Amazon Alexa Is Now HIPAA Eligible: What’s Next?
Amazon announced that a version of their virtual assistant technology, Alexa, is now HIPAA-eligible. This means it’s available for applications that are subject to the data privacy and security requirements of HIPAA. The new HIPAA-eligible version of Alexa, specifically the Alexa Skills Kit, is now available to a limited number of developers by invitation only.
Amazon has seen increasing interest in Alexa’s potential to serve as a virtual healthcare assistant. While devices like PCs, tablets, and smartphones have contributed to advances in healthcare, they’ve been problematic for some aspects of patient engagement – particularly among the elderly and others who physically cannot – or will not – use them.
The idea of a smart, always-available, hands-free, voice-powered virtual assistant that can answer questions, deliver medication reminders, facilitate communication with one’s doctor, provide health coaching, and more, has piqued the interest of the healthcare community. Amazon has responded.
Until now, Alexa’s use in healthcare has been mostly limited to question answering services – voice apps, or “skills” in Alexa parlance, that answer general questions about health conditions, treatments, symptoms, etc. Amazon Echo users, for example, can access health benefit information from a skill like Answers by Cigna, or tap into one of many symptom checkers in the Alexa marketplace. The big change is that Alexa can now be used in certain applications that collect and transmit protected health information (PHI).
This opens a whole new world of voice applications beyond basic Q&A, such as remote patient monitoring population health, medication adherence and clinical trial optimization. It seemed inevitable that voice assistants like Alexa and smart speaker-equipped devices like the Amazon Echo would find their way into clinical applications. Amazon’s announcement confirms this.
Organizations must understand the full range of issues surrounding the “what, why and how” of securing, voice-first healthcare applications. HIPAA is just the start. There is no formal certification process for HIPAA, and it applies only in the U.S. Also, many healthcare IT departments use other industry standards or ?have created their own standards for data privacy and security. In their eyes, completely securing a voice application may go well beyond ensuring that a service provider will sign a HIPAA business associate agreement. Issues like user authentication, data privacy in shared spaces, network and device hacking, secure system integration (e.g. with an EHR), should all be addressed.
Healthcare will see continued deployment of consumer-facing skills that do not require HIPAA’s rigor, as well as a morphing of these customer service-centric offerings into more clinical use cases where HIPAA will be mandated. Consider a basic Q&A member benefit voice skill offered by a health plan. A much richer and more personalized experience can be created by adding PHI to the mix. The lines will blur in this regard, and with regard to value-based care bringing new shared risk revenue models across the various sectors within healthcare.
This information is excerpted from the Apr. 4, 2019, Orbita blog post titled: Amazon Alexa Is Now HIPAA-Compliant. What’s Next? authored by Orbita president and co-founder Nathan Treloar.