AI phone systems are transforming healthcare front offices. But before you deploy one, you need to know: is it actually HIPAA compliant?
Many AI voice platforms market themselves to healthcare without meeting basic compliance requirements. Some don't sign BAAs. Others store call recordings on non-compliant infrastructure. A few process PHI through third-party models with no data agreements in place.
This guide is the checklist we wish existed when we built MedReceptionist. Use it to evaluate any AI phone system for your practice.
The 10-point HIPAA compliance checklist
1. Business Associate Agreement (BAA)
The most fundamental requirement. Any vendor that handles Protected Health Information (PHI) on behalf of a covered entity must sign a BAA before any data is processed.
- ✓ Vendor provides a signed BAA as part of the onboarding process
- ✓ Vendor has its own BAAs with every subcontractor that touches PHI (cloud hosting, AI model providers, telephony); HIPAA requires this flow-down, and your BAA should name those subprocessors
- ! RED FLAG: Vendor says "we're HIPAA compliant" but won't sign a BAA
2. Data encryption
All PHI must be encrypted both at rest (stored data) and in transit (data moving between systems). HIPAA does not name a cipher: the Security Rule treats encryption as an addressable specification and HHS guidance defers to NIST, so the practical bar is AES-256 at rest and TLS 1.2 or later in transit, with keys managed outside the application (a KMS, with rotation) rather than alongside the data.
- ✓ AES-256 encryption at rest for all stored data (call recordings, transcripts, patient info)
- ✓ TLS 1.2+ encryption in transit for all API calls and data transfers
- ! RED FLAG: Recordings stored unencrypted, or encryption keys kept on the same storage as the data they protect
3. Access controls
Only authorized users should be able to access patient data. The system needs role-based access controls (RBAC) and audit logging.
- ✓ Role-based access (admin, provider, staff, read-only) with a unique login per person; shared accounts defeat the audit trail
- ✓ Multi-factor authentication (MFA) for dashboard access
- ✓ Complete audit trail of who accessed what data and when
4. Data retention and deletion
HIPAA sets no fixed retention period for PHI itself (state law and medical-record rules do), but the Security Rule requires documented procedures for disposing of ePHI and the media it lives on. Keep what you need for as long as you need it, and be able to show it was destroyed afterwards.
- ✓ Configurable data retention policies (30, 60, 90, 365 days)
- ✓ Secure deletion (data is cryptographically erased, not just marked as deleted)
- ✓ Patient data can be exported on request (the HIPAA right of access) and deleted when your policy, a state privacy law, or your contract requires it; HIPAA itself grants no right to erasure, so check what the vendor promises against what you actually owe
5. Call recording handling
If the AI system records calls (and most do, for quality assurance), those recordings, and any transcripts or summaries derived from them, contain PHI and must be treated accordingly.
- ✓ Recordings encrypted at rest with AES-256
- ✓ Recordings stored on HIPAA-compliant infrastructure (BAA-covered cloud)
- ✓ Auto-deletion after configurable retention period
- ! RED FLAG: Recordings accessible via public URLs or stored without encryption
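Items 4 and 5 together describe one concrete mechanism: a key per recording, a retention clock, and a delete that actually removes the ability to read the data rather than flipping a flag. The Go program below is an added illustration of that design and is not MedReceptionist's code; the store layout, function names and the 30-day policy are assumptions, and the KEK is a constructed demo value standing in for a key that a real deployment would keep in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Illustrative recording store, not MedReceptionist's code. Each recording has its own
// AES-256-GCM data-encryption key (DEK), wrapped under a key-encryption key (KEK) that
// production would keep in a KMS/HSM. Erasing the wrapped DEK is the secure deletion.

var ErrErased = errors.New("recording cryptographically erased")
type (
	Recording struct {
		CreatedAt  time.Time
		WrappedDEK []byte // nonce || AES-GCM(KEK, DEK); nil once erased
		Ciphertext []byte // nonce || AES-GCM(DEK, audio); may linger in backups, unreadable without DEK
	}
	Store struct {
		kek       []byte        // 32-byte KEK, assumed to be KMS-managed in production
		retention time.Duration // configurable retention period, e.g. 30 days
		items     map[string]*Recording
	}
)

// must panics on errors that only a wrong key length or a failed CSPRNG can cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal encrypts under key with a fresh random nonce and prefixes the nonce.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check also catches a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func (s *Store) Put(id string, audio []byte, now time.Time) {
	dek := make([]byte, 32) // fresh per-recording AES-256 DEK
	must(rand.Read(dek))
	s.items[id] = &Recording{CreatedAt: now, WrappedDEK: seal(s.kek, dek), Ciphertext: seal(dek, audio)}
}

// Get unwraps the DEK and decrypts; unknown and erased IDs are equally unreadable.
func (s *Store) Get(id string) ([]byte, error) {
	r, ok := s.items[id]
	if !ok || r.WrappedDEK == nil {
		return nil, ErrErased
	}
	dek, err := open(s.kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Erase is deletion on request: drop the wrapped DEK, keep the record for the audit trail.
func (s *Store) Erase(id string) {
	if r, ok := s.items[id]; ok {
		r.WrappedDEK = nil
	}
}

// Sweep enforces the retention policy and returns the IDs it erased.
func (s *Store) Sweep(now time.Time) []string {
	var erased []string
	for id, r := range s.items {
		if r.WrappedDEK != nil && now.Sub(r.CreatedAt) >= s.retention {
			s.Erase(id)
			erased = append(erased, id)
		}
	}
	return erased
}

func main() {
	s := &Store{kek: []byte("constructed-demo-kek-32-bytes!!!"), retention: 30 * 24 * time.Hour, items: map[string]*Recording{}}
	s.Put("call-1", []byte("constructed audio bytes"), time.Now().Add(-31*24*time.Hour))
	fmt.Println("erased by retention sweep:", s.Sweep(time.Now())) // demo KEK is constructed; never hard-code a real one
}
```

The property to verify with a vendor is the one Erase and Sweep make visible: once the retention period passes, or a deletion request comes in, the wrapped key is gone, so every copy of the ciphertext in snapshots and backups becomes unreadable without anyone having to locate and scrub it. Ask where the KEK lives, who is able to unwrap with it, and whether backups of the key store follow the same retention as the recordings; if old wrapped keys survive in a backup, the erasure is not complete.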
6. AI model data handling
This is where many AI phone systems fail. If a model processes patient conversations, that data must not be used to train or fine-tune models unless the BAA explicitly permits it; a business associate may only use PHI for the purposes the BAA allows.
Critical questions to ask any vendor: Does patient conversation data get sent to a third-party AI model? If so, does that model provider have a BAA in place? Is the data used for model training? Does the provider retain prompts or transcripts on its side, for example for abuse monitoring, and can that retention be switched off?
- ✓ AI model provider has a signed BAA that covers the specific endpoint in use (e.g., Google Cloud or Azure OpenAI enterprise offerings, not a consumer API key)
- ✓ Patient data is NOT used for model training
- ✓ Data is processed only in the regions and services the BAA covers; HIPAA itself imposes no data-residency rule, so if you want US-only processing, put it in the contract and verify it
7. Telephony infrastructure
The phone system itself (SIP trunking, call routing, number provisioning) must also be HIPAA compliant.
- ✓ Telephony provider has a signed BAA (e.g., Twilio HIPAA-eligible)
- ✓ Call audio encrypted on every leg the vendor controls (SRTP for media, TLS for SIP signaling); the PSTN leg to the caller's carrier is encrypted by nobody, which is one more reason the handling of recordings at rest matters
- ✓ No third-party call analytics that access PHI without BAA
8. Breach notification procedures
HIPAA requires covered entities and their business associates to have breach notification procedures in place.
- ✓ Vendor has a documented incident response plan
- ✓ Breach notification to you without unreasonable delay and no later than 60 days after discovery (the HIPAA outer limit for a business associate); negotiate a shorter window in the BAA, because your own 60-day clock for notifying patients and HHS may already be running
- ✓ Regular security assessments and penetration testing
9. SOC 2 compliance
While not required by HIPAA, a SOC 2 Type II report is the industry standard for demonstrating security controls. It is an auditor's attestation, not a certification: the report describes the controls the vendor chose and how they operated over the audit period, so read the scope and the exceptions rather than treating the badge as a pass.
- ✓ Current SOC 2 Type II report (covering at least the Security, Availability and Confidentiality criteria) with the service you are buying in scope
- ✓ Audit report available upon request under NDA
10. Staff training and policies
The vendor's own employees who have access to your data must be trained on HIPAA requirements.
- ✓ Annual HIPAA training for all vendor employees
- ✓ Background checks for employees with PHI access
- ✓ Written information security policies and procedures
How MedReceptionist handles compliance
Every item on this checklist is something we address at MedReceptionist:
- BAA signed before onboarding — no data is processed until the BAA is in place
- AES-256 encryption at rest and TLS 1.3 in transit
- Google Cloud with BAA — all infrastructure runs on HIPAA-eligible GCP services
- Zero model training on patient data — conversations are processed but never used to train AI models
- SOC 2 Type II audited annually
- Configurable data retention with secure deletion
- HIPAA-eligible Twilio for all telephony
We built MedReceptionist for healthcare from day one — not as an afterthought bolt-on to a general-purpose AI platform.
Questions about compliance?
Our team will walk you through our security architecture and provide BAA documentation during your demo.
Questions to ask any AI phone vendor
Before signing with any AI receptionist service, ask these questions:
- Will you sign a BAA before we start?
- Where is patient data stored, and is the infrastructure BAA-covered?
- Is patient conversation data used to train your AI models?
- Do you have a current SOC 2 Type II report, and will you share it under NDA?
- How are call recordings encrypted and stored?
- What is your breach notification timeline?
- Can we configure data retention and deletion policies?
- Who at your company has access to our patient data?
If a vendor can't answer these questions clearly, or pushes back on signing a BAA, walk away. A breach involving a vendor with no BAA in place exposes you directly: HIPAA civil penalties are tiered by culpability, with a statutory cap of $1.5 million per violation category per calendar year (higher after inflation adjustments), and the missing BAA is itself a violation.