Policies for Alexa Smart Properties

When integrating with Alexa Smart Properties, you must adhere to the following requirements.

Properties located in Canada

For properties located in Canada, if you are a public sector organization within the meaning of Canadian law or regulation, you may not subscribe to any Alexa Smart Properties services without Amazon's prior written approval, and may be subject to additional requirements. For details, reach out to your Alexa Smart Properties business development contact.

Properties located in Quebec

For properties located in Quebec, you must adhere to the following requirements:

  • Set the locale for the devices in the property to the fr-CA locale or en-CA/fr-CA language pair to comply with Quebec province regulations.
  • Provide in-room collateral in both English and French.

Properties located in Japan

For properties located in Japan, you must adhere to the following requirements:

  • Obtain prior consent from the data subject for the relevant use of Personally Referable Information, as defined in the Japanese Act on the Protection of Personal Information (“APPI”), if you receive and use Personally Referable Information as Personal Data, as defined in the APPI, by cross-referencing it with other information.
  • Inform End Users of and obtain their consent to the fact that by using the Alexa Communications services, as defined in the Alexa Terms of Use, Personal Data provided to you from End Users for the purpose of using the Alexa Built-in (such as the contact information of a person who receives a call made through Alexa Communications) will be provided to Amazon.com Services LLC and/or its affiliate(s) providing Alexa Smart Properties service (collectively, "Amazon") on behalf of End Users. With respect to the Personal Data of data subjects other than End Users, the Personal Data you provide to Amazon must be limited to data for which consent or authorization for the transfer has been obtained from the data subject.
  • Limit the offering and use of digital music services on Registered Devices to the use of End Users in private areas (that cannot be used by more than one person or an unspecified number of people) within the Property.
  • Provide in-room collateral in Japanese.

Properties located in the United States

For properties located in the United States (US), you must adhere to the following requirements:

  • Provide guests with in-room collateral that explains the device, how to use it, and suggested interactions. This collateral should always be in English, with optional translations side-by-side in other languages for convenience. All collateral must include the following disclaimer, which informs the user of the Alexa Terms of Use and applicable Amazon Privacy Notice, and provides a link to the Alexa Smart Properties End-User FAQ page.

    Disclaimer – Amazon processes and retains Alexa interactions and other data in the cloud to provide and improve our services. Your interactions with this device are subject to the Alexa Terms of Use and the Amazon.com Privacy Notice. To learn more, go to Alexa Smart Properties End-User FAQs.

    • Rooms with Echo devices without screens must have printed collateral next to the device. The printed collateral can also include other relevant information, such as invocation phrases and sample utterances.
    • Rooms with Echo devices with a screen can meet this requirement by displaying the information digitally on-screen prior to guests engaging with the device.

Alexa Smart Properties in healthcare

Requirements for integrating with ASP in healthcare REST APIs

When integrating with Alexa Smart Properties in healthcare APIs, customers must adhere to the following requirements.

