
Amazon Lex is Now HIPAA Compliant

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs and, in addition to being HIPAA eligible, is also compliant with PCI and SOC.


As with any software solution, a BAA does not guarantee compliance. Amazon has implemented appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI, but it is the responsibility of users to ensure that the solution is implemented correctly and used in a manner that complies with HIPAA Rules.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
