
Just a heads up, if you use this service PillPack and Amazon Employees have full access to your entire prescription history. Full name, social everything - it was common for employees to look up the info of celebrities / other employees for fun.

Any prescription / healthcare info you give them will be sold back to SureScripts and used to sell you more garbage from Amazon ;)

https://www.wsj.com/articles/amazon-mail-order-pharmacy-face...



What is your source for the claim that Amazon - PillPack employees commonly accessed prescription info "for fun"?

I worked at PillPack for over 3 years, and while I haven't been there for a while this seems like a very bold claim that is wildly inconsistent with the sort of practices I saw followed in my time there.

I don't think using a throwaway to throw shade like this is the right way to handle such a serious matter, but whatever -- if you do legitimately want to address this issue let me know; I could point you to a contact at the company and/or outside of it that would take it seriously and investigate it, as this is very alarming and unacceptable (speaking also as a customer whose data is there).


I lived in Manchester back in 2017 and even though I never worked at PillPack somehow I know names of celebrity clients they had at the time.


Please go ahead and report the multiple HIPAA violations here:

https://www.hhs.gov/hipaa/filing-a-complaint/index.html


OP indicated they were in the UK


Where did they say that?


Far be it for me to dispute the knowledge of a random throwaway, but I'd be surprised if there Amazon didn't have access controls to prevent looking up customer prescription history.

I know the hoops I have to go through just to access customer resource metadata in AWS Support. There are multiple, auditable checks that force you to provide access justification to resources -- and the process is routinely modified to make it more onerous and restrictive.

If we have dual control mechanisms to access routine information about a customer's VPC, I'd be shocked if Amazon didn't have auditable controls on Amazon Pharmacy.


Nope. Any PillPack developer can look up any customer in seconds. Other employees have more limited access, but generally quite a bit of access. Access is logged in production, but developers can also get a clone of the entire production database pretty easily.

That's not necessarily a problem or a HIPAA violation, depending on how it's used, although the opportunity for abuse exists. They cover their ass with annual HIPAA training.


I feel like if this were true HIPPA/HHS would have asses in slings. I've worked in a couple of places that worked with HIPPA-adjacent data and boy howdy you don't not mess with them.


It's HIPAA, and there's no such meaningful category as HIPAA-adjacent data. Data is either PHI held by HIPAA covered entities or it's not, and consumer health and wellness data that one would see as being equally sensitive but that involves consumer transactions with an entity which is not a “covered entity” as defined in HIPAA (including where the consumer takes information from a covered entity and provides it to the service, so that the service is engaged by the consumer but has no business relation to the covered entity) is simply not PHI protected by HIPAA.

On the other hand, the information you describe from a pharmacy customer isn't “HIPAA adjacent”, it's just plain HIPAA PHI. On the gripping hand, lots of places have fairly weak internal controls on access to PHI; there is no required independent certification of practices, only after-the-fact enforcement when an unauthorized use occurs, is reported, and is investigated. And lots of places that haven't been caught out yet have training in what you're not allowed to do with data, but inadequate controls on what you can do and inadequate auditing of what you have done.
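The access-justification and audit controls discussed in this thread (the dual-control, auditable checks described for AWS Support above, and the point just made about training without adequate controls or auditing) can be illustrated in code. The following is an added example written for this discussion; it is not PillPack's or Amazon's code, and every actor name, role, case id and prescription record in it is constructed. It gates each PHI read on a role and on an open support case that actually covers the patient being looked up, writes every attempt (allowed or denied) to an audit trail, and then runs an independent after-the-fact review that flags actors whose spread of distinct patients exceeds a threshold (the threshold value is an assumption for the example).

```python
"""Justification-gated PHI lookup with an audit trail and an after-the-fact review.

Added illustration for the access-control discussion in this thread; not
PillPack's or Amazon's code. All names, roles, case ids and records are constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a lookup fails the role or case-justification gate."""


@dataclass
class AccessEvent:
    actor: str
    patient_id: str
    case_id: str
    outcome: str  # "allowed" or the denial reason; denials are logged too


@dataclass
class PhiStore:
    records: dict          # patient_id -> prescription summary (constructed)
    open_cases: dict       # case_id -> patient the support case is about (constructed)
    phi_readers: set       # actors holding a PHI read role (role-based gate)
    audit_log: list = field(default_factory=list)

    def lookup(self, actor, patient_id, case_id):
        """Return a record only for a permitted actor citing a case about this patient.

        Citing a real but unrelated ticket to browse another patient's history is
        refused, not merely logged. Every attempt, refused or not, is recorded so
        a reviewer can see what was tried as well as what was read.
        """
        reason = None
        if actor not in self.phi_readers:
            reason = f"{actor} has no PHI read role"
        elif self.open_cases.get(case_id) != patient_id:
            reason = f"case {case_id} does not cover patient {patient_id}"
        self.audit_log.append(AccessEvent(actor, patient_id, case_id, reason or "allowed"))
        if reason:
            raise AccessDenied(reason)
        return self.records[patient_id]


def review_log(events, max_patients_per_actor=2):
    """Flag actors who read more distinct patients than the threshold allows.

    This is the 'auditing of what you have done' step: it runs over the log
    alone, without database access, so an independent reviewer can perform it.
    The threshold is an assumed tuning value for the example.
    """
    per_actor = {}
    for e in events:
        if e.outcome == "allowed":
            per_actor.setdefault(e.actor, set()).add(e.patient_id)
    return sorted(a for a, pts in per_actor.items() if len(pts) > max_patients_per_actor)


def demo():
    """Exercise the gate and the review on constructed data; returns the outcomes."""
    store = PhiStore(
        records={"P-1": "lisinopril 10mg", "P-2": "metformin 500mg", "P-3": "atorvastatin 20mg"},
        open_cases={"C-100": "P-1", "C-101": "P-2", "C-102": "P-3"},
        phi_readers={"pharmacist.a", "support.b"},
    )
    outcomes = {}
    # Legitimate: the cited case is about the patient being looked up.
    outcomes["allowed"] = store.lookup("pharmacist.a", "P-1", "C-100")
    # Refused: a real case, but for a different patient (browsing under cover of a ticket).
    try:
        store.lookup("support.b", "P-3", "C-101")
        outcomes["mismatched_case"] = "allowed"
    except AccessDenied as exc:
        outcomes["mismatched_case"] = str(exc)
    # Refused: an account with no PHI read role at all.
    try:
        store.lookup("dev.c", "P-2", "C-101")
        outcomes["no_role"] = "allowed"
    except AccessDenied as exc:
        outcomes["no_role"] = str(exc)
    # Three individually valid lookups by one actor still stand out in review.
    store.lookup("support.b", "P-2", "C-101")
    store.lookup("support.b", "P-3", "C-102")
    store.lookup("support.b", "P-1", "C-100")
    outcomes["flagged"] = review_log(store.audit_log)
    outcomes["log_size"] = len(store.audit_log)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two halves are deliberately separate: the gate prevents the obvious misuse (no role, or a ticket that does not cover the patient), while the review catches what a gate cannot, an actor who satisfies the check every time but touches far more patients than their queue would explain. Logging the denials as well as the reads is what lets the reviewer distinguish a clumsy mistake from a pattern of probing.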


Minor quibble - HIPAA and HITECH are not the same thing, but many people lump the two together.

HIPAA is the general policy. HITECH is what regulates how that policy can be implemented in technology.


> Minor quibble - HIPAA and HITECH are not the same thing

They are separate legislative actions, but HITECH is largely amendments to HIPAA, and can't really be considered in isolation. References to what HIPAA requires generally refer to not only the original HIPAA enactment but subsequent amendments (such as, but not limited to, those in the ACA and HITECH), and regulations and guidance adopted under HIPAA (as amended). Distinguishing HITECH from HIPAA makes sense in terms of discussing legislative history, but less so in terms of discussing current rules.

It is also not accurate to draw the division as HIPAA being "general policy" and HITECH being "how that policy can be implemented in technology." It's true that HITECH (more precisely, guidance/regulation mandated by and adopted subsequently to HITECH's amendments to HIPAA) provides more technical specificity in some areas, particularly privacy/security, than was in HIPAA (and regulations under HIPAA) prior to HITECH, but HITECH also amended aspects of HIPAA that fall into the general policy area (for instance, direct liability of Business Associates), and there were specific technical standards adopted under HIPAA prior to HITECH and also under mandates stemming from post-HITECH (notably, ACA) amendments to HIPAA.


I worked on this project and can tell you this is absolutely false. All user info is obfuscated and we have procedures in place to ensure we do not have access to information without express consent from the user. Furthermore, we don't even use Surescripts anymore. Lastly, all data is walled off from Amazon. There is no way for Amazon to even know if you are signed up for pharmacy. It is a separate account with a separate cart and all Amazon metrics are blocked from this ecosystem.


I’m a fan of giving the benefit of innocent until proven guilty. You have a firm that's aligned to CVS making accusations. A firm that's likely, long term, going to lose money if Amazon succeeds here.

From that article, “Surescripts did, however, inform CVS and Express Scripts ahead of time about its plans to go public with its decision, the spokesmen said.”


Going to need some much stronger proof than hearsay.

My clients in the financial services industry take their PCI and critical risk data access very seriously. Those clients had to share with me the software, controls and training they put into place to enforce those access rules, and I confirmed with long-time employees that they've walked staff out of call centers, summarily fired for joy-riding the data. I can believe the situation at hospitals can be looser, but financial services being more strict than pharma fulfillment or PBMs would be news to me. I've only had two clients in the PBM space, and they didn't seem to take their infosec lightly either, but that is a much smaller sample space, so I'd be interested to hear from those who work in the trenches in PBMs or pharma fulfillment what it is like for them.


New account & misinformation?

> if you use this service PillPack and Amazon Employees have full access to your entire prescription history

That's not what the article you linked says

> Any prescription / healthcare info you give them will be sold back to SureScripts and used to sell you more garbage from Amazon ;)

That's not what the article you linked says


HIPAA makes this a crime. The employee and Amazon would be subject to fines and perhaps prosecution.


I worked for Amazon for 10+ years. Sure, in the beginning, a lot of people had access to customer accounts. However, all that was locked down, I wanna say before 2010. Strictly need to know and every access logged.

So, if I wasn't able to look at what book a customer purchased, I highly doubt I could see anyone's RX, especially since HIPAA is very clear on those points.

TL;DR: I think your claim is full of it.


>Any prescription / healthcare info you give them will be sold back to SureScripts and used to sell you more garbage from Amazon ;)

Literally illegal


Citation needed


Not actually true though, is it?

