By Arundhati Parmar, MedCity News | February 8, 2019

There is a rumor out there that Amazon is about to launch a HIPAA-compliant Echo device, which is expected to drive greater adoption of voice in healthcare. But what does it mean for a smart speaker to become HIPAA compliant and what can voice do today?

Rumblings abound that Amazon, whose interest in healthcare is no secret, is soon going to announce an Echo voice device that will be HIPAA compliant. It’s a race given that Amazon, Google and Microsoft all have voice-activated smart speakers and all are apparently working to make the devices and the associated software architecture comply with that complex bit of regulation involving a patient’s health information.

“Everyone’s kind of chomping at the bit,” said Heidi Culbertson, CEO of Ask Marvee, a voice startup, of the availability of HIPAA-compliant devices. “I have also heard of the rumor but don’t know enough about it.”

HIPAA of course is the regulation that governs how personal health information (PHI) is stored and transmitted to make sure that no one who isn’t authorized can access that information. The process needs to ensure end-to-end encryption among other requirements.

Amazon’s voice devices are powered by Alexa, the virtual assistant, and there are several companies that have built HIPAA and non-HIPAA compliant apps (or Alexa skills) on top of Amazon’s voice platform. Ask Marvee is one of them – it builds apps that don’t require HIPAA compliance. The other is Boston-based Orbita, which has built an enterprise-level HIPAA compliant voice platform to support scalable deployments across omnichannel environments.

“It’s inevitable,” said Bill Rogers, CEO of Orbita, of the ultimate launch of a HIPAA-compliant Echo or other, competing voice-activated device. He declined to comment further saying he is not privy to Amazon’s launch schedule.

Missy Krasner, whose title is simply Special Projects, Amazon, did not respond to an email request for comment.

HIPAA compliance is not for the faint of heart. Culbertson noted that simply because the Echo or other device becomes HIPAA compliant doesn’t mean the entire environment is.

“There’s some different things you can do to collect personal health information and possibly transmit it in a multi-channel way where a user might speak something and it’s stored differently on a device and transmitted differently, but as soon as any of that touches transmitting into Alexa – the cloud itself – you are crossing a line,” said Culbertson, who founded Ask Marvee to use voice to focus on wellness and social isolation. She noted that the Google Cloud is not HIPAA compliant.

But Rogers says Amazon currently supports many services that are HIPAA-compliant including  Amazon’s EC2 (Elastic Computing Cloud.)

“The piece that is not HIPAA-compliant today, in Alexa as the engine, is that a piece of analog data is coming to Alexa which has your audio voice. What Amazon needs to do is certify that, so that the analog data that’s collected and stored on the platform is stored in a way that follows all the HIPAA compliance rules,” Rogers explained.

In other words, when Amazon announces the launch of HIPAA-compliant device, this last piece will also comply with that regulation.

Still, he thinks that is only a minor part of the problem for those companies building HIPAA compliant environments. Everything else touching Alexa or the competing virtual assistant powering the device, will also need to be similarly certified. Without that, you stand to run afoul of that regulation.

“The other 90 percent of the problem is when Alexa is HIPAA compliant whoever is going to interact with it has to be HIPAA compliant,” he said. “Even if you are using an EC2 server and you are writing code, that doesn’t make it HIPAA compliant.”

EC2is one of the services provided by Amazon Web Services.  A journal on HIPAA probably captured it best when it articulated the following:

Amazon supports HIPAA compliance, and AWS (Amazon Web Services) can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

Just because AWS is HIPAA compliant, it does not mean that using AWS is free from risk, and neither that a HIPAA violation will not occur.

Rogers also emphasized that beyond the hardware and software, HIPAA is also very much about policies and procedures.

“If something does happen, what is your policy in notifying people that information did get exposed,” he explained. “Do the back ups have rotating encryption keys, so there’s a fair amount of overhead to make sure that even 10 years down the road, you have ensured that nothing that you created and stored, can be accessed by the wrong people.”

Compliance experts can of course have a field day with this but even without HIPAA compliance voice technologies are making improvements in the lives of everyday people.

When Culbertson’s mother, Marvee, started losing her vision, she moved away from the world of mobile and Internet of Things to voice and started Ask Marvee based in Naples, Florida. She and her siblings were worried about their mother who lived alone. So she developed an “Alexa Skill” that would allow her and her siblings to know daily that mom was OK. Voice developers for Alexa have the ability use the Alexa Skill Toolkit to develop apps.

“So every morning she would get up and tell Alexa – ‘Alexa, Ask Marvee to send an I’m OK message.’” Culbertson said. “And my brothers and sisters and I would receive a text or email based on what was chosen.”

That can be a huge relief for both family members and adults who would like to safely age in place at home.

With HIPAA that simple interaction could be expanded. Culbertson could respond by asking her mom whether she had taken her medicines appropriately that day. Which would further elicit a response from the elderly parent with more specific personal information.

“And I could respond by passing on that information to her doctor,” she said. “So even the simplest thing from today, you can extend.”

But far beyond simple interactions, voice technologies are rapidly gaining the ability to understand the humans they surround. Culbertson pointed out that Amazon has filed some patents that says that Alexa can understand change in voice.

“I know that Amazon filed a patent that is about speech analysis to see if there’s a change in the speaking voice which would affect health,” she said.

Rogers of Orbita noted that today, if you whisper to Alexa, it will whisper back.

“Amazon filed some patents on emotion detection,” he said. They include the ability for Alexa to know when a person is sad, frustrated or mad.

“Even swear detection,” is possible, he said.

Orbita’s voice technology was used to power the Mayo Clinic First Aid application on Alexa for home use. If you have a burn, you can ask the application how to treat it and it will use Mayo’s content to provide an answer in response. The technology is also being used by a HIPAA-compliant device called Pillo made by Pillo Health that is a voice-activated medication dispenser.

Rogers seemed to echo Culbertson when he said that voice has particularly life-changing applications for seniors.

“What we’ve  seen with AARP, when they started getting elderly people to use these devices, is that older people find it much easier to use voice to engage than to use a mobile app,” he explained. “The thing about voice is that it is natural language. So you are not learning a new interface. You are using the tools that you have learned as a child to be able to engage and that’s why we are seeing elderly people adopt this technology very quickly when they can’t adopt using a mobile app.”

From wellness to healthcare, people seem to be recognizing the potential that voice has, Rogers and Culbertson said. With HIPAA compliance that potential gets greatly magnified.

Amazon, Google, Microsoft… who first?