Is Alexa HIPAA Compliant? What You Can and Can’t Do with PHI


Kevin Henry

HIPAA

May 26, 2025


Overview of Alexa's HIPAA Compliance History

Alexa’s path with Protected Health Information began in April 2019, when Amazon launched an invite-only program that let select healthcare organizations build HIPAA-eligible skills using the Amazon Alexa Skills Kit. Six initial partners piloted experiences such as checking prescription status, scheduling visits, and retrieving diabetes readings. ([mobihealthnews.com](https://www.mobihealthnews.com/news/amazon-ends-support-third-party-hipaa-compliant-alexa-program?utm_source=openai))

Those skills operated in a controlled environment under a Business Associate Agreement and were framed as HIPAA-eligible, not blanket “HIPAA compliant” for all uses of Alexa. The focus was narrow: specific workflows, limited publishers, and guardrails aligned to the HIPAA Privacy Rule and HIPAA Security Rule. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/custom-skills/requirements-for-hipaa-eligible-skills.html?utm_source=openai))

Separately, Amazon introduced Alexa Smart Properties for Healthcare to power enterprise deployments in hospitals and senior living, emphasizing managed devices and at-scale administration rather than consumer use. ([press.aboutamazon.com](https://press.aboutamazon.com/2021/10/amazon-brings-alexa-to-senior-living-communities-and-healthcare-systems-with-alexa-smart-properties?utm_source=openai))

Impact of Discontinuing HIPAA-Compliant Skills

On December 9, 2022, Amazon ended support for third‑party HIPAA‑eligible Alexa skills available through the public Skills program. Developers received a compliance termination notice directing removal of affected skills; Amazon indicated PHI associated with those skills would be deleted, and suppressed skills would return “no longer supported.” ([hipaajournal.com](https://www.hipaajournal.com/amazon-ends-support-for-third-party-hipaa-eligible-alexa-skills/?utm_source=openai))

What remains is a more limited model: HIPAA‑eligible, hidden “property skills” are supported only within Alexa Smart Properties for Healthcare, published by covered entities or business associates under a BAA and constrained to approved interfaces. Public, consumer‑facing skills cannot process PHI. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/asp-in-healthcare-create-manage-skills.html?utm_source=openai))

Handling PHI Risks

Voice assistants create unique PHI exposure risks: inadvertent wake word activations, shared household devices, and cloud processing can all lead to unauthorized creation, receipt, maintenance, or transmission of PHI. Under the HIPAA Privacy Rule’s “minimum necessary” standard and the Security Rule’s safeguards, these vectors require disciplined controls. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))

If you deploy Alexa Smart Properties, Amazon’s policies prohibit entering PHI in free‑text fields (for example, device names or notifications) and restrict HIPAA‑eligible skills to specified APIs. These limitations help reduce leakage paths but do not eliminate governance duties like access control, audit logging, and data retention management. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/alexa-for-residential-policies.html?utm_source=openai))

Alternative Solutions for PHI Management

For voice workflows that must handle PHI outside consumer smart speakers, consider HIPAA‑eligible AWS services. Amazon Lex can power voice or chat on web, mobile, or telephony channels under a BAA; Amazon Transcribe Medical supports clinical dictation with PHI identification; and Amazon Connect enables HIPAA‑eligible contact center use cases. ([aws.amazon.com](https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-lex-achieves-hipaa-eligibility/?utm_source=openai))

These patterns keep PHI within systems you control while meeting Third‑Party Compliance expectations: execute BAAs with each vendor, segment environments, encrypt data in transit and at rest, and document risk analyses consistent with the HIPAA Security Rule. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

Best Practices for Using Alexa in Healthcare

If you are a healthcare organization

  • Use Alexa only through Alexa Smart Properties for Healthcare with a BAA; do not use consumer Alexa devices for PHI. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/asp-in-healthcare-create-manage-skills.html?utm_source=openai))
  • Restrict to hidden, HIPAA‑eligible property skills that rely on approved interfaces; avoid PHI in device names, notifications, or other free‑text fields. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/alexa-for-residential-policies.html?utm_source=openai))
  • Apply the HIPAA Security Rule: unique user authentication, least‑privilege access, audit trails, network segmentation, and encryption for any PHI you process downstream. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

