Earlier this month, Amazon announced that it is opening its “HIPAA-eligible” environment to select Amazon Alexa skills that will transmit and receive identifiable patient information. This allows users of the Alexa virtual assistant to begin using the device for select health-related services.
Amazon defines its HIPAA-eligible services as those that enable HIPAA-regulated covered entities and business associates to process and store identifiable patient information, or HIPAA protected health information, in its Amazon Web Services environment. At this time, Amazon is offering the opportunity to develop a skill for its HIPAA-eligible environment on an invitation-only basis.
The first six HIPAA-eligible Alexa skills focus on an individual’s management of their care at home. For example, the Livongo Blood Sugar Lookup skill allows users to ask their Alexa device to provide their latest blood glucose reading. Cigna’s Health Today skill allows Cigna enrollees to monitor their wellness program goals and receive health tips. Through the Express Scripts skill, an individual can track prescription delivery and receive notification through the Alexa device when a prescription is delivered.
Although Amazon’s addition of these skills to its HIPAA-eligible environment represents significant progress toward the use of virtual assistants to meet individuals’ medical needs, it is important to note that these skills are limited. Amazon is not presenting a framework to allow for skills that capture data in an operating room or emergency room, for example, nor do the six HIPAA-eligible skills allow patients to correspond with clinicians for treatment or diagnosis of medical needs.
For people to use Alexa in these types of environments, not only will Amazon have to deem the relevant skills to be HIPAA-eligible and execute HIPAA business associate agreements with the skill developers, but the facilities and clinicians using Alexa for these services will have to ensure that they have the capability to do so in a manner that complies with the HIPAA requirements governing patient privacy and security. Some key considerations for facilities and clinicians will be to establish protocols to prevent people who are not authorized to access or hear an individual’s identifiable information from doing so on the Alexa device, as well as ensure that Alexa captures the data in a way that attributes individual patients’ data properly.