Is Amazon Alexa HIPAA Compliant?

Is Amazon Alexa HIPAA compliant? Can Alexa be used in healthcare in conjunction with patients’ protected health information without violating HIPAA Rules?

Amazon already supports HIPAA compliance for its cloud platform AWS and is keen to see its voice recognition technology used more extensively in healthcare. However, before the true potential of Alexa can be realized, Amazon must first make Alexa HIPAA compliant.

Alexa certainly has considerable potential in healthcare. Alexa could be used by physicians to transcribe medical notes or as a virtual assistant in physicians’ offices. Alexa is currently used in around 30 million U.S. homes, and the technology could easily be used to remotely monitor patients. The technology could also help to engage patients more in their own healthcare.

Some healthcare organizations have already started experimenting with Alexa. WebMD has developed an Alexa skill to deliver some of its web content to consumers via their Alexa devices at home. Beth Israel Deaconess Medical Center (BIDMC) has run a pilot scheme to test Alexa’s capabilities in an inpatient setting, although not using real patient data. That pilot produced highly promising results. BIDMC plans on using Alexa in a clinical setting, once appropriate safeguards have been incorporated and when Amazon is willing to sign a business associate agreement (BAA).

Boston Children’s Hospital (BCH) is also piloting the use of Alexa to provide information to its clinical staff, although, without a BAA, the pilot is limited to non-identifiable health information at present. BCH has also developed an Alexa skill called KidsMD, which allows parents to ask about medical conditions and obtain advice on basic health conditions.

Earlier this year, Merck challenged developers to come up with new ways of using Alexa to assist patients with diabetes. The Alexa Diabetes Challenge, launched in April 2017, was developed to help improve the lives of patients diagnosed with type 2 diabetes – approximately 27.5 million individuals in the United States.

Effective treatments are available, and along with lifestyle changes, patients can live long and healthy lives. However, self-management of the condition can be difficult, especially for individuals who have recently been diagnosed with the disease. Amazon sought submissions of patient-centric solutions that use Alexa voice recognition technology to assist patients. The winner of the challenge will be announced later this month.

Last month, Oxana Pickeral, Global Segment Leader for Healthcare & Life Sciences at Amazon Web Services, acknowledged that HIPAA is an issue that needs to be overcome before Alexa can be widely used in healthcare. She explained that the Diabetes Challenge has helped to demonstrate the potential of the technology. Pickeral said, “While Alexa and Lex are not HIPAA-eligible, this [Diabetes Challenge] has provided us an opportunity to envision what is possible.” Amazon is now looking at addressing the requirements of HIPAA for Alexa, as it did with AWS.

Thanks to the work it has done on AWS, all the basics are in place, but until Alexa, and the Lex platform on which it is based, incorporate appropriate safeguards to meet the requirements of the HIPAA Security Rule, the voice recognition technology cannot be used by HIPAA-covered entities in conjunction with protected health information.

Amazon is certainly moving toward making Alexa HIPAA-compliant, but until it is willing to sign a BAA and abide by HIPAA Rules, Alexa cannot be used in a healthcare setting with any identifiable health information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.