Q&A: HIPAA compliance for smart speakers potentially ‘listening in’ on discussions with patients

August 22, 2019
Medicare Web

Q: I work in a residential care facility, and we have smart speakers in some resident rooms that use voice control for their TVs and other electronic devices. These residents are not able to control these devices by conventional means, so this technology gives them back some of their freedom and control. No resident information is associated with the accounts used to set up and control these smart devices, and the facility owns and manages the devices. However, patient information is discussed where these smart devices can “hear” it. Most smart speaker manufacturers claim they are not “listening in,” but we all hear about how these technology providers sometimes do what they claim they do not. Is this a HIPAA violation? Do we need to obtain a business associate agreement (BAA) from the smart speaker manufacturer?

A: In a number of states, residential care facilities are not covered entities (CE). If what is provided is assistance with daily living, that doesn’t fall into the category of healthcare as defined by the Social Security Act. The first step would be to determine if the residential care facility is a CE because if it is not, no BAA is required. A residential care facility would be a CE if healthcare as defined by the Social Security Act is provided and insurance carriers are billed for services using a HIPAA-covered transaction. This is not to say privacy is not important. It is to determine whether the HIPAA rules apply.

If it is determined that the residential care facility is a CE, the facility needs to determine if the PHI that is “heard” is stored at the facility or on a facility server, or if the smart speaker vendor is a software as a service (SaaS) vendor. Also, you need to determine whether PHI is stored for any period of time on a SaaS vendor’s servers. It’s a good idea to check with the vendor to determine what is stored or “listened to.” If PHI is stored by the vendor, the vendor would likely be a business associate (BA), and a BAA would be required.

It’s not that simple, though. If the vendor is, say, Google or Amazon, you may be able to get these larger vendors who have a significant presence in the healthcare industry to sign a BAA. On the other hand, the vendor may say that it does not store PHI or “listen in” and refuse to sign a BAA. At that point, it may be a matter of evaluating whether the potential for PHI to be “listened to” is a higher risk than the benefit to facility residents of having improved quality of life through the use of smart speakers. HIPAA doesn’t necessarily work well when it comes to long-term care.

Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
