hipaa and ai voice: what clinic operators actually need to know
hipaa gets invoked constantly as a reason not to adopt ai voice tools. most of the time, the people invoking it don't fully understand what it requires.
that's not a knock on clinic operators. hipaa is genuinely complicated, and the way vendors talk about compliance ranges from precise to completely made up.
what hipaa actually covers
hipaa applies to protected health information — any individually identifiable information relating to someone's health condition, treatment, or payment for healthcare.
a call that only involves scheduling might not generate phi in the strict technical sense. in practice, most clinical calls involve enough context that they should be treated as phi-generating.
the business associate agreement requirement
if your ai voice vendor handles calls that involve phi, they are a business associate under hipaa. you are required to have a signed baa with them before they touch any patient data. this isn't optional.
when you ask a vendor for their baa and they can't produce one, that's a significant red flag.
what a baa does, and what it doesn't
a baa establishes that the vendor understands they're handling phi, commits them to appropriate safeguards, and allocates liability in the event of a breach. it doesn't transfer your hipaa obligations to the vendor.
because those obligations stay with you, a signed baa on its own isn't enough: you should still understand what safeguards the vendor actually has in place.
technical safeguards to ask about
- encryption at rest and in transit: aes-256 at rest, tls 1.2+ in transit
- access controls: who at the vendor can access call recordings, and is that access logged
- data residency: where phi is stored and processed; us-based storage is a common requirement
- retention and deletion: how long are recordings kept, can you trigger deletion
- breach notification: the vendor's process if a breach occurs; hipaa requires notification no later than 60 days after the breach is discovered
- subprocessors: does the vendor use third parties to process phi
the consent question
hipaa doesn't require specific consent for routine treatment-related communications. call recording is a separate question: state recording laws may require consent that hipaa does not.
“patients are more comfortable with ai than most providers expect, especially when it's disclosed upfront and works well.”
the disclosure we recommend
even where it isn't legally required, we think ai-answered calls should include a brief disclosure at the start. something like: 'hi, this is [practice name]. you've reached our ai receptionist. this call may be recorded.'
soc 2 as a signal
soc 2 type ii isn't a hipaa requirement, but it matters. it's an independent audit of a vendor's security controls, conducted by a third-party auditor.
a vendor who self-attests to security controls without independent verification is asking you to take their word for it. in healthcare, that's not good enough.
the practical checklist
- signed baa in place before the vendor touches any patient data
- vendor can describe their encryption standards clearly
- documented breach notification process with defined timelines
- us-based data residency confirmed
- recording consent handled appropriately for your state
- soc 2 type ii completed or actively in progress
hipaa doesn't prohibit ai voice tools in healthcare. it requires that they be deployed with the right agreements, safeguards, and operational controls.
coya ai
put this into practice.
coya handles your calls, books appointments, and learns your business so your front desk can focus on the work that actually needs them.