Amazon, Aetna-CVS deals plagued with security concerns: 5 things to know

Recent, unconventional mergers in healthcare, like CVS and Aetna or Amazon, JPMorgan Chase and Berkshire Hathaway, have cropped up with hopes to disrupt the industry.

But breaking into such a highly-regulated industry isn't going to be easy. The companies will face a range of unique privacy- and security-related hurdles.

In a Q&A article with The National Law Review, cyberlaw expert Peter Swire shared his insights. Here are five highlights from the conversation.

1. HIPAA plays a role. "Both [CVS and Aetna] are covered under HIPAA, but historically they were in two different categories of entities. So with the merger, the general rule is that the pharmacy data can be merged in the company's databases with the insurance data subject to minimal rules … [However,] the merger doesn't give every health insurance employee the right to see all of the medical records from the pharmacy," Mr. Swire told The National Law Review.

For the Amazon-Berkshire Hathaway-JPMorgan company, all HIPAA rules would apply to its presumed insurance activities the same way. "They can't send insurance data out to third parties without patient consent or some special HIPAA exception … And there are also marketing rules under HIPAA that set limits on how the covered entity can market to its customers," Mr. Swire added.

2. Insurance companies are regulated by the state, which could subject the CVS-Aetna merger to heightened scrutiny. "The rules for Aetna's data may be restricted by state insurance laws … Similarly, states can apply stricter versions of the HIPAA rules, if they pass state laws to do that, and the pharmacy data would have to comply with those state law restrictions," Mr. Swire told The National Law Review.

3. There aren't many legal restrictions on Amazon sending its e-commerce data to the new health insurance company. "Amazon can make a lot of inferences about its customers based on the healthcare books and searches that they do on the Amazon site. So Amazon might know that you have bought books about migraines and bought over-the-counter medicines for migraines, and that information is outside of HIPAA, typically, unless health insurance paid for the medicines," Mr. Swire said.

4. That data sharing can't go backwards. "There are fewer restrictions on the e-commerce side of Amazon sending that data to the insurance side. The rules are stricter if the insurance side, which is a regulated covered entity that has to comply with HIPAA, tries to send data out to e-commerce," Mr. Swire told The National Law Review.

5. Financial services also pose implications. "JPMorgan Chase is the bank involved, and there's another set of issues that come up for financial services companies. The big privacy rule there is the Gramm-Leach-Bliley Act, which sets limits on taking banking information out of the financial services company and sending it to other companies. Bank customers have opt-out rights before data goes to a third party," he said.

But, medical data and financial decisions can't mix. "The bank regulators have issued rules limiting the use of medical information in financial decisions. So if JPMorgan Chase receives medical information, they have banking rules to follow about how they can or cannot use that medical information."

Click here to read the full article.

More articles on cybersecurity:
U of Virginia Health System may have exposed 1.8k patients data in 2-year, ongoing malware infection
What's up with cryptocurrencies? 5 coin values as of Feb. 20
Siemens, IBM join 6 other tech companies to launch cybersecurity charter

© Copyright ASC COMMUNICATIONS 2018. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months