Privacy Concerns in Amazon and Aetna-CVS Health Deals: Q&A With a Cyberlaw Expert
ALM talked with Peter Swire, senior counsel at Alston & Bird and privacy and cybersecurity expert at the Georgia Institute of Technology's Scheller College of Business, about some of the legal and data privacy issues surrounding the new, data-driven health care delivery systems. These include the proposed merger between CVS Health and Aetna Inc., as well as the health initiative that Amazon.com, Berkshire Hathaway Inc. and JPMorgan Chase & Co. recently announced for their employees.
February 20, 2018 at 01:12 PM
Last December, CVS Health and Aetna Inc. announced plans to merge—combining one of the nation's largest health insurers with one of its biggest retail pharmacies. The companies' hope is to leverage the massive data pool that would be created by the deal, which currently is under review by the U.S. Department of Justice, to deliver more personalized and efficient health care.
And last month, Amazon.com announced that it would be teaming up with Berkshire Hathaway Inc. and JPMorgan Chase & Co. to create an independent health care company for the companies' employees. Around that same time, Amazon also posted a job listing for a professional experienced with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) to work on health care-related compliance matters. And, in another consolidation believed to be linked to impending disruption by Amazon, the Albertsons Cos. Inc. supermarkets chain on Tuesday announced it would merge with drugstore chain Rite Aid Corp.
(A privacy rule enacted in 2000 set national privacy standards for protection of personally identifiable health information. HIPAA is enforced by the Office for Civil Rights at the Department of Health and Human Services.)
But anyone who has ever ordered a bottle of pain reliever or book about a particular disease from Amazon knows the e-commerce giant already has medical-related information about its users that may not be covered by HIPAA, leading to questions about how personal health information is collected, used and stored.
ALM talked with Peter Swire, senior counsel at Alston & Bird, former government official and privacy and cybersecurity expert at the Georgia Institute of Technology's Scheller College of Business, about some of the legal and data privacy issues surrounding these new, data-driven health care delivery systems. The interview has been edited for length and clarity.
How is HIPAA implicated in the proposed deal between CVS and Aetna?
Swire: Both [CVS and Aetna] are covered under HIPAA, but historically they were in two different categories of entities. So with the merger, the general rule is that the pharmacy data can be merged in the company's databases with the insurance data subject to minimal rules. HIPAA says you should only collect and share the minimum necessary data that's needed for the patient, but the rules there tend to be pretty flexible.
HIPAA also has rules about role-based access, because the janitors shouldn't see the psychiatric records. The role of someone for health insurance might require different data than the role that's needed for a health care provider. The merger doesn't give every health insurance employee the right to see all of the medical records from the pharmacy.
Does this type of regulation have an effect on CVS and Aetna's ability to implement this type of business model?
When they try to combine business operations, they'll have to go step by step and document why it's appropriate to share data with these new categories of recipients.
Are there other regulations that would govern the data?
The insurance companies are also regulated at the state level, so the rules for Aetna's data may be restricted by state insurance laws.
Similarly, states can apply stricter versions of the HIPAA rules, if they pass state laws to do that, and the pharmacy data would have to comply with those state law restrictions. For instance, some states have special rules for HIV patients, and the data for HIV medications would be subject to those stricter state rules.
What about the HIPAA issues with the Amazon-Berkshire Hathaway-JPMorgan Chase initiative?
For any new health insurance company owned by Amazon, all the HIPAA rules would apply to the insurance activities. For instance, they can't send insurance data out to third parties without patient consent or some special HIPAA exception.
And there are also marketing rules under HIPAA that set limits on how the covered entity can market to its customers. Those are quite complicated, so I don't have any view on what exactly Amazon health insurance could do with Amazon bookseller. But they would have to watch out for those HIPAA marketing rules.
What about health care information that could be derived from users' shopping history and patterns—for example, the fact that someone bought migraine medicine in bulk from Amazon?
That's another side of it. There are fewer legal restrictions on sending Amazon's e-commerce data to the health insurance company. Amazon can make a lot of inferences about its customers based on the health care books and searches that they do on the Amazon site. So Amazon might know that you have bought books about migraines and bought over-the-counter medicines for migraines, and that information is outside of HIPAA, typically, unless health insurance paid for the medicines. And that's true much more generally today. So all of those apps on people's phones—[including] fitness trackers and many other apps that can provide insight about a person's medical condition—are outside of HIPAA, unless they're being run by a covered entity.
Are there other regulations, state or federal, that would cover this type of data?
In general, the law hasn't caught up with all of this non-HIPAA collection of health data. So there are fewer restrictions on the e-commerce side of Amazon sending that data to the insurance side. The rules are stricter if the insurance side, which is a regulated covered entity that has to comply with HIPAA, tries to send data out to e-commerce.
Are there other issues implicated by the other two companies' involvement in the initiative?
JPMorgan Chase is the bank involved, and there's another set of issues that come up for financial services companies. The big privacy rule there is the Gramm-Leach-Bliley Act, which sets limits on taking banking information out of the financial services company and sending it to other companies. Bank customers have opt-out rights before data goes to a third party.
There's another issue that's less well-known: The bank regulators have issued rules limiting the use of medical information in financial decisions. So if JPMorgan Chase receives medical information, they have banking rules to follow about how they can or cannot use that medical information.
For practical purposes, there are medical privacy, financial privacy and e-commerce issues, and the overall structure has to comply with all of those different legal regimes.
Is there a reason for consumers to be concerned about such health care delivery systems that may center on data sharing?
Part of the reason for the HIPAA privacy rule was to reduce the chances that people would be treated worse because of their medical history. There are rules limiting what medical information employers can get before the hiring decision. There are rules against genetic discrimination, like the Genetic Information Nondiscrimination Act, which sets limits on decisions based on genetic information, and medical records can provide clues about a person's genetic history. So when these different types of databases are combined, there's a risk that decisions will occur that are less favorable to some of the individuals. And the privacy rules in part exist to protect against those uses of personal information.
This story has been updated with information about the Albertsons-Rite Aid merger.