  1. Healthcare Subscription Usage. If a facility is a covered entity under HIPAA, it must be enrolled in the Alexa for Healthcare subscription. If the facility qualifies as a HIPAA hybrid entity (e.g., it offers both Independent Living and Skilled Nursing), the Alexa for Healthcare subscription must be used to service any health care component(s) of the facility. Where permitted by applicable law, a separate property unit may be used to enroll the non-covered portion(s) of the HIPAA hybrid entity in another Alexa Smart Properties subscription.
  2. Free Text Fields. Do not enter Protected Health Information (PHI, as defined under HIPAA) or any information that could directly or indirectly identify individuals in Free Text Fields (for example, SSID Name) in messages created using the Notifications API, Reminders API, or the Proactive Suggestion API, in Name fields (for example, Device Friendly Name, Device Group Name, Unit Names, Address Book Name, Contact Name, and so on), and so on. Use of a room number or a generic room name, such as "restaurant" or "barbershop", is acceptable. The name of a patient or resident should never be included. PHI is also prohibited in text fields in the Notifications API, Reminders API, and the Proactive Suggestion API.
  3. Address Books. The address book should not name a patient or resident; however, a room number is acceptable. Do not create a personalized address book that includes a relative of the individual (e.g., daughter, son, mother, or father). It is acceptable to include healthcare providers for the individual in the address book.
  4. Skill Enablement. Enablement of any skill that collects users’ personal information is prohibited.
  5. Automation. Do not enter Protected Health Information (PHI, as defined under HIPAA) or any information that could directly or indirectly identify individuals when using the Automation API to create an automation or define the custom utterance used to trigger the automation (for example, patient's names, doctor's names, medication name, medical conditions, and so on). For example, you can create a custom utterance of "Alexa, goodnight" with the action to announce "Take your medication." You cannot create a custom utterance of "Alexa, goodnight" with the action to announce "Sally, take your Lisinopril."
  6. Alarms. You will call the Delete all alarms for a unit API when the room is vacated by the current user, and readied for a new user.
  7. Reminders. You will call the Delete all reminders for a unit API when the room is vacated by the current user, and readied for a new user.
  8. Timers. You will call the Delete all timers for a unit API when the room is vacated by the current user, and readied for a new user.
  9. Drop In
    1. Only the following use cases are allowed:
      • Drop In from care staff onsite to patient/resident units
      • Drop In from onsite visitation rooms to patient/resident units
    2. The Property must notify the patient/resident that there is an Alexa-enabled device in the room and that it can be disabled or removed on request.
    3. The Property will provide training and collateral materials that describe Drop In to healthcare staff and patients/residents which will include the following:
      • Healthcare staff Drop In instruction: instruction on how healthcare staff can initiate Drop In
      • Instructions for Patient/Resident device: instruction on how to enable Do Not Disturb
      • Suggested FAQs for patient/resident device: include suggested Drop In related FAQs for patient/resident device

Drop In FAQ

  1. What is Drop In?
    Drop In allows the caller to simply appear on a recipient’s device (the recipient does not need to answer the call).

  2. When someone drops in on my device, what do they hear and see?
    When a contact drops in on your Echo device, you will hear an audio tone and see a visual indicator that someone is dropping in on you. The contact on the other side of the Drop In will automatically hear audio through your device. You may end the Drop In by saying “Alexa, hang up.”
    The caller will see a frosted glass view from your device’s camera. The frosted glass view will automatically transition to clear video over a short period of time. You will see the caller’s video (and a picture-in-picture view of your own video) when the Drop In is in progress. You can end a Drop In by tapping the End icon on the screen, or you can disable the camera while continuing an audio conversation by saying “Alexa, video off”, or tapping the Video Off icon on the screen.

  3. How do I disable Drop In?
    You can turn on Do Not Disturb on your Echo device to prevent being dropped in on. You can also disable Drop In permission from certain contacts by working with your property or by viewing the contact card on your Echo device with a screen.

HIPAA Eligible Skills

Refer to Certification Requirements for general requirements that apply to all skills. For HIPAA Eligible skills in Enterprise environments, please refer to the guidelines below.

Requirements for Skills that are HIPAA-Eligible

An Alexa skill can be HIPAA-eligible if the developer is a HIPAA Covered Entity (CE) or Business Associate (BA), uses the means we provide to identify the skill as one that processes Protected Health Information (PHI), and agrees to the Alexa Business Associate Agreement (BAA). HIPAA-eligible Alexa skills must also adhere to the requirements listed below and pass a certification review. Note that these guidelines might change over time.

HIPAA-Eligible skill submission checklist

  1. The developer account must be owned by the Covered Entity or Business Associate that will publish the skill.
  2. The developer name of the account must represent the legal name of the Covered Entity or Business Associate that will publish the skill.
  3. You must indicate in the developer console (requires login) that you intend for your skill to handle protected health information (PHI).
  4. You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon, made available in the developer console (requires login).
  5. Your skill must never have been published prior to when you indicate that you intend for your skill to handle PHI and/or agree to the BAA.
  6. Your skill will not send Amazon information that includes patient name or other patient personal information (e.g., "Room 101 needs pain meds" and not "John Smith needs pain meds").
  7. Your skill must be published live, but hidden from the skill store.
  8. Your skill must only be made available and distributed in the United States.
  9. Your skill cannot use PHI for development, testing, or certification purposes.
  10. Your skill must include a link to a privacy policy URL in the skill description.
  11. Your skill can only use Approved APIs and services.
  12. Your skill must not be Child Directed.

Approved APIs

HIPAA-eligible skills can only use the following APIs.

Last updated: Jul 19, 2024