HIPAA Compliance for Amazon Lex

Amazon has revealed that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare groups without breaching Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that lets customers build conversational interfaces into applications using text and voice. It supports the creation of chatbots that engage with clients in lifelike, natural language, ask questions, collect and provide information, and carry out a range of tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is the same one used by Amazon Alexa.

Until recently, there was little potential for using Amazon Lex in healthcare, as the service was not HIPAA compliant and therefore could not be used with electronic protected health information (ePHI). The service was also not covered by Amazon's business associate agreement (BAA).

On December 11, 2019, Amazon announced that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is approved for use with workloads that include ePHI, provided that a BAA is in place. Amazon Lex has undergone third-party security assessments under multiple AWS compliance programs and, in addition to being HIPAA eligible, is also covered under the PCI and SOC programs.

As with any software solution, a BAA does not by itself guarantee compliance. Amazon has implemented appropriate security measures to protect the confidentiality, integrity, and availability of ePHI, but it remains the responsibility of users to configure the service correctly and use it in a manner that complies with HIPAA Rules.

Amazon has published a whitepaper, Architecting for HIPAA Security and Compliance on AWS, which includes best practices for configuring AWS services that store, process, and share ePHI. Guidelines on the administration of Amazon Lex have also been released.

Author: Maria Perez