An AI phone receptionist that handles patient calls touches protected health information (PHI): the caller's name and phone number, appointment details, dates of service, and whatever the caller says about why they need care. That makes the vendor a HIPAA Business Associate, full stop. Before you turn on any AI answering service, you need a signed Business Associate Agreement (BAA) and documented safeguards. Here's what to look for, what the safeguards should cover, and the seven questions to ask every vendor before you go live.
Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate under HIPAA. Before that vendor processes a single patient call, your practice must have a signed BAA in place. The BAA isn't optional paperwork — it's the legal instrument that obligates the vendor to protect PHI, limit how it's used, and notify you of any breach. Without one, using an AI answering service puts your practice out of compliance regardless of how the vendor markets itself.
MedReceptionist signs a HIPAA BAA with every practice before go-live — included in the plan, not offered as a paid compliance add-on. The platform is designed around HIPAA's required administrative, physical, and technical safeguards, applies minimum-necessary data handling on every call, and is built and operated by AI Scan Solutions. Plans run $79–$449/month, and practices are typically live in about 24 hours.
HIPAA's Privacy, Security, and Breach Notification Rules apply any time PHI moves through a third-party system. Here's what that means for an AI receptionist specifically.
| HIPAA Requirement | What It Means for an AI Receptionist | Red Flag If… |
|---|---|---|
| Signed BAA | A written contract must be executed before any PHI is processed; required under 45 CFR §164.308(b) (Security Rule) and §164.502(e) (Privacy Rule) | Vendor offers a BAA as a paid upgrade, or declines to sign one at all |
| Encryption in Transit | Call audio, transcripts, and SMS must be encrypted while moving between systems: TLS 1.2 or later for signaling, messaging, and API traffic, SRTP for voice media where the vendor controls it. The leg of a call that crosses the public telephone network is outside the vendor's control and is not encrypted by them, so ask where their encryption begins | Vendor cannot confirm transport-layer encryption on voice and messaging paths |
| Encryption at Rest | Stored call records, transcripts, and PHI must be encrypted at rest (AES-256 is the usual standard) so they are unreadable without authorized access to the keys; ask who holds the keys | Vendor stores data in plaintext or cannot describe their storage security |
| Access Controls | Only authorized personnel and systems may view or modify PHI, enforced through role-based access and least privilege | PHI is broadly accessible within the vendor's organization with no role controls |
| Audit Logging | System logs record who accessed PHI and when, so access can be reviewed if a breach occurs; supports breach investigation and OCR audits | No access logs exist, or logs are not retained long enough to support a breach investigation |
| Minimum Necessary | The system collects and uses only the PHI needed to complete the appointment or message; it does not harvest excess patient data | System retains full call transcripts indefinitely with no data minimization policy |
| Breach Notification | Vendor must notify your practice of a breach without unreasonable delay and no later than 60 days after discovery (45 CFR §164.410); the BAA must state the deadline. Sixty days is the outer limit, not a target, and many BAAs require notice within a few days so the practice can meet its own duty to notify patients | Vendor's BAA omits or weakens breach notification timelines |
Labels like "HIPAA aware" and "HIPAA friendly" show up constantly in AI answering service marketing. Here's why they mean nothing under the law.
These phrases have no legal definition under HIPAA, and HHS does not certify or endorse any product as HIPAA compliant. A vendor can print any of them on its homepage without signing a BAA, without implementing documented safeguards, and without any third-party validation. The terms signal good intent at best, and deliberate ambiguity at worst. They do not satisfy your practice's compliance obligations under the Privacy or Security Rule. If a vendor will not commit to a signed BAA, these labels offer no protection.
A properly compliant AI answering service will: (1) execute a BAA before any patient data flows through the platform; (2) document the administrative, physical, and technical safeguards applied to PHI; (3) describe how subprocessors — the telephony carriers, cloud hosting, and AI inference layers underneath the product — are also covered under the BAA chain; (4) have a written breach notification process with a clear timeline; and (5) be able to answer specific, direct questions about encryption, access control, and data retention without deflecting to marketing copy.
Run this checklist before signing any AI phone answering contract. If a vendor cannot answer all seven directly, treat that as a compliance risk.
| # | Question to Ask the Vendor | Why It Matters |
|---|---|---|
| 1 | Will you sign a HIPAA BAA before the service goes live? Not as a paid add-on, but as a standard requirement. | Without a signed BAA, using the service is a compliance violation. Full stop. |
| 2 | Is PHI encrypted in transit and at rest? Ask for specifics: TLS 1.2 or later on signaling and messaging paths, SRTP for voice media where the vendor controls it, the storage encryption standard, and who holds the keys. | Unencrypted data in transit or at rest is a breach waiting to happen, and a direct Security Rule gap. |
| 3 | How is access to PHI controlled and logged? Role-based access; who can see call transcripts, when, and whether that access is recorded. | Access controls and audit controls are Security Rule requirements (45 CFR §164.312(a) and (b)). Broad internal access with no role controls also violates the minimum-necessary standard. |
| 4 | What is your breach notification process and timeline? The BAA should state a firm deadline; 60 days after discovery is HIPAA's outer limit, not a target. | A BAA that leaves breach notification timelines vague leaves your practice exposed. |
| 5 | Does the system apply minimum-necessary data handling? It should collect only what is needed to book or message, nothing more. | HIPAA requires limiting PHI to what is necessary for the intended purpose. |
| 6 | Where is PHI stored and how long is it retained? Data center jurisdiction; retention and deletion schedule, including what happens to the data when your contract ends. | Indefinite retention of full call transcripts increases your breach exposure surface. |
| 7 | How are your subprocessors (telephony, cloud hosting, AI inference) covered under PHI obligations? The BAA chain must extend to each layer that stores or processes patient data. | A business associate must have its own BAAs with subcontractors that handle PHI (45 CFR §164.502(e)(1)(ii)). HIPAA's conduit exception is narrow and covers only carriers that merely transmit data without storing it; a cloud host or AI provider that stores or processes call content does not qualify. |
It depends on the vendor, and note that HHS does not certify any product as "HIPAA compliant," so the phrase is a vendor's claim rather than a regulator's finding. An AI receptionist that handles protected health information (PHI) — such as patient names, appointment details, or dates of service — is a HIPAA Business Associate under the Privacy and Security Rules. To operate in compliance, the vendor must sign a Business Associate Agreement (BAA) with your practice, implement the required administrative, physical, and technical safeguards, and limit PHI use to the purpose of providing the service. MedReceptionist signs a BAA with every practice at no additional cost.
A Business Associate Agreement (BAA) is a written contract required by HIPAA whenever a covered entity (your practice) shares PHI with a vendor that handles it on your behalf. Without a signed BAA, using an AI phone answering service that touches patient data puts your practice out of compliance — regardless of how the vendor markets itself. The BAA legally obligates the vendor to protect PHI, report breaches, and use the information only for the agreed service. Always obtain a signed BAA before going live.
Standard HIPAA technical safeguards for AI phone answering include: encryption of data in transit (TLS 1.2 or later for signaling, messaging, and API traffic, and SRTP for voice media where the vendor controls it) so call content and any transcribed text cannot be intercepted; encryption of data at rest so stored call records and PHI are unreadable without authorized access to the keys; access controls so only authorized personnel and systems can view PHI; and audit logging so the system records who accessed what data and when. Two caveats a practitioner should keep in mind. First, the Security Rule lists encryption as an "addressable" specification (45 CFR §164.312(a)(2)(iv) and (e)(2)(ii)), so a vendor that does not encrypt must document an equivalent alternative; in practice, treat encryption as mandatory and ask for the specifics. Second, the leg of a call that crosses the public telephone network, and any SMS carried over carrier networks, is outside the vendor's encryption; their controls apply from the point where the call or message enters their systems, which is one more reason appointment texts should carry only the minimum needed. A well-designed system applies the minimum-necessary standard throughout, collecting only the PHI required to complete the booking or message, and no more.
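Here is what minimum-necessary handling, audit logging, and a retention check look like in code. This is an added example for illustration, not MedReceptionist's code; the field names, the call-record layout, the sample call, and the 30-day retention window are all assumptions. The booking record is built from an explicit allowlist so nothing the caller said beyond what booking needs is stored, audit entries reference records by identifier rather than copying PHI into the log, and the retention check flags records older than the policy window.

```python
"""Minimum-necessary handling, audit logging and retention enforcement for an
AI receptionist's call records.

Added example for illustration only; this is not MedReceptionist code. The
field names, the call-record layout, the sample call and the 30-day
retention window are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Deny by default: only these fields are needed to book an appointment.
# Anything else the caller said is never copied into the booking record.
BOOKING_ALLOWLIST = frozenset({
    "record_id", "patient_name", "callback_phone",
    "requested_slot", "appointment_type",
})

# Constructed sample of what a call pipeline might hand to the booking step.
SAMPLE_CALL = {
    "record_id": "call-0001",
    "patient_name": "Jane Example",
    "callback_phone": "+15555550100",
    "requested_slot": "2024-06-03T09:30",
    "appointment_type": "follow-up",
    "date_of_birth": "1980-01-01",                           # not needed to book
    "insurance_member_id": "XYZ123456789",                   # not needed to book
    "symptoms_described": "chest tightness after exercise",  # not needed to book
    "transcript": "Hi, this is Jane Example calling about a follow-up...",
    "created_at": "2024-05-20T14:02:00+00:00",
}


def minimize_for_booking(call: dict) -> dict:
    """Keep only allowlisted fields; fail closed if a required field is absent."""
    missing = BOOKING_ALLOWLIST - call.keys()
    if missing:
        raise ValueError(f"cannot book: missing {sorted(missing)}")
    return {name: call[name] for name in BOOKING_ALLOWLIST}


@dataclass(frozen=True)
class AuditEntry:
    when: str       # ISO 8601 timestamp of the access
    actor: str      # user or service identity that touched the record
    action: str     # what was done (create_booking, view_transcript, ...)
    record_id: str  # identifier only, so the log never becomes a second PHI store


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, record_id: str, when_iso: str) -> AuditEntry:
        entry = AuditEntry(when_iso, actor, action, record_id)
        self.entries.append(entry)
        return entry

    def accesses_to(self, record_id: str) -> list:
        """Everything that touched one record: the question asked after a breach."""
        return [e for e in self.entries if e.record_id == record_id]


def expired_records(records: list, now_iso: str, retention_days: int) -> list:
    """IDs of records whose created_at is older than the retention window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r["record_id"] for r in records
            if datetime.fromisoformat(r["created_at"]) < cutoff]


def handle_call(call: dict, log: AuditLog, actor: str, when_iso: str) -> dict:
    """Book from a call: minimize first, then log the access by record id."""
    booking = minimize_for_booking(call)
    log.record(actor, "create_booking", call["record_id"], when_iso)
    return booking


if __name__ == "__main__":
    log = AuditLog()
    booking = handle_call(SAMPLE_CALL, log, "scheduler-service", "2024-05-20T14:05:00+00:00")
    print(sorted(booking))                      # allowlisted fields only
    print(log.accesses_to("call-0001"))         # who touched the record, and when
    print(expired_records([SAMPLE_CALL], "2024-07-01T00:00:00+00:00", 30))
```

The allowlist is the control: a new field added upstream (say, a model that starts extracting insurance numbers) is dropped by default instead of silently persisted. The audit entry deliberately carries no PHI, so reviewing the log does not itself widen exposure, and the retention check is the piece that turns a written deletion schedule into something that actually runs.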
Many vendors claim to be “HIPAA aware” or “HIPAA friendly” without committing to a signed BAA or documented safeguards. These terms have no legal meaning under HIPAA. True compliance requires a signed BAA, documented policies and procedures, technical safeguards for PHI, staff training, and a breach notification process. If a vendor will not provide a signed BAA, they are not an appropriate Business Associate for a covered healthcare practice — regardless of their marketing language.
Yes. MedReceptionist signs a HIPAA Business Associate Agreement with every practice at no additional cost. The BAA is included as part of onboarding, not offered as a paid add-on. MedReceptionist is built and operated by AI Scan Solutions and is designed around HIPAA’s required administrative, physical, and technical safeguards.
Seven questions every practice should ask: (1) Will you sign a HIPAA BAA before go-live? (2) Is PHI encrypted in transit and at rest? (3) How is access to PHI controlled and logged? (4) What is your breach notification process and timeline? (5) Does the system apply minimum-necessary data handling — collecting only what is needed for the appointment? (6) Where is PHI stored, and how long is it retained? (7) How do your subprocessors (telephony, cloud infrastructure) handle PHI, and are they covered under a BAA chain? A vendor that cannot answer all seven confidently is a compliance risk.
20-minute demo. We configure it for your specialty and call your practice number live.