Alexa, Are You Listening?

  • Writer: Jessica Zeff
  • Mar 6
  • 3 min read
[Illustration: a voice-activated smart speaker emitting sound waves toward a medical records folder, separated by a warning shield, representing the risk of passive listening and unintended exposure of protected health information.]

A few weeks ago, I was visiting a provider client’s office for a routine compliance review. While walking through their shared workspace, I heard something I hadn’t expected—Alexa chiming in with a weather update. “She keeps us company during long charting sessions,” one staffer joked.


I smiled, but inside I was calculating the potential HIPAA exposure. Not long after, another client raised a similar concern—but this time about their remote workforce. “Do we need a policy on employees using voice assistants at home while working with patient data?”


The short answer: yes, you do.


Let’s talk about why.


Smart Speakers: Helpful Tech or Hidden Risk?

Amazon Echo, Google Nest, Apple HomePod—these voice assistants can turn on lights, set reminders, even play your favorite compliance podcast. But they also listen continuously for their “wake word”—and that passive listening introduces risk.


Even if a device is not recording 24/7, it is processing sound in its environment. That means:


  • Patient names

  • Diagnosis details

  • Appointment times

  • Billing questions


…can be picked up unintentionally, especially in environments where work calls, telehealth visits, or screen-read-aloud features are active.


For healthcare organizations bound by HIPAA, this creates a privacy vulnerability.


HIPAA Implications: The “Minimum Necessary” Goes Both Ways

HIPAA doesn’t just govern what you disclose—it governs what’s accessible. If a non-compliant third-party device can overhear PHI (Protected Health Information), then you have a potential unauthorized disclosure.

Smart speakers are not covered entities, not business associates, and not secure by default.


Imagine a staff member working from home, discussing a patient’s test results on speakerphone, while Alexa is active nearby. That conversation could inadvertently be captured, even briefly, by the device’s software or cloud processing services.

And if it’s captured, stored, or even analyzed for service improvement, you've got an exposure event—and no business associate agreement to shield you.


What a Smart Speaker Policy Should Include

To manage this risk, compliance leaders should draft a clear policy that addresses both in-office and remote work environments.


Here’s what a good smart speaker policy should cover:


Prohibited Use

  • Smart speakers and voice assistants must not be used in any setting where PHI is discussed, stored, or accessed.

  • Applies to both organization-owned and personally owned devices.


Remote Work Guidance

  • Employees working from home must disable or unplug all smart speaker devices in their work area during work hours.

  • If the device is built into a phone or operating system (e.g., Siri, Google Assistant), it should be disabled in work profiles.


Workarounds Not Allowed

  • Muting the microphone or “not using the wake word” is not sufficient. Devices must be fully powered off or removed from the workspace.


Enforcement and Acknowledgment

  • Add the policy to your broader HIPAA training and security awareness program.

  • Have remote workers sign an acknowledgment form confirming their understanding and compliance.


The Privacy Culture Message

This isn’t about being anti-technology. It’s about thinking like a compliance officer, even when no one is watching. Privacy isn’t just about breaches—it’s about creating a workplace culture where confidentiality is respected in every environment, including your home.


As privacy professionals, we ask our teams to:

  • Lock screens

  • Use secure VPNs

  • Shred documents

  • Avoid discussing PHI in public


So it’s not a stretch to also say: “Unplug Alexa when you’re working.”



What You Can Do Today

Here’s your quick action list:

  1. Draft a Smart Device Use Policy specific to your organization’s environment.

  2. Train staff—both clinical and non-clinical—on why it matters.

  3. Update your telework or remote access agreements to include these restrictions.

  4. Do a technology walk-through in your own office or home setup. You might be surprised what’s listening.


And if you’re ever in doubt, ask yourself this:


Would you allow an unknown vendor to sit in the room and listen to your patient calls?

If not—then Alexa doesn’t belong there either.
