LeadingAge CAST Supporter BlueOrange Compliance generously partnered with CAST to provide this article on how providers can take advantage of opportunities and mitigate risks with smart speakers and voice-controlled devices. It addresses relevant issues in nursing homes, assisted living, and independent living. Guidance on policies, procedures, training, and monitoring are included, along with sample VcD policy and procedure guidance.

Just as senior living communities have comfortably integrated internet policies into their communities, new smart speakers and voice-controlled devices (VcDs) are presenting a new set of opportunities and risks. The Internet of Things (IoT), which allows technology and devices to connect, interact, and exchange data, enhances quality of life and care for residents, but may pose added cybersecurity and privacy concerns.

Reducing loneliness, reminding residents about appointments, educating them about nutrition, and bringing the world to people without having to use a computer keyboard are just a few examples of how the current IoT “listening,” and sometimes “seeing,” devices can have a tremendous impact on daily life. The VcD can provide companionship directly or by being a portal to other loved-ones. It can entertain, and it can certainly enhance resident experiences and satisfaction. A care provider can even communicate information and reminders via the VcD to a resident.

While these devices and the things they are interacting with are getting more versatile at a remarkable pace, reasonable-use parameters and the ability to provide technical support are critical; similar to any new technology in a semi-private setting. At the very basic information-security level, a senior living community should not connect IoT device (including a VcDs) to the network that is used for its corporate, financial, health or other sensitive information until protections are in place. Other considerations include:

• Where is the device being used within the life plan community (i.e., nursing-unit, assisted living, or independent living)? 
• Will the device be used only in private rooms or apartments, or in shared rooms, nurse stations, treatment areas, or common spaces?  
• Are residents bringing their own devices or are they being provided by the community as an amenity or service?
• Will the device be enabled with acceptable security, and accompanied by facility-acceptable use guidance and procedures?

According to the National Law Review, as healthcare providers continue to design new ways to use VcDs, the problem remains that the devices are not in themselves “compliant with federal privacy law protections under the Health Insurance Portability and Accountability Act (HIPAA). Although HIPAA compliance is expected to occur in the near future, the proper technical and security safeguards have not been implemented.” 

Although there are minimum privacy and information-security standards in the HIPAA regulations developed many years ago, they did not anticipate IoT. More recent state laws may be more restrictive, and the journal warns any use of a VcD or other IoT devices “would also have to be compliant with applicable state law.”

However, in April 2019, Amazon announced that its Alexa Skills Kit now enables select Covered Entities and their Business Associates to handle health information as part of an invitation-only program. As VcDs continue to advance in the healthcare space, this is good news for the industry. Amazon has developed a HIPAA-compliant method for a defined set of Amazon “healthcare skills” for those six covered entities. This will allow people who are clients of the six organizations to interact using Alexa and their defined relevant health data will be stored and maintained by that organization. However, the Amazon announcement does not mean that Alexa can be used unilaterally as HIPAA compliant. Senior living organizations covered by HIPAA should continue to follow recommended guidance for non-HIPAA compliant VcDs. Please note that there are vendors that have created HIPAA compliant management software allowing them to be implemented in senior living settings as well as other healthcare settings.

Another important consideration is passive “listening” as it relates to HIPAA and ePHI. Many IoT devices are designed to identify acoustic patterns that match the “wake word.” In most cases the VcD technology allows the microphone to be turned off, preventing the device from “listening,” and/or streaming audio to the cloud, even when the user says the chosen wake word. Also, with most VcDs the voice recordings associated with a user’s account can be reviewed and deleted. 

While these precautions are seemingly simple, managing this technology for many residents at one time has the potential to become extremely burdensome and complicated with compliance and other legal implications. The National Law Review recommends that providers undergo a privacy and information-security review to ensure all state and federal legal and regulatory requirements are met prior to implementing new technology.  

The challenge is particularly daunting in life plan communities as residents move along the continuum of care within the community. To compensate for varying levels of how VcDs may be used, operators should take precautions at the highest level with a more stringent and comprehensive approach to internet and data security, possibly using firewalls and other tools to either segregate or integrate data. 

VcD Applications in Nursing Homes

At the strictest level, the Nursing Homes (NH) environment, as a defined covered entity, must always comply with HIPAA/HITECH regulations and adopt evolving procedures to conform to new technologies. Among other things, these procedures need to address potential business associates and workforce training, anticipating and protecting against electronically stored protected health information (ePHI) breaches, all within a framework of resident rights. 

Voice-enabled technology can be highly beneficial for clinicians in multiple ways—using VcD to obtain/ access a resident’s electronic health record, remind a resident to exercise, take a medication or void, and capture examinations to support accurate coding and billing. Any type of interactive recording will probably be accessible for Quality Assurance purposes, as well as third-party audits, so a facility should be skilled at maintaining and securing these tools and including them as part of the annually required risk assessment.

