FrontDesk AI | HIPAA Compliance
AI receptionists handle patient names, dates of birth, insurance information, and health concerns — all Protected Health Information under HIPAA. This guide gives you the specific questions to ask, the red flags to watch for, and a pre-deployment checklist you can use with any vendor.
Not every piece of software a medical practice uses is covered by HIPAA. The law applies specifically to systems that create, receive, maintain, or transmit Protected Health Information (PHI) — individually identifiable information related to a person's health condition, healthcare provision, or payment.
An AI receptionist sits squarely in HIPAA territory. When a patient calls and says "I need to book a follow-up for my glaucoma treatment" and provides their name and date of birth, that conversation contains PHI. When the AI writes intake information into your EHR, it is transmitting PHI. When call recordings are stored, they contain PHI.
This means the vendor providing your AI receptionist is a Business Associate under HIPAA — a third-party service provider that handles PHI on your behalf — and all the obligations that come with that designation apply.
Critical: If an AI vendor handles patient calls but refuses to sign a Business Associate Agreement (BAA), deploying their system in your practice creates a HIPAA violation — regardless of how good their product otherwise is. A BAA is not optional.
Business Associate Agreement (BAA): The foundational legal requirement. The vendor must sign a BAA defining their obligations for handling PHI, security requirements, breach notification procedures, and subcontractor oversight. Without this, you cannot legally use their system.
Encryption: All PHI must be encrypted both in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). Ask vendors to specify their encryption standards explicitly, including how encryption keys are managed and who holds them; vague answers are unacceptable.
Access controls and audit logs: Access to PHI must be limited to authorized personnel on a minimum-necessary basis. The vendor must maintain audit logs documenting who accessed what PHI and when, available for compliance review.
Breach notification: If PHI is compromised, the vendor must notify you within 60 days of discovery; that is the outer limit under the HIPAA Breach Notification Rule, not a target. Your BAA should specify the actual notification timeline (shorter windows are common), the information the vendor will provide, and their obligations for investigating and containing the breach.
Subcontractor compliance: AI systems rely on multiple underlying technologies: cloud hosting, speech recognition, NLP APIs, telephony. HIPAA requires Business Associates to ensure that their subcontractors are also HIPAA compliant, which in practice means a BAA with each subcontractor that touches PHI.
Data retention and disposal: The vendor must have documented policies for how long PHI is retained and how it is securely disposed of when retention periods end. Call recordings and transcripts containing PHI must be handled under these policies.
Don't rely on a vendor's website claiming "HIPAA compliant." Ask these specific questions and insist on specific answers.
Will you sign a BAA? Yes, without hesitation. A vendor who hedges or charges extra for a BAA is a red flag.
How is PHI encrypted in transit and at rest? Expect specific standards: TLS 1.2+ in transit, AES-256 at rest. Vague answers are unacceptable.
Where is PHI stored? PHI should be stored on US-based servers. International storage introduces complex compliance issues.
Which subcontractors touch PHI, and do you have BAAs with them? They should name subcontractors (AWS, Google Cloud, etc.) and confirm BAAs are in place with each.
How are call recordings and transcripts handled? Clear policies on storage duration, access controls, and disposal. Recordings must be encrypted.
What is your breach notification process? Notification within 60 days of discovery, with specific procedures for investigation and containment.
Do you keep audit logs of PHI access? Yes, with logs available for your review on request. This is a HIPAA requirement for Business Associates.
Can you provide independent security audit results? A SOC 2 Type II report or HIPAA-specific audit results give you independent verification of their claims.
Is our patients' call data used to train your AI models? Be cautious about AI models trained on your patients' call data without explicit consent frameworks.
What happens to our data when the contract ends? Clear data return and deletion procedures within a specific timeframe after contract termination.
What are your disaster recovery commitments? Recovery time and recovery point objectives (RTO and RPO) that protect PHI availability.
Is your staff trained on HIPAA? Documented HIPAA training for all staff who may interact with PHI, with refresher schedules.
These are non-negotiable deal-breakers. If you encounter any of the following, end the evaluation.
Refuses to sign a BAA or claims their system is "technically HIPAA compliant" without one. This is not how HIPAA works.
Vague encryption answers. "We use industry-standard encryption" without specifying protocols often means they don't know.
PHI stored outside the US without a clear legal framework for international data handling.
No documentation of subcontractor compliance — if they use third-party AI or cloud services and can't confirm HIPAA BAAs with those providers, you're exposed.
Training AI on your patient data without explicit data processing agreements and patient consent frameworks.
No SOC 2 report or equivalent audit and an inability to explain security posture in specific terms.
Charging extra for HIPAA compliance — HIPAA compliance is a baseline requirement, not an add-on feature.
HIPAA compliance is not solely the vendor's responsibility. Deploying an AI receptionist creates obligations for your practice as well.
Introducing a new vendor that handles PHI triggers an update to your risk analysis. Document the assessment and how identified risks are being mitigated.
Every covered entity must maintain a current list of Business Associates and the BAAs in place with each. Add your AI receptionist vendor when you sign the BAA.
Staff who interact with the AI system — configuring it, reviewing call logs, managing escalations — should receive training on what PHI the system handles and how to use it compliantly.
Configure your AI system to collect only the PHI that is actually necessary for its function. If the AI doesn't need a patient's full SSN to schedule an appointment, don't configure it to collect one.
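The minimum-necessary principle above, and the audit-log requirement from the vendor section, can both be enforced in code rather than left to a prompt. The following is an added example, not FrontDesk AI's code or an API this page describes; the call intents, field names, the permanent deny list and the audit-log format are assumptions chosen for illustration. It drops every field an intent is not allowed to collect, fails loudly if a permanently denied field such as an SSN ever appears, and writes an audit line that records who accessed which fields and when without putting the PHI values themselves into the log.

```python
"""Minimum-necessary intake filter with an access audit trail.

Added example, not FrontDesk AI code. The intents, field names, deny list
and audit-log format are assumptions made for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed allowlist: which fields each call intent is permitted to collect.
# No intent collects an SSN: scheduling and insurance checks do not need one.
ALLOWED_FIELDS = {
    "schedule_appointment": {"name", "date_of_birth", "callback_phone", "reason_for_visit"},
    "verify_insurance": {"name", "date_of_birth", "insurance_member_id"},
}

# Fields the receptionist must never collect, whatever the intent.
DENY_ALWAYS = {"ssn", "credit_card_number"}


class PolicyViolation(ValueError):
    """Raised when a record contains fields the intent may not collect."""


def minimize(intent: str, record: dict) -> dict:
    """Return only the fields the given intent is allowed to collect.

    A permanently denied field raises instead of being silently dropped, so a
    misconfigured prompt that starts asking for an SSN is caught before the
    value reaches the EHR.
    """
    if intent not in ALLOWED_FIELDS:
        raise PolicyViolation(f"unknown intent: {intent}")
    denied = DENY_ALWAYS & set(record)
    if denied:
        raise PolicyViolation(f"intent {intent!r} must never collect {sorted(denied)}")
    allowed = ALLOWED_FIELDS[intent]
    return {k: v for k, v in record.items() if k in allowed}


def patient_ref(name: str, dob: str) -> str:
    """Stable, non-reversible reference so an audit line can identify the
    record without carrying the patient's name or date of birth."""
    return hashlib.sha256(f"{name.lower()}|{dob}".encode()).hexdigest()[:16]


def audit_entry(actor: str, action: str, intent: str, fields: dict, now=None) -> str:
    """Build one JSON audit-log line: who, what, which fields, when.

    Only field names and a hashed patient reference are logged; the PHI
    values themselves are deliberately left out of the log."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({
        "ts": now.isoformat(),
        "actor": actor,
        "action": action,
        "intent": intent,
        "patient_ref": patient_ref(fields.get("name", ""), fields.get("date_of_birth", "")),
        "fields": sorted(fields),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: what a transcript extractor might hand back for one call.
    raw = {"name": "Jane Doe", "date_of_birth": "1980-04-12",
           "callback_phone": "555-0100", "reason_for_visit": "glaucoma follow-up",
           "insurance_member_id": "ABC123"}
    kept = minimize("schedule_appointment", raw)   # insurance_member_id is dropped
    print(audit_entry("ai-receptionist", "write_ehr", "schedule_appointment", kept))
```

The allowlist is the configuration artefact to review with the vendor: if a field is not in it, the system cannot write it to your EHR, which is a much stronger guarantee than a prompt instruction not to ask for it.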
HIPAA compliance isn't a one-time checkbox. Review your vendor's compliance posture annually and whenever there is a significant change to how they process your PHI.
Use this checklist before going live with any AI receptionist system. Work through it with your vendor and file it with your compliance documentation.
FrontDesk AI signs Business Associate Agreements with all practice partners as standard — before any patient call data is processed. All PHI is encrypted in transit and at rest, stored on US-based infrastructure, and subject to documented breach notification and data disposal procedures. We sign BAAs at no extra charge.
FrontDesk AI is fully HIPAA compliant, signs BAAs with every practice as standard, and has answered every compliance question on this page. Let us show you how easy it is to get started.