is the Chief Privacy and Regulatory Officer for Omada Health, a digital health care company. She was formerly the Chief Privacy Officer at the Office of the National Coordinator for Health IT within the U.S. Department of Health and Human Services.