HIPAA: how we protect health information on your calls

If your business takes calls that could include protected health information, here's how we keep you HIPAA-compliant — and how to get a signed Business Associate Agreement.

Written By Catherine Weir

Healthcare practices, dental offices, home health agencies, behavioral health providers, veterinary clinics, durable medical equipment suppliers, and any business that coordinates with a healthcare provider all run into the same question when they evaluate AI voice agents: "will this keep me HIPAA-compliant?"

The short answer is yes. The longer answer is what this article is about.

What HIPAA actually is

HIPAA — the Health Insurance Portability and Accountability Act — is the U.S. federal law that governs how protected health information (PHI) is collected, stored, used, and disclosed. It was passed in 1996 and has been strengthened several times since, most notably by the HITECH Act in 2009 and the Omnibus Rule in 2013.

HIPAA breaks into three core rules:

  • The Privacy Rule governs who is allowed to see and share PHI and under what circumstances

  • The Security Rule governs the technical, administrative, and physical safeguards that must be in place when PHI is stored or transmitted electronically

  • The Breach Notification Rule governs what must happen when PHI is exposed — including reporting timelines to affected individuals, the Department of Health and Human Services, and in some cases the media

Covered Entities and Business Associates

HIPAA divides the world into two categories of organization that handle PHI.

Covered Entities are the organizations that originate PHI — doctors, hospitals, pharmacies, dentists, health plans, and healthcare clearinghouses.

Business Associates are the vendors who work on behalf of a Covered Entity and touch PHI in the course of that work. A billing company is a Business Associate. A transcription service is a Business Associate. An AI voice platform that answers calls for a medical practice is a Business Associate.

When we handle calls that may contain PHI on behalf of a Covered Entity, we are a Business Associate. And that means we need a written agreement with you — a Business Associate Agreement (BAA) — that spells out our responsibilities under HIPAA.

How we handle PHI on the platform

  • All call audio and transcripts are encrypted in transit using TLS 1.2 or higher, and at rest using AES-256

  • Access to call recordings and transcripts is restricted to specifically authorized accounts on your team, with all access logged and auditable

  • Our internal staff cannot access your calls or transcripts without explicit, documented authorization, and all support access requires your approval for each session

  • Call recordings are retained only as long as you configure them to be retained — not longer

  • Our infrastructure sub-processors (cloud providers, carriers, AI model providers) are themselves covered by BAAs, and any change in that chain requires explicit review by our compliance team

  • Backup copies of PHI follow the same encryption and access controls as production data

  • If you delete a recording, the deletion propagates through every backup location within 90 days — and we can provide an attestation to that effect if you need one for your own audit

What the BAA covers

Our BAA is a standard HIPAA Business Associate Agreement that has been reviewed by outside healthcare counsel. It covers:

  • Our commitment to use PHI only for the specific services you've engaged us to provide

  • Our commitment to apply all HIPAA Security Rule safeguards

  • Our obligation to notify you within 24 hours of discovering any breach of unsecured PHI

  • Your right to amend or terminate the agreement if we materially breach its terms

  • The specific permitted uses and disclosures of PHI

  • Requirements for our sub-contractors

We don't charge extra for a BAA. If you're a Covered Entity or Business Associate and you need one, request it from our Trust Center.

What we can and cannot say about "HIPAA compliance"

HIPAA is not a certification. There is no government body that issues a "HIPAA certified" badge. Any vendor that claims to be "HIPAA certified" is either being imprecise with language or actively misleading.

What a reputable vendor can say is: we have implemented the technical, administrative, and physical safeguards required by the HIPAA Security Rule, and we will sign a BAA accepting our obligations under HIPAA as a Business Associate.

That's what we say. Our actual safeguards are audited as part of our SOC 2 Type II audit, and the HIPAA-specific controls are mapped in our Trust Center.

What this means for you

  • You can use 365agents to answer patient calls, schedule appointments, collect patient-reported information, and coordinate care without building your own HIPAA program from scratch

  • You can produce a signed BAA for your own compliance file

  • You can answer auditors' questions about your AI voice vendor with documented evidence

  • You can offer your patients a modern front door without creating new privacy risks

What you still have to do

A BAA from us doesn't take you off the hook for your own HIPAA obligations. You still need to:

  • Train your staff on what information can and cannot be shared

  • Configure your AI agent's instructions so it doesn't invite patients to share more than necessary

  • Restrict access to call recordings and transcripts to authorized team members only

  • Keep your own HIPAA policies up to date

  • Maintain your Notice of Privacy Practices and make sure patients know how their information will be used

We can help with the first two — our onboarding team has a HIPAA-specific configuration checklist for healthcare customers. Just let us know during onboarding.

Requesting a BAA

Visit our Trust Center at trust.365agents.com and request a BAA. Most BAAs are countersigned within two business days. If you're working against a procurement deadline, let us know and we can usually move faster.