If you're a healthcare provider deploying AI voice agents, HIPAA compliance is non-negotiable. This guide covers what you need, what to avoid, and which platforms offer BAAs.

Important legal disclaimer

This guide is informational, not legal advice

HIPAA is complex and penalties are severe. Consult a healthcare attorney and your compliance officer before deploying AI voice agents in any healthcare setting. This guide covers general principles as of early 2026.

HIPAA basics for AI voice

HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) — any individually identifiable health information. If your AI voice agent collects, stores, or transmits PHI, HIPAA applies.

What counts as PHI in AI voice calls:

  • Patient name + appointment type (implies condition — e.g., "John Smith, fertility consult")
  • Patient name + doctor specialty (e.g., "Jane Doe calling oncology")
  • Any symptom description ("I have chest pain")
  • Any medication names
  • Any diagnosis information
  • Insurance information tied to a patient
  • Date of birth tied to health services

Even basic appointment scheduling captures PHI if the appointment type reveals anything about the patient's health (which it almost always does).

Business Associate Agreements (BAA)

If your AI voice platform processes PHI on your behalf, they are a "Business Associate" under HIPAA. You must have a signed BAA with them before any PHI is shared. Without a BAA, you cannot use the platform for healthcare.

Major platforms' BAA support:

PlatformBAA available?Cost premiumPlan required
VapiYes$200-$500/monthEnterprise
Retell AIYes$200-$500/monthEnterprise
SynthflowYes$200-$500/monthBusiness or Enterprise
Bland AIYes$200-$500/monthEnterprise

The BAA premium roughly doubles your platform cost. Budget accordingly.

Minimum necessary standard

HIPAA's "minimum necessary" standard requires you to collect only the PHI needed for the specific purpose. For AI voice agents, this means:

  • Don't collect diagnosis information — capture chief complaint in general terms only
  • Don't collect medication lists — route medication questions to clinical staff
  • Don't collect detailed medical history — route to intake staff
  • Don't repeat PHI back — "I have you down for a cardiology appointment on Tuesday" is OK; "I have you down for a follow-up on your heart murmur" is not
  • Limit disclosure — only collect what's needed to schedule or route the call

Sample HIPAA-compliant intake flow:

"Hi, I'm Riley, ABC Medical's virtual assistant. How can I help?

[Caller: I need to schedule an appointment.]

Are you a current patient?

[Caller: Yes, my name is John Smith.]

Great, John. What type of appointment do you need — annual physical, follow-up, or something else?

[Caller: Follow-up.]

OK. What's a good day and time for you? We have Tuesday at 2pm or Thursday at 10am available.

[Caller: Tuesday at 2pm works.]

Perfect. What's your date of birth for verification?

[Caller: 05/15/1980.]

Thank you. I have you scheduled for Tuesday, May 14th at 2pm. You'll get a text confirmation shortly. Is there anything else?

Notice: no diagnosis, no medications, no detailed medical history. Just what's needed to book the appointment.

Call recording and PHI

If you record calls (recommended for QA), the recordings become PHI and must be stored in a HIPAA-compliant manner:

  • Use platform's HIPAA-compliant storage — typically an enterprise-tier feature
  • Disable recording if BAA not in place — non-BAA storage of recorded PHI is a violation
  • Auto-delete recordings after defined retention period (typically 90-180 days)
  • Restrict access — only staff with need-to-know should access recordings
  • Audit access — log who accessed which recording and when
  • Encrypt in transit and at rest — all major BAA-tier platforms do this

Patient disclosure requirements

Your Notice of Privacy Practices (NPP) must disclose AI use. Update your NPP to include:

  • Use of AI voice agents for call handling
  • What information is collected by the AI
  • How that information is used and shared
  • Patient rights regarding AI-collected information
  • How to request a human instead of AI

Display the updated NPP on your website, in your waiting room, and provide to new patients at intake.

HIPAA-compliant platform setup

  1. Sign BAA with platform (Enterprise tier required)
  2. Configure AI to never collect diagnosis, medications, or detailed medical history
  3. Disable call recording if not using HIPAA-compliant storage
  4. Configure auto-deletion of recordings and transcripts (90-180 days)
  5. Set up access controls — only authorized staff can access call data
  6. Enable audit logging
  7. Update Notice of Privacy Practices
  8. Train staff on AI voice agent and HIPAA compliance
  9. Configure "press 0 to speak to a human" option
  10. Test with non-PHI scenarios first, then live with PHI

Frequently asked questions

Do I really need a BAA if I'm just scheduling appointments?

Yes. Appointment scheduling captures PHI (patient name + appointment type = condition implication). Any platform processing this on your behalf needs a BAA.

What if I only use AI for after-hours calls and don't collect any medical information?

Still risky. Callers may spontaneously share medical information even when not asked. The safest approach is BAA + minimum necessary configuration. Without BAA, you're gambling.

Can I use a non-BAA platform if I have callers sign a waiver?

No. HIPAA doesn't allow patients to waive their rights. You're responsible for protecting PHI regardless of patient consent.

How much does HIPAA compliance add to AI voice cost?

Typically $200-$500/month extra for BAA-tier platform access. Plus initial setup ($500-$2,000 for HIPAA-compliant configuration), staff training ($500-$2,000), and NPP updates ($200-$1,000 if using a healthcare attorney).