Alexa, including its healthcare-specific skills, is no longer HIPAA compliant, as Amazon has discontinued its support for HIPAA compliance in Alexa skills, thereby making it unsuitable for handling or processing Protected Health Information (PHI) in a manner that meets HIPAA’s stringent privacy and security requirements. Healthcare-related Alexa skills that do not collect PHI or data protected under HIPAA will remain operational and unaffected by this change.
Virtual assistants started out being used in consumer settings and on devices such as tablets or mobile phones to respond to simple voice commands, for example commands to call a specific contact or search the internet for a query. Over time, they have developed into much more complete systems, often with the promise of coupling with other devices in the home such as climate control systems or fridges, to provide an integrated control center for a user’s home. It may be seen as only natural that their use is being extended into business and office environments for more professional ends.
Alexa as part of the team
For many industries, there is no need to question whether Alexa can become part of the team, so to speak, but this is not the case in the healthcare industry where strict privacy rules and the Health Insurance Portability and Accountability Act, more often know as HIPAA, dominate every decision or new tool. Despite the possibilities offered by Alexa in areas such as remote patient monitoring or encouraging patients to engage more with their healthcare and healthcare providers, until Alexa is HIPAA compliant, it cannot be used with patient data.
For a service to be HIPAA compliant, several aspects are required. First of all, the company providing the service must be willing to enter into a Business Associate Agreement (BAA). Currently, while Amazon will enter into such agreements for their Amazon web services cloud platform, they will not do so for Alexa.
HIPAA compliance also requires that certain safeguards be in place before patient data is used with that service. These include elements such as access control, audit functions, encryption and other aspects. Some of these may already be addressed with existing functions or they can be adapted with functions ported from other Amazon services. Other areas require further development.
Amazon and HIPAA compliance
What we do know is that Amazon is working on enabling HIPAA compliance for Alexa, or in creating a similar virtual assistant that can be used by HIPAA covered entities in the healthcare space. Amazon has created a health and wellness team consisting of executives and engineers that have worked on building HIPAA compliance into other digital services.
Reportedly, Amazon is trying to position itself to compete and win in the healthcare services market. Should Alexa be configured for HIPAA compliance, the potential for stand-alone use as well as use with third party apps could quickly make Amazon a key player in the entire healthcare industry.
Examples of Alexa’s use with healthcare and wellness topics include a collaboration with Merck to find solutions to help people with diabetes better manage their condition and their care. Another target which Amazon reportedly feels could benefit from Alexa is new mothers, a group which already uses Amazon services for ordering baby supplies and other items.