Requirements for Skills that are HIPAA-Eligible

An Alexa skill can be HIPAA-eligible if the developer is a HIPAA Covered Entity (CE) or Business Associate (BA), uses the means we provide to identify the skill as one that processes Protected Health Information (PHI), and agrees to the Alexa Business Associate Agreement (BAA). HIPAA-eligible Alexa skills must also adhere to the requirements listed below in order to pass a certification review. Note that these guidelines might change over time.

HIPAA-Eligible skill submission checklist

  1. The developer account must be owned by the Covered Entity or Business Associate that will publish the skill.
  2. The developer name of the account must represent the legal name of the Covered Entity or Business Associate that will publish the skill.
  3. You must indicate in the developer console (requires login) that you intend for your skill to handle protected health information (PHI).
  4. You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon, made available in the developer console (requires login).
  5. Your skill must never have been published before you indicate that you intend for it to handle PHI and/or agree to the BAA.
  6. Your skill will not send Amazon information that includes a patient name or other patient personal information (e.g., "Room 101 needs pain meds" and not "John Smith needs pain meds").
  7. Your skill must be published live, but hidden from the skill store.
  8. Your skill must only be made available and distributed in the United States.
  9. Your skill cannot use PHI for development, testing, or certification purposes.
  10. Your skill must include a link to a privacy policy URL in the skill description.
  11. Your skill can only use Approved APIs and services.
  12. Your skill must not be Child Directed.

Approved APIs

HIPAA-eligible skills can only use the following APIs.

Last updated: Apr 30, 2024