Guides · April 21, 2026 · 8 min read

Is an AI Receptionist HIPAA Compliant for Dental Offices?

Only if it's built that way. Here's the specific checklist for evaluating HIPAA compliance — BAA, encryption, access controls, vendor chain — and the red flags to walk away from.

By Axis Team

An AI receptionist can be HIPAA compliant, but not every vendor is. There is no official HIPAA certification: "HIPAA compliant" is a claim the vendor makes about itself, and for voice AI in healthcare it is a continuous obligation rather than a checkbox. It shows up in the Business Associate Agreement, the encryption architecture, the subcontractor chain, and how the platform treats patient data day to day. Before you sign anything, run through the checklist in this piece. The gap between "HIPAA compliant" and "HIPAA marketing language" is substantial.

This applies equally to dental, primary care, mental health, and any other covered-entity practice. The specifics of PHI differ slightly by specialty, but the compliance architecture is the same.

What the Vendor Must Have

1. Business Associate Agreement signed before onboarding

If a vendor creates, receives, maintains, or transmits PHI on your behalf, it is a business associate and must sign a BAA before service begins (45 CFR 164.502(e) and 164.504(e)). Not after the first call. Not as an add-on. Not "available on the enterprise tier." If a vendor asks you to sign Terms of Service that reference PHI handling without a BAA, that's a legal problem, not a product problem.

2. Encryption at rest (AES-256) and in transit (TLS 1.3 preferred, TLS 1.2 minimum)

All call audio, transcripts, derived data, and metadata must be encrypted at rest; AES-256 is the industry standard. HIPAA itself names no algorithm, and HHS guidance defers to NIST, so in practice the floor for data in transit is TLS 1.2 with modern cipher suites, with TLS 1.3 preferred and TLS 1.0/1.1 disabled. Be clear about what "in transit" can cover: a call that arrives over the public telephone network is not encrypted end to end, so the vendor controls only the leg between its carrier and its own systems (SIP over TLS, SRTP) and every hop after that. Ask for an encryption diagram that shows each hop, which party terminates TLS, and who holds the keys for data at rest (a managed KMS with keys separate from the storage credentials, not a key sitting in application config).

3. Every downstream vendor is covered

This is the most commonly missed piece. An AI receptionist sits on top of voice infrastructure (Twilio, Telnyx), language models (Anthropic, OpenAI, or equivalents), cloud hosting (AWS, GCP), data storage (S3, managed databases), and monitoring and error-tracking tools that may see transcripts in logs. Every one of those subcontractors that might touch PHI must have a BAA with your vendor; the Privacy Rule requires a business associate to flow the same obligations down to its subcontractors. Note that model providers generally offer a BAA only on specific API products and retention settings, not on their consumer or self-serve terms, so ask which product and which retention configuration the vendor actually runs on. Ask for the full list.

Red flag: vendors who name-drop "enterprise SOC 2" but can't produce a vendor-list-with-BAAs document.

4. Your patient data is never used to train public AI models

This is contractually enforceable and should be explicit in the BAA or its data-use terms, and it should cover more than training: whether the model provider retains prompts and outputs at all, for how long, and whether humans ever review them. Some consumer AI tools have ambiguous language here; medical AI vendors should have crystal-clear prohibitions. If the BAA doesn't address this directly, ask for an amendment.

5. Role-based access controls with audit logging

Only authorized vendor personnel should be able to access PHI, each under a named account rather than a shared login, and every access should be logged, including access by the vendor's automated pipeline and by support staff troubleshooting a call. The logs should be tamper-evident (append-only storage the application cannot rewrite), retained for at least six years, and available to you on request for audit purposes. Ask how often the vendor actually reviews them; the Security Rule expects regular review of system activity, not just collection.

6. Breach notification within 24 hours

The Breach Notification Rule requires a business associate to notify you without unreasonable delay and no later than 60 calendar days after discovery; 60 days is the outer limit, not the target. Your own clock for notifying patients also runs from discovery, and if the vendor acts as your agent its discovery date is treated as yours, so every day a vendor sits on a breach is a day taken from your response. Anything beyond a few business days signals a vendor that hasn't built real breach response. Good vendors commit to 24 or 48 hours contractually.

7. Configurable data retention

You should control how long call audio, transcripts, and derived data are retained. 30 days is a common floor; some practices retain longer per state recordkeeping rules. The vendor should let you configure this per category, apply it to backups and to subcontractors (the model provider's logs, the carrier's recordings) as well as primary storage, and produce a deletion record on request that says what was deleted, when, and from where.
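Items 5 and 7 both end in something you should be able to check rather than take on faith: that access logs cannot be quietly rewritten, and that deletions actually happened. The Python below is an added example, not code from this page or from any vendor's platform, showing one way to get both properties: a hash-chained, append-only audit log, and a per-category retention sweep that records every deletion in that log so the log itself is the deletion record. The categories, retention periods, in-memory record store, and actor names are hypothetical. A real deployment would also export the chain head periodically to a system the application cannot write to, because a chain only proves tampering relative to a head hash the tamperer does not control.

```python
"""Tamper-evident audit log plus per-category retention sweep (added example).

Everything here is hypothetical: the record categories, retention periods,
in-memory store and actor names are stand-ins, not any vendor's schema.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain head before any entry exists


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one.

    Editing, reordering or deleting an entry changes the hash that every later
    entry was computed from, so verify() pinpoints the first broken link.
    """

    FIELDS = ("ts", "actor", "action", "target", "prev")

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(payload):
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, actor, action, target, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"ts": when.isoformat(), "actor": actor, "action": action,
                   "target": target, "prev": prev}
        entry = dict(payload, hash=self._digest(payload))
        self.entries.append(entry)
        return entry

    def head(self):
        """Current chain head; export it out-of-band so tampering is provable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return (True, None) if intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: e.get(k) for k in self.FIELDS}
            if e.get("prev") != prev or e.get("hash") != self._digest(payload):
                return False, i
            prev = e["hash"]
        return True, None


# Hypothetical policy: retention in days per data category (item 7).
RETENTION_DAYS = {"call_audio": 30, "transcript": 90, "derived": 365}


def retention_sweep(store, policy, log, now, actor="retention-job"):
    """Delete records past their category's retention and log each deletion.

    Returns the deleted record ids so the run can be reconciled against the log.
    A record whose category has no policy is never handled silently: that is a
    configuration error, and deleting or keeping it by accident is the wrong default.
    """
    deleted = []
    for rid, rec in list(store.items()):
        if rec["category"] not in policy:
            raise KeyError(f"no retention policy for category {rec['category']!r}")
        if now - rec["created"] >= timedelta(days=policy[rec["category"]]):
            del store[rid]
            log.append(actor, "delete", f"{rec['category']}:{rid}", now)
            deleted.append(rid)
    return deleted


def demo():
    """Run a sweep, then show the log catching an edit to an earlier access entry."""
    now = datetime(2026, 4, 21, tzinfo=timezone.utc)
    # Constructed sample records: id -> category and creation time.
    store = {
        "c1": {"category": "call_audio", "created": now - timedelta(days=45)},
        "c2": {"category": "call_audio", "created": now - timedelta(days=10)},
        "t1": {"category": "transcript", "created": now - timedelta(days=100)},
        "d1": {"category": "derived", "created": now - timedelta(days=200)},
    }
    log = AuditLog()
    log.append("support@vendor.example", "read", "transcript:t1", now - timedelta(days=1))
    deleted = retention_sweep(store, RETENTION_DAYS, log, now)
    intact_before, _ = log.verify()
    # Someone with write access to the log store rewrites who read the transcript.
    log.entries[0]["actor"] = "nobody"
    intact_after, first_bad = log.verify()
    return deleted, sorted(store), intact_before, intact_after, first_bad


if __name__ == "__main__":
    print(demo())  # (['c1', 't1'], ['c2', 'd1'], True, False, 0)
```

When you ask a vendor for a deletion record, the thing to look for is the equivalent of the `delete` entries above: a per-record statement of what was removed, when, and by which job, that sits inside the same audit trail as the access events rather than in a separately produced spreadsheet.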

Dental-Specific Considerations

Dental practices have a few HIPAA idiosyncrasies worth naming:

  • PMS integration: Open Dental, Dentrix, and Eaglesoft are commonly run on-premise or in a private cloud; Curve Dental is cloud-hosted. Either way, the AI receptionist's integration path must be architected to avoid bulk PHI egress: a scoped integration account limited to scheduling and patient contact fields, not a sync of the whole patient table. Review what the connector actually reads, not just what the feature list says it needs.
  • Treatment notes and imaging: These should be out of scope for a front-desk AI under the minimum-necessary standard. If a vendor's feature list includes "access treatment notes to answer patient questions," that's a scope expansion you probably don't want.
  • Insurance EDI: Eligibility verification creates PHI flow between your vendor and clearinghouses. Confirm BAAs exist all the way through.

Red Flags to Walk Away From

  • "We use OpenAI GPT directly, that's enterprise-grade": sending PHI to a model API without a BAA that covers that exact API product is a disclosure to a party that is not your business associate, which is an impermissible disclosure no matter how good the model is.
  • "Our analytics show aggregated patient data across all our practices": unless that data is de-identified under HIPAA Safe Harbor (all 18 identifier types removed) or Expert Determination, it is still PHI and it's a problem.
  • "We'll sign the BAA at the time of upgrade": no. Before service begins, every time.
  • "Our security page lists SOC 2, HIPAA, and GDPR": SOC 2 is not HIPAA; different scope, different audit, and there is no HIPAA certification body. Ask for the specifics: the BAA, the risk analysis, the subcontractor list.
  • "Encryption is provided by AWS": AWS offers at-rest encryption on its HIPAA-eligible services, but under the shared responsibility model the vendor still has to verify it is on for every store, restrict who can read the buckets and databases, manage the keys, and encrypt its own service-to-service traffic. Transit encryption, key management, and access logging each need a separate answer.

Your Side of the Obligation

HIPAA is a shared responsibility. The vendor can be fully compliant on their side while you introduce risk on yours:

  • Managing who on your team can access the AI admin dashboard
  • Ensuring call recordings and transcripts aren't downloaded, emailed, or forwarded outside approved systems
  • Keeping your Notice of Privacy Practices current to reflect AI involvement in patient communication
  • Training your staff on patient escalation paths (the AI will flag things; humans need to follow up)

FAQ

Is SOC 2 the same as HIPAA compliance?

No. SOC 2 is a controls framework — useful signal, not sufficient. HIPAA compliance is a legal obligation that requires a BAA and specific PHI handling. Vendors should have both; neither replaces the other.

Can patients opt out of AI handling under HIPAA?

Patients can request specific handling under the Privacy Rule, though there's no general right to refuse automated processing. Practically, practices honor direct requests for human-only handling; the AI routes those patients to your team.

What happens if the vendor has a breach?

Under HIPAA, the vendor is a business associate and has its own obligations. Your BAA should specify breach notification timing, cooperation, and indemnification. Most well-structured BAAs have the vendor cover reasonable costs for affected-patient notification.

Is AI recording patient calls itself a HIPAA issue?

No, not by itself. Recording is common on healthcare phone lines (voicemail, quality assurance); what HIPAA governs is how the recording is stored, accessed, and retained, which is covered under the BAA. Separately from HIPAA, state call-recording laws apply: several states require all-party consent, so the AI's greeting should disclose both recording and automated handling.

Do I need to update our Notice of Privacy Practices?

Many practices refresh the NPP when adopting new PHI-handling vendors. It's good practice to reference automated phone handling in your disclosures. Your attorney should review the language.
