HIPAA and the age of voice-activated technology

August 18, 2021

By Rossanna Howard and Beth Anne Jackson, Brown & Fortunato, P.C.

In July, it was revealed that four healthcare workers filed a class-action lawsuit, Terpening v. Amazon.com Inc., alleging that Amazon’s voice-activated virtual assistant technology, “Alexa,” recorded private conversations without the individual users’ intent.  Those conversations may have included protected health information (PHI), which is protected by HIPAA.  Generally, the suit seeks to hold Amazon liable for the Alexa functionality in certain devices, arguing that the technology activates more often than it should, resulting in recorded and stored conversations that the users never intended for Alexa.

Amazon has a number of Alexa-enabled devices, like the Echo and Echo Dot, as well as Alexa-compatible devices like the Kindle Fire and Amazon TV.  All of these devices have the capability of recognizing a user’s voice and switching on when a “wake word” is spoken. Generally, the “wake word” is “Alexa”; however, the healthcare workers allege that the devices can be activated inadvertently by speaking words that the devices mistake for a “wake word,” including “unacceptable,” “election,” or “a letter.”  In such cases, Alexa will activate, record, and store the question, sentence, or conversation for Amazon personnel to listen to and analyze at a later date.  The complaint states that the plaintiffs’ devices were awakened between 1.5 and 19 times per day without the presence of any “wake word.”  It further alleges that Amazon failed to disclose that it makes, stores, analyzes, and uses recordings collected by Alexa-enabled devices and, further, that it uses human and artificial intelligence to analyze and interpret the records for its business purposes.

Each of the plaintiffs had Alexa-enabled or compatible devices in their homes, where they also conducted work in the health care field.  Each plaintiff stated that the devices may have captured private conversations, including HIPAA-protected information, without their knowledge or intent.  In all but one instance, when the plaintiffs learned that the Alexa-enabled devices in their homes and offices may be recording, storing, and listening to their conversations, they stopped utilizing the devices.  One plaintiff opted to purchase a newer device that came equipped with a “mute” function, which allows the user to turn off the voice-activation functionality.  The plaintiffs in this suit allege violations of the Federal Wiretap Act, the Washington Consumer Protection Act, and the Washington Wiretapping Law because there is no private cause of action under HIPAA.

HIPAA, enacted in 1996, and HITECH, enacted in 2009, are broad-sweeping patient privacy laws that are aimed at protecting patient data, including electronic patient data.  HIPAA places requirements and restrictions on healthcare providers, health plans, and healthcare clearinghouses, collectively called “covered entities,” to safeguard PHI.  PHI includes any information that can be used to identify a person and that relates to that person’s health, a medical condition that they have or had in the past, or payment for the provision of health care to the person.  In the hands of a covered entity, a person’s name, address, credit card number, diagnoses, care plans, and prescriptions are all considered PHI.

While it is still too early to predict how this suit will be resolved, and what its implications may be for healthcare workers in the future, it serves as an important reminder of the need to stay vigilant in applying safeguards and protocols to new technologies that enter our home and workspaces, which can often overlap.  With respect to voice-activated technologies, a person’s watch, phone, tablet, computer, laptop, or television could all have voice-activated features.

Before electronic media, safeguarding a patient’s PHI meant locking a filing cabinet or office door.  Today, healthcare providers must ensure not only that they are keeping devices password protected, secure, and accessible only to authorized personnel, but also that patient, staff, and workplace devices like phones, watches, and tablets in their office spaces, public clinic areas, and private patient meeting spaces do not record and store snippets of conversations that would be considered PHI. Under HIPAA, it is the covered entity’s obligation to stay well-informed of the capabilities of current and emerging technologies, to know how to exercise available privacy options to prevent the unintended recording of PHI, and to adapt HIPAA policies and procedures accordingly. Be aware, however, that there are limitations to the steps one can take to stop inadvertent recordings: federal law prohibits using any type of jamming equipment that interferes with cell phones, GPS, and other communication services, and these laws are actively enforced by the Federal Communications Commission (FCC).  Microphone jamming technology, which scrambles speech so that it cannot be secretly recorded, may or may not be legal, depending on the technology and how it is used. Consult with your favorite technology expert to optimize the settings on your equipment to enhance privacy, as well as with a qualified lawyer to ensure that any policy changes are both HIPAA-compliant and otherwise legal.

 

 


Medical Journal – Houston is the leading source of healthcare business news. With extremely relevant content, late-breaking news and monthly exclusives from industry experts, MJH News has created a winning combination of must-read editorial that physicians and hospital executives eagerly anticipate month after month. MJH News is the resource that provides everything they need in one place, and it is a high honor that they rely upon Medical Journal – Houston to keep their practice or hospital on the cutting edge.
