The AMA is cautioning its members about the handling of patient data at retail clinics, calling for regulatory guidance that prohibits “clickwrap” contracts and creates privacy walls between the health and nonhealth business of retail health care companies.
The AMA has developed an issue brief (PDF) that reflects language in an AMA Council on Medical Service report (PDF) adopted at the 2024 AMA Annual Meeting. Additional recommendations call for these clinics to separate consents required to receive care from any consents to share data for reasons unrelated to medical care.
Retail health care companies should also clarify how patients can withdraw consent and request deletion of data.
A growth area in the U.S. health care system, retail health care includes walk-in clinics that employ nonphysician providers, or services that connect patients with participating online clinics. The issue brief further develops detailed AMA policy on retail health clinics.
The HIPAA Security Rule requires that both covered entities and business associates maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronically stored protected health information (PHI).
Additionally, the Federal Trade Commission’s (FTC) rule on health-breach notifications requires vendors of personal health records and related entities not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.
Figuring out which organizations fall under HIPAA’s purview is not straightforward. The regulation applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a covered transaction, in addition to their business associates.
“In some cases, there is confusion regarding a retail health care company’s HIPAA status, requiring patients to read and comprehend several documents together to understand their rights,” according to the issue brief. A 2022 AMA survey found that most people are unclear about the privacy rules.
Signing away data protection rights
Retail health companies may say they have stringent customer-privacy policies, but some still require customers to sign away some of their data-protection rights.
Consent forms may state that, after providing consent, the company now has access to the complete patient file and may redisclose information contained in that file.
“The fundamental problem is that once patients agree to the authorization, they agree their health information may no longer be protected by HIPAA,” notes the AMA issue brief.
Even if terms are voluntary, patients might not be able to use health care services if they don’t agree to the terms and conditions.
Determining how retail health care companies may manipulate data can take years. The AMA recommends that companies establish a “privacy wall” between the health and non-health business of retail health care to eliminate sharing of identifiable PHI, or re-identifiable PHI, for uses not directly related to medical care.
Retail health companies should not require data sharing for uses not directly related to medical care as a requirement to receive care, unless it’s something mandated by law, such as the reporting of infectious diseases.
“Operationally, this means that the Terms of Use should be distinct from the Notice of Privacy Practices, with clear indication that patients are not required to sign the latter in order to receive care,” the AMA brief stated.
Retail health care companies should educate patients on this concept to reduce patient vulnerability.
Look out for opt-outs, “I agree”
Some retail health care companies have “clickwrap” or online agreements in which acceptance is assumed when the user clicks a button or checks a box that states, “I agree.”
“While the purpose of a clickwrap agreement is to digitally capture acceptance of a contract, they permit patients to assume assent through use of a service without affirmatively consenting to the data sharing,” according to the AMA brief. Examples include a website visitor acknowledging that a website uses cookies, installing a mobile app, or connecting to a wireless network.
Retail health care companies should be prohibited from using “clickwrap” agreements, the AMA says.
Another concern is the use of opt-out consent, which assumes that users consent unless they act to withdraw it. Users must take action to indicate nonconsent and actively protect their data.
“When opt-out consent is coupled with deceptive wording, it may lead patients to agree to something without meaningful consent. Meaningful consent requires a patient to be given sufficient and understandable knowledge to make a valid decision,” the AMA brief says.
To protect patients’ privacy, retail health care companies should use a default opt-in consent, offering directions in plain language to foster health literacy.
“Once consent is given, it then becomes important to provide clear direction on how patients can withdraw consent,” notes the AMA brief.