Lawsuit filed by Healthcare Workers Against Amazon Alexa for Allegedly Violating HIPAA

Four healthcare workers have filed a lawsuit against Amazon, alleging their Amazon Alexa devices may have recorded conversations without their intent or consent and may have captured health information protected under HIPAA. 

The plaintiffs allege “Amazon’s conduct in surreptitiously recording consumers has violated federal and state wiretapping privacy and consumer protection laws,” and state, “Despite Alexa’s built-in listening and recording functionalities, Amazon failed to disclose that it makes, stores, analyzes, and uses recordings of these interactions at the time plaintiffs and putative class members purchased their Alexa devices.”

Amazon Alexa devices listen for words that wake up the devices and trigger them to start recording. Specifically, the devices listen for the word “Alexa,” and will then attempt to answer a question that is asked. However, the plaintiffs claim that there are other words and phrases that will awaken the devices and trigger them to start recording when it is not intended by users of the devices.

The lawsuit cites a study conducted at Northeastern University which showed the devices wake up and record in response to statements such as “I care about,” “I messed up,” and “I got something.” The study also found that the devices wake up and record in response to the words “head coach,” “pickle,” and “I’m sorry.”

In 2019, Amazon announced that it would ensure that all transcripts would be deleted from Alexa servers when customers delete voice recordings. In 2020, Amazon announced that customers could opt out of human annotation of transcribed data, could configure the devices to automatically delete voice recordings older than 3 or 18 months, or could opt out entirely and not have their recordings saved at all.

The plaintiffs allege that by that time, Amazon analysts may have already listened to recordings that included protected health information. They also claimed that had Amazon informed them that the company permanently stored data or that its employees listened to recordings, they would not have purchased the devices.

Amazon said only a fraction of one percent of voice recordings are reviewed by its staff and that “Our annotation process does not associate voice recordings with any customer identifiable information.”

All four plaintiffs have said that they stopped using their devices altogether or purchased newer models that had a mute function out of concern that the devices may be recording sensitive information.

The class action lawsuit seeks to represent all adults in the United States who have owned an Alexa device since 2017. The lawsuit seeks damages, an order declaring Amazon’s acts and practices violate state and federal privacy laws, and a permanent injunction to prevent Amazon from continuing to harm patients, class members, and the public.

Issue:

It is essential that all healthcare workers understand HIPAA requirements and how they must be followed to secure protected health information (PHI). The Privacy Rule allows access to information needed to ensure high-quality healthcare for patients, and facilities must promptly provide requested information to authorized individuals. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. The outcome of this litigation could affect the use of Amazon Alexa in resident rooms and common areas. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and timely response to requests from authorized individuals.
  • Train all staff on HIPAA, PHI, and Privacy, including responding timely to requests for records, minimally upon hire and annually. Educate staff not to conduct conversations that include PHI in areas where an Alexa or similar listening device is present, or to mute the device by following manufacturers’ instructions during such conversations. Document that these trainings occurred and file the signed training document in the employees’ education files.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.