Requirements for Skills that are HIPAA-Eligible
An Alexa skill can be HIPAA-eligible if the developer is a HIPAA Covered Entity (CE) or Business Associate (BA), uses the means we provide to identify the skill as one that processes Protected Health Information (PHI), and agrees to the Alexa Business Associate Agreement (BAA). HIPAA-eligible Alexa skills must also adhere to the following requirements, listed below, in order to pass a certification review. Note that these guidelines might change over time.
HIPAA-Eligible skill submission checklist
- The developer account must be owned by the Covered Entity or Business Associate that will publish the skill.
- The developer name of the account must represent the legal name of the Covered Entity or Business Associate that will publish the skill.
- You must indicate that you intend for your skill to handle protected health information (PHI), made available in the developer console (requires log-in).
- You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon, made available in the developer console (requires log-in).
- Your skill must never have been published and available to customers prior to when you indicate that you intend for your skill to handle PHI and/or agree to the BAA.
- Your skill must be set to public availability.
- Your skill must only be made available and distributed in the United States.
- Your skill cannot use PHI for development, testing, and certification purposes.
- Your skill can only use Approved APIs and services.
- Your skill must not be Child Directed.
- Your skill must use account linking and PIN confirmation before reciting any PHI data.
- If your skill uses PIN confirmation, it must use the mandatory user flow. For more details about the PIN confirmation mandatory user flow, see User flow for PIN confirmation.
- Your skill must use PIN confirmation and personalization together. For more details about skill personalization, see Add Personalization to Your Skill.
- If your skill provides information on drug dosage, usage, or administration you must show that you are affiliated with, or acting at the direction of, the manufacturer or prescriber of the drug, and your skill must meet the following criteria:
- Developer will provide disclaimer and at invocation similar to “This skill does not provide medical advice, and is for informational and educational purposes only, and is not a substitute for professional medical advice, treatment or diagnosis. Call your clinician to receive medical advice. If you think you may have a medical emergency, please dial your local emergency response phone number.”
- When user makes a request for drug dosage guidance skill will confirm precise drug name and dosage.
- When user makes a request for drug dosage guidance skill will precisely define the unit of dose.
- When user makes a request for drug administration guidance skill send label information to Alexa app a home card and customer must confirm receipt of label information either by voice or clicking on home card or multi modal screen.
- Skill must provide educational materials about other treatment options that are also FDA approved for the label-indicated health condition (e.g., generics available; consultation with clinician).
HIPAA-eligible skills can only use the following APIs.
- Account Linking – For more details, see Understand Account Linking for Alexa Skills.
- Alexa Dialog API – For more details, see Dialog Interface Reference.
- Alexa Response API – For more details, see Response Building.
- Alexa Presentation Language (APL) – For more details, see Alexa.Presentation.APL Interface Reference.
- Alexa Skill Events API – For more details, Skill Events in Alexa Skills.
- Alexa UI APIs – For more details, see Include a Card in Your Skill Response.
- Permissions – You can only enable permissions for device address, customer name, customer email address, customer phone number, and location services. For more details, see Configure Permissions for Customer Information in Your Skill.
- Skill building using the Alexa Skill Management API (SMAPI) – For more details, see Get Started with SMAPI.
- Skill connections – You can only use Skill Connections for PIN confirmation as defined in Send a Connections.StartConnection directive. For more details, see PIN Confirmation for Alexa Skills and Use Skill Connections to Request Tasks.
Was this page helpful?
Last updated: Oct 13, 2023