If you run a medical practice and you are shopping for a voice AI, the phrase "HIPAA-compliant AI receptionist" should make you slow down, not speed up. Most vendors will say they are compliant. Very few will sign a real Business Associate Agreement, publish a sub-processor list, or commit to a breach notification SLA in writing. The gap between marketing language and contractual reality is where practices get exposed.

This guide is a due-diligence checklist for the buyer side of the table. The 12 controls, 6 vendor questions, and red flags below are what we get asked about when med spas, plastic surgeons, and dermatology groups evaluate AI voice. Use it before the demo, not after the contract.

What "HIPAA-compliant AI receptionist" actually means (and what it doesn't)

HIPAA is a federal framework that governs how Protected Health Information (PHI) is created, stored, transmitted, and disclosed by covered entities and their business associates. A one-sentence framing is enough here: if a vendor touches PHI on your behalf, they are a business associate, and you need a signed BAA on file before any PHI moves.

The market splits AI voice vendors into two practical buckets, and the distinction matters more than most sales pages admit.

HIPAA-aware means the system is intentionally configured to avoid capturing PHI in the first place. The intake flow is scoped to non-clinical questions (name, callback number, service interest, appointment intent), and the agent does not ask for, store, or transcribe diagnoses, medications, or treatment history. No BAA is required because no PHI is in scope. This is appropriate for general inquiry, top-of-funnel booking, and front-desk overflow at aesthetic practices.

HIPAA-compliant means the vendor has signed a BAA, implements the HIPAA Security Rule's administrative, physical, and technical safeguards end-to-end, maintains audit logs, encrypts PHI at rest and in transit, and can document their controls. This is what you need if PHI will actually move through the system (clinical intake, refill requests, anything past the front door).

A surprising number of "HIPAA-compliant" vendor pages turn out to mean "HIPAA-aware." That is not necessarily wrong, but it is not the same thing, and you should know which one you are buying.

This guide is editorial buyer guidance, not legal advice. Consult your compliance officer or HIPAA counsel before signing a BAA.

The Business Associate Agreement (BAA): non-negotiables for AI voice vendors

The BAA is the contract that puts a vendor on the hook for HIPAA. Per HHS guidance, a covered entity that allows a business associate to create, receive, maintain, or transmit PHI without a signed BAA is itself out of compliance. The BAA is not a formality. It is the document the Office for Civil Rights (OCR) will ask for first if something goes wrong.

What a real BAA from an AI voice vendor should include:

Named parties and scope of PHI. The agreement should identify exactly what categories of PHI the vendor handles (call audio, transcripts, caller identifiers, intake notes).
Permitted uses and disclosures. No "for any business purpose" language. PHI use should be limited to delivering the service.
Sub-processor flow-down. Any sub-processor that touches PHI (LLM provider, transcription vendor, storage, telephony carrier) must also be bound by a BAA.
Breach notification. A specific SLA, not "as required by law." Best practice is under 60 days from discovery, with faster internal escalation.
Termination and return of data. A clear timeline for deletion or return of PHI when the contract ends.
Indemnification posture. Whether the vendor accepts liability for their own breaches.

If a vendor will only sign a "Data Processing Addendum" or a generic privacy rider and refuses to issue a BAA, they are telling you something important about how seriously they treat PHI. That answer alone usually settles the evaluation.

12 technical controls to verify before signing

Marketing language is cheap. Controls are not. The HIPAA Security Rule (45 CFR Part 164) lays out the administrative, physical, and technical safeguards required of business associates, and NIST 800-66 Rev. 2 provides the implementation guidance most auditors lean on. The 12 controls below are the operational subset that matters for an AI voice system specifically. Ask the vendor to confirm each one in writing.

