Drexel's Robert Field and Wharton's Arnold J. Rosoff discuss Amazon's Alexa and HIPAA compliance.

Millions of people use Amazon voice assistant Alexa to play music, make phone calls or order a delivery of dog food. Now they can ask the device to help them find a doctor or check their blood sugar. The tech giant announced this month that Alexa is HIPAA compliant, which means it is allowed to receive and transmit information that is protected under the U.S. Heath Insurance Portability and Accountability Act (HIPAA) of 1996. Amazon is currently working with six business partners — Livongo, Express Scripts, Cigna Health Today, Swedish Health Connect, Atrium Health and ERAS, a program of Boston Children’s Hospital —  to help customers make appointments, access medical instruction, track a prescription and other services. It’s a big step for one of the world’s most powerful companies, giving it a stronghold in the $3.5 trillion health care industry.

While the potential for better health outcomes is huge, observers say there are still significant concerns about patient privacy and how Amazon plans to use the data. The Knowledge at Wharton radio show on Sirius XM invited two experts to discuss the topic. (Listen to the podcast at the top of this page.) Robert Field is a professor of law, and health management and policy at Drexel University and a lecturer at Wharton. Arnold J. “Skip” Rosoff is professor emeritus of legal studies and health care management at Wharton and a senior fellow at Penn’s Leonard Davis Institute for Health Economics.

Following are five key points from their conversation.

The Possibilities Are ‘Intriguing’

Both scholars think it was only a matter of time before voice recognition moved into the health care realm, and they’re not surprised that Amazon was the company to get there first.

“It’s an intriguing possibility,” Field said. “You now have a box on top of your kitchen counter that is essentially your doctor talking to you. The question is, will it be a technology in search of a purpose?”

He pointed out that what Alexa can do is no different than what can be done with a keyboard. Currently, the technology offers the same basic functions as a web search. Alexa can’t yet connect users directly with physicians or other health care providers, but that’s expected to change over time.

Field thinks the future capabilities raise a “fascinating psychological dimension” about how much private information people are willing to share with a device, especially elderly patients. That cohort did not grow up with smartphones and laptops, so they may be less comfortable speaking to Alexa about their personal health issues.

“It’s one thing to say, ‘Alexa, play ‘60s music for me.’ It’s another thing to say, ‘Alexa, I think I have diabetes,’” Field said. “Maybe with time we’ll get used to the idea that this box in our kitchen is our friend, is our physician. But maybe not.”

Rosoff offered a different take, dismissing the stereotype of older people as Luddites who fear technology. Rather, they may have physical or mental obstacles that prevent them from typing, for example.

“I’m not sure that Amazon’s checking off the regulatory box on HIPAA compliance begins to answer the privacy concerns that we ought to have.”–Arnold J. Rosoff

“If all they had to do was talk, they’d be much more willing to share information,” he said. “You go into the kitchen in the morning to get your coffee, and Alexa says, ‘Good morning, did you remember to take your pills?’ I can see how you can form a bond with Alexa, especially if your spouse has passed on and Alexa is the only [voice that] talks to you.”

HIPAA Compliance Isn’t Adequate

Amazon had been working for some time to develop software that would meet federal HIPAA regulations, and it even created a health team within its Alexa division a year ago to work on the project, according to Business Insider. Meeting HIPAA standards is important, but the professors questioned whether it is enough.

“I’m not sure that Amazon’s checking off the regulatory box on HIPAA compliance begins to answer the privacy concerns that we ought to have,” Rosoff said.

He explained that the regulations make a sharp distinction between data that identify patients and data that do not. De-identifiable data are often shared with third parties, including academic researchers and pharmaceutical companies. Identifiable data have to be guarded far more carefully.

“In the evolving digital world, the ways that we can re-identify data have gone up dramatically, and I don’t know that HIPAA compliance adequately addresses that concern,” Rosoff said.

Field agreed, saying the compliance that Amazon has achieved is narrow. As a business associate, Amazon is promising to abide by the same regulations as the health care providers, but that stipulation was originally intended for something like an employee of a copier company seeing a medical record when he or she services the machine or delivers copy paper.

“This is kind of turning the notion of HIPAA privacy on its head. It’s data coming in through the business associate,” Field said. “I’m sure their lawyers have scrutinized this and approved it, but going forward they’re going to have to be very careful to stay within the box because it’s going to be very easy for data to leak out, and then this narrow compliance will no longer protect them.”

