HIPAA Compliance of Amazon Lex

Amazon recently announced that the Amazon Lex chatbot service now supports Health Insurance Portability and Accountability Act (HIPAA) compliance, so healthcare organizations can use it without violating the HIPAA Rules.

Amazon Lex is a service for building conversational interfaces into applications using text and voice. It lets developers create chatbots that interact with users in lifelike, natural language: asking questions, gathering and providing information, and carrying out a variety of tasks such as booking appointments. Amazon Alexa uses the same conversational engine that powers Amazon Lex.

Until recently, the potential for using Amazon Lex in healthcare was limited because the service was not HIPAA compliant. It could not be used in connection with electronic protected health information (ePHI), and Amazon's business associate agreement (BAA) did not cover it.

On December 11, 2019, Amazon confirmed that the AWS business associate agreement (BAA) addendum now includes Amazon Lex. The service can therefore be used for workloads involving ePHI, provided a BAA is in place. Amazon Lex has undergone third-party security assessments under several AWS compliance programs: in addition to being HIPAA eligible, it is SOC and PCI compliant.

As with any software, a BAA does not by itself ensure compliance. Amazon has implemented appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI, but it remains the customer's responsibility to deploy the service correctly and to use it in compliance with the HIPAA Rules.

Amazon has published a whitepaper, Architecting for HIPAA Security and Compliance on AWS, which provides guidance on configuring AWS services that store, process, and transmit ePHI. Guidance specific to the management of Amazon Lex has also been published.