Alexa HIPAA Compliance: Is Amazon’s Voice Assistant Safe for Healthcare Use?


Kevin Henry

HIPAA

May 16, 2025

6 minutes read

HIPAA Compliance Status

As of February 2026, Alexa isn’t HIPAA-compliant by default. Standard consumer devices and skills don’t come with a Business Associate Agreement (BAA) and must not handle Protected Health Information (PHI). For HIPAA Covered Entities, that means you should treat consumer Alexa experiences as out of scope for PHI processing.

However, Alexa Smart Properties for Healthcare supports a narrowly defined, HIPAA-eligible path. In this model, organizations deploy managed Echo devices at a property (for example, a hospital unit or senior care community) and use “hidden” enterprise skills that undergo a special certification. Those skills are covered by an Alexa Skills BAA and are designed to minimize what PHI, if any, is sent to Amazon services.

What this means in practice

  • Consumer Alexa: No BAA, no PHI. Use only for non-clinical, non-identifiable tasks.
  • Alexa Smart Properties for Healthcare: HIPAA-eligible when you use hidden, approved skills under an executed Alexa Skills BAA and follow Amazon’s healthcare policies.

Previous HIPAA Compliance

Amazon initially introduced HIPAA-eligible Alexa healthcare skills in April 2019 through an invite-only program. On December 9, 2022, Amazon ended support for third‑party HIPAA skills in the public Alexa Skills Store. Since then, HIPAA use has been re-scoped to enterprise deployments via Alexa Smart Properties for Healthcare, with hidden skills and stricter controls.

Current Healthcare Use

Today’s deployments focus on improving patient and resident experience while protecting data privacy. Typical use cases include hands‑free access to property information, room controls, non-PHI reminders, and staff communication using tightly scoped features.

Examples of allowed patterns

  • Property information and service requests that avoid identifiable details, such as “Alexa, request housekeeping for Room 220.”
  • Staff-initiated Drop In for patient support, with required notice and controls.
  • Generic announcements and routine prompts that don’t include names, diagnoses, or other identifiers.

These uses rely on Alexa Smart Properties policies that restrict PHI processing in free-text fields and skill interactions. If your workflow needs PHI, it should be handled by your backend systems over secure Healthcare APIs, not embedded in Alexa utterances or messages.

Alternative Solutions

If you need full PHI processing with granular control, consider Amazon Lex under an AWS BAA. Lex powers voice and chat bots within your own applications and VPC, giving you direct control over data privacy, logging, and retention. You can pair Lex with other HIPAA-eligible AWS services to build end-to-end clinical workflows without involving consumer assistants.


When to prefer Alexa vs. Lex

  • Alexa Smart Properties: Best for property-wide, hands‑free experiences where you can avoid individually identifiable data and operate within Amazon’s healthcare constraints.
  • Amazon Lex: Best for clinical or administrative workflows that require PHI end‑to‑end, custom data handling, and direct BAA coverage through AWS.

Integration Requirements

To deploy Alexa in a HIPAA‑eligible way, you must enroll in Alexa Smart Properties for Healthcare and use hidden, enterprise skills. The developer account that publishes the skill must be owned by a Covered Entity or Business Associate, and the skill must be certified for HIPAA-eligible use.

Key integration steps

  • Subscription and scope: Enroll the covered components of your facility in the Alexa for Healthcare subscription.
  • Hidden skills: Publish “property skills” that are hidden from the public store and enabled by a unit administrator.
  • Approved interfaces: Use only the approved Alexa APIs for healthcare use; avoid account linking to individuals and personal contact lists.
  • US-only distribution: HIPAA‑eligible Alexa skills are limited to the United States.
  • Operational readiness: Provide in‑room collateral and staff training that explain device behavior, Drop In, and privacy controls.

Data Handling Restrictions

Amazon’s healthcare policies aim to keep identifiable elements out of Alexa’s cloud. Do not include patient names, diagnoses, medication names, or other identifiers in free‑text fields, reminders, notifications, or automation utterances. Use unit or room numbers instead of names, and avoid enabling any skill that collects personal information.

Privacy and retention controls

  • Cloud processing: Alexa interactions are processed in the cloud; configure “don’t save recordings” and retention settings to limit stored data.
  • Room turnover hygiene: Clear timers, reminders, and alarms whenever a room is vacated; reset devices between occupants.
  • Backend isolation: Route any PHI through your secure backend and Healthcare APIs; keep Alexa payloads free of identifiers.
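Added example of the backend-isolation rule above (not Amazon's or Accountable's code): the backend keeps the PHI and hands Alexa only pre-approved templates keyed by room number, with a guard that rejects identifier-shaped text before anything is sent. The template set, the identifier regexes, and the clinical deny list are constructed assumptions for illustration.

```python
"""Outbound-text guard for Alexa Smart Properties payloads.

Assumption: the backend owns all PHI and only ever sends Alexa one of a few
approved, parameterised templates in which a room number is the sole variable.
Templates, patterns and terms below are constructed for this example.
"""
import re

# Approved, identifier-free templates. Only a room number may be substituted.
APPROVED_TEMPLATES = {
    "housekeeping": "Housekeeping requested for Room {room}.",
    "meal_reminder": "Room {room}, lunch service begins in fifteen minutes.",
    "checkout": "Room {room} is ready for turnover.",
}
ROOM_RE = re.compile(r"^[0-9]{3,4}[A-Z]?$")  # e.g. 220, 1204, 315B

# Identifier shapes that must never reach Alexa's cloud (constructed list).
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),        # a date, e.g. date of birth
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # phone number
    re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),    # medical record number
    re.compile(r"\b(Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+"),   # titled personal name
]
# Tiny constructed deny list; a real deployment would source this from its
# own formulary and problem list rather than hard-code it.
CLINICAL_TERMS = {"diabetes", "insulin", "metformin", "chemotherapy", "hiv"}


def identifier_findings(text: str) -> list[str]:
    """Return the reasons a string looks like it carries PHI (empty = clean)."""
    findings = [f"pattern:{p.pattern}" for p in IDENTIFIER_PATTERNS if p.search(text)]
    words = set(re.findall(r"[a-z]+", text.lower()))
    findings += [f"term:{t}" for t in sorted(words & CLINICAL_TERMS)]
    return findings


def build_alexa_text(template_id: str, room: str) -> str:
    """Render an approved template, refusing names, free text or identifiers."""
    if template_id not in APPROVED_TEMPLATES:
        raise ValueError(f"template not approved: {template_id}")
    if not ROOM_RE.fullmatch(room):
        raise ValueError("room must be a room number, not a name or free text")
    text = APPROVED_TEMPLATES[template_id].format(room=room)
    problems = identifier_findings(text)  # belt and braces: re-check the output
    if problems:
        raise ValueError(f"identifier-bearing text blocked: {problems}")
    return text
```

Anything a clinician actually needs to say about a named patient stays in the backend or EHR integration; the Alexa side only ever receives the rendered, room-keyed string.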

Developer Requirements

HIPAA-eligible skills must pass a dedicated certification and adhere to strict design limits that prioritize data privacy and least-necessary disclosure.

Submission essentials

  • Publisher identity: The developer account must belong to the HIPAA Covered Entity or Business Associate, and the legal name must be accurate.
  • BAA and declarations: Identify the skill as PHI‑handling in the developer console and accept the Alexa Skills BAA.
  • Hidden and US‑only: Publish live but hidden, and distribute only in the United States.
  • No PHI in development: Never use real PHI for development, testing, or certification.
  • Approved APIs only: Limit the skill to approved Alexa interfaces for healthcare contexts and include a clear privacy policy.

FAQs

Is Alexa currently HIPAA-compliant?

Not by default. Consumer Alexa products and public skills aren’t HIPAA‑compliant and shouldn’t handle PHI. HIPAA eligibility is available only through Alexa Smart Properties for Healthcare using hidden, certified skills under an Alexa Skills Business Associate Agreement and strict data‑handling policies.

What are the risks of using Alexa in healthcare settings?

The main risks are inadvertent PHI exposure and noncompliance if you use consumer features, unapproved skills, or free‑text content that includes identifiers. Cloud processing also means you must configure retention controls and operational safeguards. Mitigate risk by deploying under Alexa Smart Properties for Healthcare, using only approved interfaces, avoiding identifiers, and clearing device data between occupants.

How can developers create HIPAA-eligible Alexa skills?

Build a hidden “property skill” for Alexa Smart Properties in healthcare, publish it under a Covered Entity or Business Associate developer account, designate it as PHI‑handling, accept the Alexa Skills BAA, restrict yourself to approved APIs, exclude identifiers from requests, and pass the HIPAA‑eligible certification. Distribute only in the United States and never use real PHI in development or testing.

How does Amazon Lex differ in HIPAA compliance?

Amazon Lex is an AWS service that’s HIPAA‑eligible under the AWS BAA. You embed Lex in your own apps and infrastructure, control data flows and retention directly, and can process PHI end‑to‑end. Alexa, by contrast, is a consumer assistant with an enterprise track (Alexa Smart Properties) that limits PHI and relies on hidden skills and policy constraints to reduce exposure.
