Last updated: 8 April 2019 We sometimes get asked by customers and prospects about Amazon Alexa and their ability to use it in a HIPAA compliant manner. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Box
- Calendly
- Citrix ShareFile
- Constant Contact
- DocuSign
- Dropbox
- FaceTime
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Hangouts Chat
- Google Slides
- Google Voice
- GoToMeeting
- Heroku
- Intercom
- MailChimp
- Mandrill
- Microsoft Teams
- Microsoft 365
- OneDrive
- PostageApp
- Postmark
- Return Path
- SendGrid
- SharePoint
- Slack
- Sonic
- SparkPost
- Uber Health
- WordPress
- Yammer
- Zoho
- Zoom
Today, we will determine if Amazon Alexa offers HIPAA compliant service or not. SEE ALSO: HIPAA Breaches and Cloud Providers
Amazon Alexa
Alexa is Amazon’s cloud-based voice service and is currently available on millions of devices. Alexa is capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, providing weather, traffic, sports, and real-time news.
Amazon Alexa and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked Amazon's site and found a lot of useful information on their HIPAA Compliance page. In particular, they include the following information:
What services can I use in my AWS account if I have a Business Associate Addendum with AWS?
Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services defined in the Business Associate Addendum (BAA). For the latest list of HIPAA-eligible AWS services, see the HIPAA Eligible Services Reference webpage.
If we inspect the HIPAA Eligible Services Reference page, we see that Alexa is still not offered under the AWS BAA. Last week however, on 4 April 2019, Amazon announced an invite-only program allowing select developers to create and launch HIPAA-compliant healthcare skills for Alexa. In other words, Amazon Alexa is providing its “HIPAA eligible environment” to voice app developers on an invite-only basis in the U.S., but says it expects to enable more developers to access this capability in the future. Here are some of the organizations Amazon invited:
Does Amazon Alexa Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. We were able determine that as of April 2019:
- Alexa is still not listed under the Amazon HIPAA Eligible Services Reference page
- Amazon has recently allowed a small, invite-only group of organizations to develop HIPAA-compliant healthcare skills for Alexa
Conclusion: Amazon Alexa is HIPAA compliant for a small group of invite-only healthcare organizations. For everyone else, it is still not HIPAA compliant.