If you are an individual at home

  • HIPAA generally does not apply to your personal use, but your voice data may still be stored and processed by Amazon. Avoid speaking sensitive diagnoses, member IDs, or medication details to consumer Alexa devices.
  • Use Alexa for non‑PHI tasks (general wellness tips, timers, music). If you choose to set health reminders, keep language generic to reduce identifiability.
  • Review device access, household profiles, and deletion settings to limit unintended sharing on shared devices.

For covered entities and business associates, using consumer Alexa to collect or transmit PHI without a BAA can trigger HIPAA violations. The Privacy Rule sets boundaries on PHI uses and disclosures, while the Security Rule requires administrative, physical, and technical safeguards for ePHI—enforceable through investigations, corrective action plans, and civil penalties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))

HIPAA is a federal floor; state privacy laws that are more protective are not preempted. Monitor evolving requirements—HHS proposed significant updates to strengthen the Security Rule on December 27, 2024—because regulatory expectations for Healthcare Data Protection continue to rise. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/399/does-hipaa-preempt-state-laws/index.html?utm_source=openai))

Future of Voice Assistants in Healthcare

The near-term future favors enterprise‑managed deployments with tightly scoped use cases, hidden skills, and explicit BAAs—not open consumer ecosystems. Expect more edge processing, identity controls, and auditable integrations as vendors align with HIPAA Security Rule expectations and broader cybersecurity goals. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/asp-in-healthcare-create-manage-skills.html?utm_source=openai))

Conclusion

As of February 5, 2026, Alexa is not a universally “HIPAA compliant” channel for PHI. Public third‑party HIPAA‑eligible skills ended on December 9, 2022; PHI‑capable use now lives primarily within Alexa Smart Properties for Healthcare under strict constraints. If you need voice with PHI, prefer HIPAA‑eligible cloud services and tightly governed enterprise deployments, and apply Privacy and Security Rule controls end‑to‑end. ([hipaajournal.com](https://www.hipaajournal.com/amazon-ends-support-for-third-party-hipaa-eligible-alexa-skills/?utm_source=openai))

FAQs

Is Alexa currently HIPAA compliant?

No. Consumer Alexa is not a HIPAA‑covered service. PHI‑handling is limited to Alexa Smart Properties for Healthcare with hidden, HIPAA‑eligible property skills under a BAA; public third‑party HIPAA‑eligible skills were discontinued on December 9, 2022. ([hipaajournal.com](https://www.hipaajournal.com/amazon-ends-support-for-third-party-hipaa-eligible-alexa-skills/?utm_source=openai))

What happens to healthcare Alexa skills that handle PHI?

Amazon ended support for public third‑party HIPAA‑eligible skills and directed developers to remove them; suppressed skills stopped working and associated PHI was slated for deletion. Enterprise property skills in Alexa Smart Properties for Healthcare remain the supported path. ([hipaajournal.com](https://www.hipaajournal.com/amazon-ends-support-for-third-party-hipaa-eligible-alexa-skills/?utm_source=openai))

Can Alexa be used for any healthcare tasks involving personal data?

Healthcare organizations should not use consumer Alexa for PHI. Within Alexa Smart Properties for Healthcare, you can implement narrowly defined, HIPAA‑eligible workflows under a BAA. Individuals at home can use Alexa for non‑PHI tasks; HIPAA typically does not apply to personal use. ([developer.amazon.com](https://developer.amazon.com/en-US/docs/alexa/alexa-smart-properties/asp-in-healthcare-create-manage-skills.html?utm_source=openai))

What are the risks of using Alexa with PHI?

Key risks include inadvertent activation and recording, shared‑device access, cloud processing without a BAA, and data leakage via free‑text fields or unapproved interfaces. HIPAA requires documented safeguards; Amazon’s healthcare policies also restrict where PHI can appear. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
