Policies for Alexa Smart Properties for Healthcare

This document describes requirements for the use of Alexa Smart Properties in a Healthcare setting.

Requirements for integrating with ASP in Healthcare REST APIs

When integrating with the Alexa Smart Properties for Healthcare APIs, customers must adhere to the following requirements.

  1. Healthcare Subscription Usage. If a facility is a covered entity under HIPAA, it must be enrolled in the Alexa for Healthcare subscription. If the facility qualifies as a HIPAA hybrid entity (e.g., it offers both Independent Living and Skilled Nursing), the Alexa for Healthcare subscription must be used to service any health care component(s) of the facility. Where permitted by applicable law, a separate property unit may be used to enroll the non-covered portion(s) of the HIPAA hybrid entity in another Alexa Smart Properties subscription.
  2. Free Text Fields. Do not enter Protected Health Information (PHI, as defined under HIPAA) or any information that could directly or indirectly identify individuals in any free text field. This includes, for example, SSID Name, the text of messages created using the Notifications API or the Proactive Suggestion API, and Name fields (for example, Device Friendly Name, Device Group Name, Unit Names, Address Book Name, Contact Name, and so on). Use of a room number or a generic room name, such as "restaurant" or "barbershop", is acceptable. The name of a patient or resident should never be included. PHI is also prohibited in text fields in the Notifications API and the Proactive Suggestion API.
  3. Address Books. The address book should not name a patient or resident; however, a room number is acceptable. Do not create a personalized address book that includes a relative of the individual (e.g., daughter, son, mother, or father). It is acceptable to include healthcare providers for the individual in the address book.
  4. Skill Enablement. Enablement of any skill that collects users’ personal information is prohibited.
  5. Automation. Do not enter Protected Health Information (PHI, as defined under HIPAA) or any information that could directly or indirectly identify individuals when using the Automation API to create an automation or define the custom utterance used to trigger the automation (for example, patients' names, doctors' names, medication names, medical conditions, and so on). For example, you can create a custom utterance of "Alexa, goodnight" with the action to announce "Take your medication." You cannot create a custom utterance of "Alexa, goodnight" with the action to announce "Sally, take your Lisinopril."
  6. Alarms. You must call the Clear Alarms API when the room is vacated by the current end user and readied for a new end user, so that alarms set by the previous occupant do not carry over.
  7. Drop In
    1. Only the following use cases are allowed:
      • Drop In from care staff onsite to patient/resident units
      • Drop In from onsite visitation rooms to patient/resident units
    2. The Property must notify the patient/resident that there is an Alexa enabled device in the room and that it can be disabled or removed on request.
    3. The Property will provide training and collateral materials that describe Drop In to healthcare staff and patients/residents, which will include the following:
      • Healthcare staff Drop In instruction: instruction on how healthcare staff can initiate Drop In
      • Instructions for Patient/Resident device: instruction on how to enable Do Not Disturb
      • Suggested FAQs for patient/resident device: include suggested Drop In related FAQs for patient/resident device

Drop In FAQ

  1. What is Drop In?
    Drop In allows the caller to simply appear on a recipient’s device (the recipient does not need to answer the call).

  2. When someone drops in on my device, what do they hear and see?
    When a contact drops in on your Echo device, you will hear an audio tone and see a visual indicator that someone is dropping in on you. The contact on the other side of the Drop In will automatically hear audio through your device. You may end the Drop In by saying “Alexa, hang up.”
    The caller will see a frosted glass view from your device’s camera. The frosted glass view will automatically transition to clear video over a short period of time. You will see the caller’s video (and a picture-in-picture view of your own video) when the Drop In is in progress. You can end a Drop In by tapping the End icon on the screen, or you can disable the camera while continuing an audio conversation by saying “Alexa, video off”, or tapping the Video Off icon on the screen.

  3. How do I disable Drop In?
    You can turn on Do Not Disturb on your Echo device to prevent being dropped in on. You can also disable Drop In permission from certain contacts by working with your property or by viewing the contact card on your Echo device with a screen.

HIPAA Eligible Skills

Refer to Certification Requirements for general requirements that apply to all skills. For HIPAA Eligible skills in Enterprise environments, please refer to the guidelines below.

Requirements for Skills that are HIPAA-Eligible

An Alexa skill can be HIPAA-eligible if the developer is a HIPAA Covered Entity (CE) or Business Associate (BA), uses the means we provide to identify the skill as one that processes Protected Health Information (PHI), and agrees to the Alexa Business Associate Agreement (BAA). HIPAA-eligible Alexa skills must also adhere to the requirements listed below and pass a certification review. Note that these guidelines might change over time.

HIPAA-Eligible skill submission checklist

  1. The developer account must be owned by the Covered Entity or Business Associate that will publish the skill.
  2. The developer name of the account must represent the legal name of the Covered Entity or Business Associate that will publish the skill.
  3. You must indicate in the developer console (requires login) that you intend for your skill to handle protected health information (PHI).
  4. You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon, made available in the developer console (requires log-in).
  5. Your skill must never have been published prior to when you indicate that you intend for your skill to handle PHI and/or agree to the BAA.
  6. Your skill will not send Amazon information that includes a patient's name or other patient personal information (e.g., "Room 101 needs pain meds" and not "John Smith needs pain meds").
  7. Your skill must be published live, but hidden from the skill store.
  8. Your skill must only be made available and distributed in the United States.
  9. Your skill cannot use PHI for development, testing, or certification purposes.
  10. Your skill must include a link to a privacy policy URL in the skill description.
  11. Your skill can only use Approved APIs and services.
  12. Your skill must not be Child Directed.

Approved APIs

HIPAA-eligible skills can only use the following APIs.