Alexa Plus HIPAA

Alexa plus HIPAA is a rabbit hole we thought about avoiding. But sometimes you are just destined to discuss a topic you try to avoid. When that question came in this week, on top of the ones we had already planned to cover, it was just too perfect. So this episode answers questions about Alexa plus HIPAA and much more.

HIPAA For MSPs by David Sims Alexa and HIPAA Plus Other Questions

Alexa Plus HIPAA Plus Other Questions

Can a doctor have an Alexa unit in the OR?

Ummm, no is the most simple way to put it.  There is way more to it than just that, though.  Here are some important things you must understand to see why the answer is no.

  • How Alexa works
    • It is always listening for your commands. When it hears the command it has to send that information to cloud servers to evaluate the command and respond.
    • In order to do that it hears other things around the command and sends it to the cloud also.
    • They say they only get a bit but that is too much for use in surgery.
    • Also, based on some evaluations it sometimes gets more than you would expect it to record and send to Amazon.
  • Multiple cases of how much is recorded.
    • Several articles cover the fact that Alexa often hears more than you would think. One of the best ones even explains how to go listen for yourself to what has been recorded and saved at Amazon.
  • Subpoena for the Alexa recordings in a murder case.
    • In Arkansas, the Alexa recordings from one home have been requested by subpoena in a murder case.
    • The police are aware that Alexa may have recorded information relating to a murder that took place in the home.
  • Amazon doesn’t list Alexa as one of their services covered by HIPAA.
    • Amazon does sign a BAA for their services to be covered under HIPAA properly, but it only does that for a specific list of services.

All of these devices are very cool but you should evaluate thoughtfully exactly what you are allowing to happen.  Throughout your day to day lives these devices must “listen” to what you are saying in order to operate.

Is it a HIPAA violation for staff to look at their own records or is it an internal policy violation?

Privacy protections do not specifically state exactly that you can’t look at your own record.

Your personal records (as well as those of your relatives or others you know) fall under the exact same requirements as all other use of PHI. You must only use or disclose the minimum necessary PHI to complete a task that is part of your job while performing treatment, payment, or healthcare operations (TPO) duties. So, the question becomes WHY you are looking into those records. If you aren’t doing it for TPO that is part of your job, then you shouldn’t be in there.

To make things easier across the board, most groups will simply say you can’t look at your own records rather than explain those reasons. So, if that is the rule, you are violating internal policy if you are in your records, even if it is for TPO. However, even without that blanket policy in place, if you access your own records and it isn’t for TPO purposes following minimum necessary standards, then you are violating HIPAA.

I am a small company and a BA, do I really have to do all of HIPAA compliance requirements?

Yes, you need to do the work. OCR will never say, “Oh, you’re small, so it’s OK if you don’t follow HIPAA.” However, they do apply enforcement in a reasonable manner for your environment. What you must do is define what you believe to be reasonable and why. Then, follow those reasonable plans accordingly. That likely means you will have required documentation, basic written policies and procedures, risk analysis, regular training, and reviews as a minimum. These are things you can do even with one person. It requires taking the time to think about security properly and write it down.

If I know my upstream BA or CE isn’t following their HIPAA compliance obligations what am I legally obligated to do?

You have the same options as a CE. But, it is hard to decide.  First, you try to get them to comply.  Next, you try to find someone else to do the job for you. Finally, you report them to HHS if you have no other choice.  When you look at it as someone who is purchasing services you can see how those decisions could play out.  However, when you are the one providing the services you are basically “turning in” your client to OCR for evaluation.

That leaves us all with what really is the bigger question we are all struggling with: where is the line of liability drawn? If I continue to work for a client that I know has little if any intention of meeting their obligations, where does their failure end and my liability for knowing it begin? If you choose to continue to work with these clients then you absolutely MUST document like crazy!!! Document every conversation and recommendation about HIPAA that you give them. Do it over and over again to make sure it is clear you have no part in their choices.

An OCR investigator said they have a significant number of cases where IT companies are filing complaints to turn in the clients. We are very much aware of how often IT companies struggle with this issue from a business and liability standpoint. They also struggle with the feeling that they just want to do the right thing when it comes to protecting all of their clients and the client data. That includes doing HIPAA compliance, but some folks don’t see it as doing the right thing. They see it as something to make a stand against.

Why would you make daily copies of your visitor logs?  A story.

A news report about a robbery where the criminals took the visitor sign-in log page.

Goodwin told Willis that he believes the men may have been in the building before for a job interview because he says they passed up some valuables and went right for the computers in the human resources offices.

“They also tore off the visitor log-in page that they may have signed when they came in,” Goodwin said.

Made me think of all the logs I see and where they are stored.