Virtual assistants such as Amazon’s Alexa, Facebook’s Portal, Google’s Nest Hub, and countless others continue to grow in popularity as families look for safe ways to remain connected with loved ones receiving long-term care during a continuing pandemic. In some instances, facilities themselves have encouraged the use of virtual assistants, hoping to ease isolation, boost morale, and promote independence.
At their core, virtual assistants are passive listening and recording devices. This raises significant compliance concerns not just around the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Law and analogous state laws, but also laws governing the recording of in-person conversations and disability discrimination and accommodations. Further, Virginia recently adopted HB 2154 directing the Virginia Department of Health to establish regulations requiring hospitals, nursing homes, and certified nursing facilities to implement policies that ensure patient access to intelligent personal assistants while protecting their HIPAA privacy rights.
There are many considerations in drafting a virtual assistant policy that supports the positive outcomes of allowing this technology in a long-term care facility, but that also comports with applicable state and federal laws and regulations.
- Where is the facility located? Consider whether this policy will apply only to a particular location or perhaps to a group of facilities in a single state. If the policy will be used across states, the strictest set of state rules should govern the limits of the policy, though it is important to consider whether any overlap in state laws could trigger an internal conflict in the policy. Will a single policy govern different types of long-term care facilities (long-term acute care, skilled nursing, or assisted living) or even different types of healthcare facilities across a health system? For example, certain states have laws regulating the use of video cameras that record both video and audio in nursing homes (among other healthcare facilities). These laws could be tripped by virtual assistants with cameras, such as Facebook’s Portal or Amazon’s Echo Show, but may be a non-issue in another residential facility in the same state. States also may have restrictive recording laws that prevent virtual assistants from being used in shared spaces. Note that federal privacy laws, such as the HIPAA Privacy Rule, will apply regardless of location and should be the cornerstone of these considerations for covered entities.
- What is a virtual assistant? In defining “virtual assistant,” the facility should first consider any relevant state law definitions. Different states may also use different terms for these devices, such as “digital assistants” or “intelligent personal assistant.” For example, Virginia defines an “intelligent personal assistant” as “a combination of an electronic device and a specialized software application designed to assist users with basic tasks using a combination of natural language processing and artificial intelligence.” It is also important to consider any exclusions from the definition that make sense for the type of facility and its patient population (e.g., “virtual assistants shall not include any video devices”), as well as exceptions for medical devices that arguably could be classified as virtual assistants (depending on how broad the definition of “virtual assistant” may be).
- Who provides the device and who gets to use one? It is important to consider how antidiscrimination laws, such as the federal Americans with Disabilities Act (ADA), may be tripped by situations in which the facility is providing the virtual assistant and may be required to provide adaptive access to the virtual assistant. Facilities can streamline the ADA and HIPAA Security Rule requirements by requiring patients to bring their own device rather than provisioning a personal device to the patient. The facility should set forth the eligibility requirements for patients to use these devices at the facility. This policy may include rules regarding whether patients’ devices may connect to a facility’s wireless network (e.g., a family member may need to connect to the patient’s personal network to install the device vs. the facility undertaking maintenance within the context of its network security policies); limitations of use in public or shared spaces; and a requirement to sign the appropriate authorization and consent forms. If patients are unwilling or unable to meet these requirements, the policy may prevent them from having a virtual assistant.
- Setting ground rules (ownership, use, misuse, and damage). The policy should set “ground rules” governing ownership of the device and any waivers to facility liability if the virtual assistant is not owned by the facility (or recovering damages if a facility-owned virtual assistant is damaged), as well as what may be considered proper “use” and “misuse” (partly informed by the facility’s general policies, but also by applicable laws and regulations). Facilities may choose to handle some of the thornier issues by adopting some broader ground rules, such as limiting use of virtual assistants solely to private rooms.
- Preparing necessary consent forms and notices. The facility should consider preparing a virtual assistant-specific consent form, which may include HIPAA authorization language and patient consent to any preconditions to be met or acknowledgements to be made in connection with receiving or being allowed to use a virtual assistant in the facility. The facility should confirm whether posting any “recording” warnings in spaces in which virtual assistants are used is required by state law and, if not, whether it is still advisable to consider requiring such signage to prevent inadvertent privacy disclosures.
- Always allow for facility discretion and professional judgment. The policy should give the facility ultimate discretion (and protect providers’ professional judgment) in connection with the use of a virtual assistant. In particular, consider actions such as disabling a device when appropriate, whether it is due to misuse or to protect a patient’s privacy (e.g., muting an Alexa device when a provider is examining a patient or discussing protected health information), so that patients’ care is not compromised by access to or use of virtual assistants in the facility.
There is no one-size-fits-all virtual assistant policy and the complexities of these considerations will continue to evolve as more states begin to regulate the use of virtual assistants in healthcare spaces, not just for long-term care facilities. Ultimately, the most important goal in preparing these policies is to protect the well-being and privacy of all patients receiving care at the facility.
Special thanks to Adriante Carter (3L University of Florida), a Bradley summer associate, for her thorough research and contributions to this article.
 Va. Code Ann. § 32.1-127(B)(29).