“We can speculate about what it’s going to do to industry structure, and there are some fascinating possibilities.”–Robert Field

What Happens to the Data?

Concerns about privacy are intertwined with worries about data. Amazon may be the world’s largest retailer, but it’s really a tech company that has been built on the bedrock of data generation and analysis.

Under HIPAA, patient consent is required for the release of data to anyone except for clinicians treating the patient, the insurer or payer, a clearinghouse that’s collecting the data, or for the operations of the provider. “Amazon would be bound by this as well, which raises the question: What are they going to do with the data?” Field said. “If it’s patient-identified data, can they use their traditional business model of targeting people for advertising? They answer should be no. But they must have some idea in mind, because that’s the way they do things. “

Rosoff mentioned Xealth, a Seattle-based health care platform that is integrated with Amazon. The platform works with physicians to put together a list of products and services that may benefit a patient’s specific condition, such as knee replacement surgery. The doctor can offer the list to the patient through Amazon, which links the patient directly to web pages to purchase the items, such as an ice pack for the knee. What happens if those items start appearing as pop-up ads on a patient’s smartphone or computer, or if Alexa verbally offers the product?

“That’s very much like having detail men — salespeople … who go to doctors’ offices to pitch products and services,” Rosoff said. “We’ve got laws governing that because it’s regarded as a risky thing. This is maybe an end-run around the anti-detail men regulations.”

Field also wondered about data that don’t fall under HIPAA, such as asking Alexa general web search questions about antihistamines or diabetes drugs. If Amazon collects and sends that data to a hospital, pharmacy or provider, it then becomes protected health care data.

“Right now, the data are controlled by the doctors, perhaps the hospital that they’re affiliated with, and the company that maintains the software,” Field said. “Now, we’ve got one of the nation’s largest retailers in the mix as well, and the retailer is interested in specifically advertising and marketing. That adds a new element to the mix that is potentially combustible.”

Amazon Leads, Other Tech Companies Follow

The professors expect that other tech companies will scramble to follow Amazon’s lead into HIPAA compliance. But they may have trouble catching up.

“We have to be careful that our excitement about the positive potential doesn’t blind us to the risk.”–Arnold J. Rosoff

“If you look at the innermost concentric circle, you’ve got the competition between Amazon, with their Echo and Alexa, and Google,” Rosoff said. “Amazon’s way ahead with Alexa at this point, and this gives them a tremendous advantage in the short run for being able to recruit other partners in the industry so that they can come up with all kinds of applications.”

Amazon is also on a parallel track to refine its artificial intelligence, which has implications for both the service aspect of health care, as well as advertising and marketing.

“We can speculate about what it’s going to do to industry structure, and there are some fascinating possibilities,” Field said. “For example, if you want to communicate with your local hospital and doctor, will you have to use one product or the other? Will there be antirust issues? I think we’re seeing a whole Pandora’s Box of issues here.”

Nevertheless, there is plenty of money to be made in the sector. Health care makes up nearly one-fifth of the nation’s economy. If Amazon or other tech companies can claim even a “tiny slice of that,” it’s a win, Field said.

“I think they are testing the water here, but the potential is so huge that my guess is they’re willing to take some risks,” he noted.

Privacy Concerns Persist

If Amazon wants to be first in the voice-assisted health care space, then it needs to get it right. The professors said the company will be under pressure for how it handles patient privacy, how well it safeguards data and how it uses data for advertising and marketing.

“The challenge for the Amazons or the Googles or the Apples is going to be to do the targeting and still get around HIPAA. That is supposed to be prohibited,” Field said.

As an example, Rosoff compared an HIV-positive patient who relies on Alexa to give daily verbal reminders about taking maintenance medication vs. a diabetic who does the same.

“Revealing to Alexa that your A1C is up a little bit is one thing; having Alexa remind you that you didn’t take your HIV meds is another,” he said. “I’d feel very different if one of those got out into the world than the other.”

The example shows that there is still so much to explore in the intersection of health care and technology.

“I think there’s a tremendous amount of positive potential there, but there’s also risk,” Rosoff said. “We have to be careful that our excitement about the positive potential doesn’t blind us to the risk.”