Amazon’s Alexa has a new HIPPA (US) compliant Skills Kit. But is it enough?

This April, Amazon announced a Skills Kit for their Smart Speaker, Alexa. This new software means that Alexa voice tools can be made capable of securely storing, transmitting, and receiving protected patient information and data in a healthcare setting, all in compliance with HIPAA (US).

According to StatNews.com, Amazon has released the Skills Kit to only six (6) US companies who can use it to build their own applications.

They are:

1. Cigna created a voice program to allow employees of its large national clients to manage their health improvement goals and earn wellness incentives.
2. Express Scripts, the pharmacy benefit manager acquired by Cigna, built a tool that enables people to check the status of home delivery prescriptions.
3. Boston Children’s Hospital built a program enabling parents and caregivers to provide clinicians with updates on their progress after surgery and get information on post-operative appointments.
4. Providence St. Joseph Health, a network of 51 hospitals in seven states, created a tool enabling customers to search for a nearby urgent care center and schedule a same-day appointment.
5. Atrium Health, which operates more than 40 hospitals and 900 clinics in North Carolina, South Carolina, and Georgia, built a similar tool.
6. Livongo, a digital health company that helps users manage chronic conditions, launched a program that allows people to query their last blood sugar reading and blood sugar measurement trends, and receive personalized health advice.

As this technology develops and scales within the healthcare field, Amazon’s Smart Speaker will “hear” more and more protected patient information and may one day become an intrinsic part of capturing information and transmitting clinical data. And while the new skills kit is getting its legs in the US, Canadian experts and healthcare professionals are wondering how the Skills Kit might impact their work.

Expert Opinion

In March (2019), CDA Oasis Discussions took a look at Smart Speakers in the dental office from a security and patient information point of view. With help from security professional and Co-founder and CEO of Alexio, Anne Genge, we considered the risks and benefits of using Smart Speakers in a dental practice. During that Oasis conversation, Anne detailed special considerations for protecting patient data and avoiding hacks. She touched on Alexa’s abilities and shortcomings when it comes to safeguarding sensitive information and adhering to the law.

Today, Anne is back on Oasis with key insights on the new skills kit and what it means for Canadian dentists.

On Development

Amazon has released a developer kit for HIPAA use to six (6) companies, which means they can build their own applications from or with it. But this doesn’t automatically mean they will be able to market the technology for healthcare use. There are many criteria which must be met like ensuring the hardware and software properly safeguards Personal Health Information (PHI) at all times. The current standard for this includes things like encryption, protection from unauthorized access, consent to collect, store and transmit plus more. 

On Security

The stakes are high, and the complexities are enormous and there have already been breaches using smart speakers. Also important, this (Skills Kit) was announced just as the world learned this story (Amazon reportedly employs thousands of people to listen to your Alexa conversations) about who hears our conversations.

In June, Amazon was served with two class-action lawsuits that allege Alexa has been recording and storing the voices of children without their consent or the consent of their parents and that the device makes children vulnerable by exposing details about their lives like products they use in their homes and private questions they have posed to the device.

On Alexa’s HIPAA Compliance

Remember, Alexa leverages the Amazon Web Services (AWS) cloud. And according the HIPAA Journal, “Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.”

For Anne, just because AWS is HIPAA compliant, it does not mean that using AWS is free from risk, nor does it prevent a HIPAA violation occurring.

Considerations for Canadian Dentists 

As a privacy and security professional specialising in healthcare, Anne said she views all technology as dangerous until proven otherwise. And while she sees two threads of potential benefit: one is for a patients’ own use, and two is for practitioners; in both cases the patient is still involved.

In a dental practice there may be some efficiencies not yet conquered by practice management companies where this integration could be welcome. Charting could be an example, or the voice command, ‘Alexa, send an email to Dr. Smith’. At first glance it’s easy to get excited about the potential without thinking of the downside. 

Generally, Anne advises her clients to let the others go first. New technology can be alluring but the potential reputational damage to a dental practice in such an already competitive environment, she feels the risk is not worth it.

Looking ahead, Anne Genge is interested in seeing how compliance and security best practices will be addressed when there are still many computer networks and systems in dental practices that don’t pass the security test.

What do you think about this latest technological attempt? 

Leave a comment about this post in the box below, send your feedback by email or call us at 1-855-716-2747.

Until next time!

CDA Oasis Team