Privacy and Security in Assisted Living Settings

A potential liability for assisted living providers is home-health caregivers delivering services in a resident’s apartment. Depending on how the assisted living provider is required to comply with state or federal privacy requirements, they along with the home-health provider should be aware of how the VcD is intentionally or passively involved with health information privacy, security, and documentation issues.  The risks in this situation could rise to HIPAA violations if the ePHI is breached due to an unsecured network or other unmitigated risks. 

Considerations for Independent Living

While information security and privacy may not be regulated for independent living, the liability and a community’s reputation are still concerns, whether the device is provided by the community or resident. In instances where residents bring their own devices, providing a secured, protected, and perhaps dedicated WIFI network, as well as securing a signed agreement with the resident (and possibly device manufacturer) that covers expected management of malware and ePHI.  Another dynamic to consider is the potential of one resident visiting another and sharing what would be considered ePHI while a VcD is “listening,” i.e., has its microphone on and monitoring for the wake-up phrase. As in other residential community settings, the community must take responsibility for how devices will be secured against potential violations. 

Legal Considerations

Because VcDs may mishear a word that sounds like the wake word—they open up a new concern as possible digital evidence in lawsuits. While companies may be resistant to releasing information stored in the cloud, a subpoena can demand this evidence of resident care encounters. As a precaution, providers should consult with their legal counsel regarding the inclusion or amending of resident contracts to account for privacy and/or liability issues related to VcDs. 

Balancing Opportunities with Privacy and Security Risks

The intersection of IoT, internet security, healthcare, and senior living has incredible potential, but along with it a complex set of challenges that warrant careful monitoring and vigilant compliance—all changing at an accelerated pace. Providers and vendors need to know how to not only keep the VcD functioning, but also protect individuals and organizations from unnecessary concern while understanding and managing the organizational privacy, security and compliance risk introduced by the use of these devices. In addition to keeping up with literature and industry resources, it is often valuable to have a privacy and information-security consultant provide current conforming procedures, as well as legal counsel since digital recordings could be used as evidence. 

Policies, Procedures, Training and Monitoring

In addition to the above considerations and identified privacy, security and compliance risks, providers should consider having policies, procedures, and training to mitigate the accepted risks associated with the deployment and use of VcDs that are appropriate to the care setting, application, deployment circumstances and monitor the enforcement of such policies and procedures. 

These should include: 

• A clear policy on allowing or barring the use of such devices, whether brought by staff, resident/family-furnished devices, and offered by the organization, in each of their care settings. The policy should detail not only what platforms are allowed, for example a strictly HIPAA-compliant VcD (e.g., SoundMind, Aiva Health, or others), but also where they are conditionally allowed, or prohibited (e.g., in semi-private NH rooms).  
• When allowed, the policies should specify preferred or mandated settings for VcDs and network requirements that warrant the security of the information depending on the care setting and the application; for example, whether they should connect to a resident’s virtual private network, that is logically and/or physically separate from the provider’s business network when the VcD is resident/family-furnished. 
• Where allowed, the policies should include clauses about posting clear visible notices and/or having disclosures about the presence of audio recording/ monitoring devices to staff, residents and visitors, as well as advising them to refrain from discussing personal, health information, or having private sensitive conversation. In addition, the policies should dictate obtaining and keeping consents where applicable (e.g., from co-habitants in semi-private rooms and their family).
• Providers should have policies as well as instructions and training for staff, and potentially residents, to turn off, unplug, or mute non-HIPAA compliant VcDs when not in use, especially before discussing personal, health information, or having private sensitive conversation. 

VcD Policy Guidance

It is the policy of to allow the installation and operation of Voice Controlled Devices (VcD’s) only as specifically identified in this and other applicable policy and procedures. 

It is the policy of that the IT Department shall establish and implement procedures to evaluate and authorize the HIPAA compliant VcD devices that have applications or skills designed to operate in a clinical environment.

It is the policy of that Workforce Members may not intentionally activate VcDs for the communication of Protected Health Information (PHI) unless the application or skill has been approved and authorized by the IT department as HIPAA compliant.

It is the policy of that if a Workforce Member is aware that a non-HIPAA compliant VcD device or skill has been activated in “listening” mode, Workforce Members shall not discuss PHI, even at the request of a resident of family representative. 

VcD Procedure Guidance

For more information on privacy and security best practices as they relate to smart speakers and voice-controlled devices download the guidebook Smart Speakers and Voice-Controlled Devices in Senior Care: New Opportunities and Risks.

.