Alexa and HIPAA Considerations

Alexa and HIPAA Considerations


A mix of HIPAA compliant and non-compliant services may be used and still maintain compliance. Below is Amazon’s position on this as well as a list of their HIPAA compliant services.

“Can my organization use non-eligible services in an account marked as “HIPAA”?

Under the AWS BAA, you must identify each account that contains PHI as a HIPAA account. An organization may use any AWS service within that account; however, you may only process, store, or transmit PHI on eligible services.

An organization can use services such as AWS Lambda, AWS OpsWorks, and Amazon EC2 Container Service (Amazon ECS) to orchestrate and schedule EC2 instances if the actual PHI is processed on EC2 and stored in S3 (or other eligible services).

Your organization must still ensure that EC2 instances processing, storing, or transmitting PHI are launched in dedicated tenancy and that PHI is encrypted at rest and in transit. Any application metadata stored in Lambda functions, Chef scripts, or task metadata must not contain PHI.”

Examples of how to architect a solution are below:

  • Separate Amazon Virtual Private Clouds (VPC) for PHI and non-PHI data. The right hand VPC is used to test a mobile solution, while the left-hand VPC stores and processes PHI. PHI does not flow from the left-hand to the right-hand VPC. Note: Left-hand VPC must be architected to be consistent with HIPAA requirements
  • Indirection strategy. When a new object containing PHI is written to S3 via S3 Transfer Acceleration, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue, and if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert, notifying that processing of data has begun. In this example only S3 and EC2 are used to store, process, and transmit all PHI data; Lambda and SQS are only used to orchestrate services or notify when jobs should begin.

More on official AWS HIPAA compliant services, considerations and useful information:

Business Associate Agreements

If you are a SaaS provider of healthcare services and sign a BAA with AWS, do your customers (such as a hospital or physicians’ group) need to sign a BAA with AWS?

No. In this case, each healthcare provider or covered entity would establish a BAA with the SaaS provider, and the SaaS provider would establish a BAA with AWS. (Frequently-asked-questions-about-hipaa-compliance-in-the-aws-cloud-part-two)

HIPPA Eligible Services:


  • Amazon API Gateway excluding the use of Amazon API Gateway caching
  • Amazon Aurora [MySQL-compatible edition only]
  • AWS Database Migration Service
  • AWS Direct Connect
  • Amazon DynamoDB
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Elastic Load Balancing
  • Amazon Elastic MapReduce (Amazon EMR)
  • Amazon Glacier
  • Amazon Redshift
  • Amazon Relational Database Service (Amazon RDS) [MySQL, Oracle, and PostgreSQL engines only]
  • Amazon Simple Storage Service (Amazon S3) excluding use of Amazon S3 Transfer Acceleration
    Alexa Data Privacy
  • Recorded voice commands stored locally only
  • History can be deleted
  • Data for AWS skills and general Alexa data stored at AWS: “Amazon will not release customer information without a valid and binding legal demand properly served on us…”
  • Privacy Policy

Logistical Considerations


  • Before your service/Lambda function accepts a request, verify that the request is actually intended for the service
  • Ensure applicationID is included SpeechletServlet

Request Handlers:

  • Must handle the LaunchRequest, IntentRequest and SessionEndedRequest
  • LaunchRequest — when user invokes the skill with the invocation name (Alexa, talk to ___)
  • IntentRequest — user speaks a command mapped to “intent” (defined slot values — large number of built-in library of slots)
  • SessionEndedRequest — either “exit” or user does not respond or says something that does not match an intent
  • Pre-Recorded audio can be added to the response
  • Error handling —

Account Linking

Security Considerations

Thank you for reading and hopefully this helps you during your journey through the wonderful world of Conversational AI!

Let's create something amazing.

Coffee Much?

Built in center of everything 🌎 Indianapolis, IN.

Privacy Policy