Amazon Lex is Now HIPAA Compliant

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs, and in addition to being HIPAA eligible is also compliant with PCI and SOC.

As with any software solution, a BAA does not guarantee compliance. Amazon has ensured appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of ePHI, but it is the responsibility of users to ensure that the solution is implemented correctly and used in a manner that complies with HIPAA Rules.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.