Encryption at rest. AES-256 on every store that holds audio, transcripts, or caller records.
Encryption in transit. TLS 1.2 minimum (1.3 preferred) on every API hop, including telephony media and LLM calls.
Audit logs of access. Tamper-evident logs of every read, export, and admin action against PHI, retained for at least six years per HIPAA documentation rules.
PHI redaction at source. Automated redaction of sensitive fields from transcripts and recordings before they are stored or used for training.
Role-based access control. No flat admin tier. Roles scoped to least privilege, with separation between support, engineering, and customer admin.
Voice and transcript retention policy. A documented retention window with the option to shorten it. Indefinite retention is a red flag.
Breach notification SLA under 60 days. Faster is better. The federal floor is 60 days from discovery for breaches affecting 500+ individuals.
Recording storage region and sub-processor disclosure. You should know which country and which cloud region (and which sub-processor) hold your call data.
Publicly available sub-processor list. Linked from the vendor's trust or security page, updated when sub-processors change.
Vulnerability disclosure program. A documented channel for researchers to report security issues, with a stated response window.
MFA on admin accounts. Required, not optional. SSO and SCIM are bonus points.
Data export and deletion timeline on cancellation. A specific number of days, not "upon request." 30 days for export, 60 days for confirmed deletion is a reasonable benchmark.

HITRUST CSF certification is a useful proxy for "this vendor has been through a real audit," but it is not a substitute for the controls above. Ask for both.

How AI receptionists handle PHI differently from human answering services

A traditional HIPAA-compliant answering service or HIPAA-compliant call center sits operators inside a controlled facility. Calls are recorded into a vetted platform, operators are trained on PHI handling, and the BAA covers the people and the building. The risk surface is mostly human.

An AI receptionist (or any HIPAA-compliant virtual receptionist that runs on voice AI) has a fundamentally different shape. The call audio gets transcribed by a speech-to-text model, passed to a language model to interpret intent, and possibly written into a CRM or scheduling system. Every one of those hops is a potential PHI exposure, and every vendor in the chain becomes a sub-processor that needs a flow-down BAA.

That is why the sub-processor list matters so much more for AI voice than it does for a traditional HIPAA-compliant phone service. A practice can have a clean BAA with the primary vendor and still be exposed if the underlying LLM provider is not bound by one. If you want a deeper teardown of how AI agents differ from human services on availability, cost, and PHI surface area, our comparison on AI receptionist vs virtual receptionist cost walks through the trade-offs in plain numbers.

Common vendor red flags

After several hundred conversations with practice owners and vendors, the same red flags keep showing up. Any one of these should slow the deal down.

"We are HIPAA-compliant" with no BAA on the website and no security page. If the controls are real, the documentation exists.
BAA only available after contract signature. Reverse that. You sign the BAA before PHI ever moves.
No published sub-processor list. This is now table stakes. SOC 2 auditors expect it.
Indefinite or unspecified recording retention. Translates to "we keep your call data until we feel like deleting it."
Training on customer data without an opt-out. Your call audio should not become training corpus for someone else's model.
Per-minute pricing without a documented PHI handling policy. Pricing model is unrelated to compliance, but vendors selling on price often skip the security investment.
Breach notification "as required by law" instead of an SLA. The law is the floor, not the ceiling.
No incident response plan they will share. Even a one-page IR summary tells you whether the program exists.

The OCR breach portal is public. It is worth a quick scan to see whether a vendor or their parent company has appeared on it.

Vertical scenarios: med spa, plastic surgery, dermatology

Med spa. Most inbound calls are general inquiry (pricing, availability, treatment overview). A HIPAA-aware configuration that explicitly avoids PHI during intake is usually sufficient, paired with a BAA for any clinical follow-up. The risk is letting a chatty caller volunteer medical history into a transcript that was not scoped to handle it.

Plastic surgery. Higher PHI surface area. Pre-op and post-op calls routinely touch medications, prior procedures, and clinical questions. Compliance posture has to be full HIPAA-compliant, with a signed BAA, audit logs, and a strict retention policy. Volume is lower per practice but each call carries more PHI weight.

Dermatology. The hybrid case. Cosmetic dermatology behaves like a med spa. Medical dermatology behaves like a clinic, with prescription refills, biopsy follow-ups, and insurance verification all touching PHI. Practices in this category usually need separate intake flows for cosmetic and medical lines, with the medical line on a stricter compliance footing.

Pricing reality: why HIPAA-compliant AI costs more than consumer voice AI

The going rate for consumer-grade voice AI is dropping every quarter. HIPAA-compliant AI is not. The reason is structural: a BAA-bound stack requires HIPAA-eligible cloud infrastructure, audited sub-processors, separate model deployments that exclude customer data from training, encrypted storage with longer retention requirements, and a security program that can survive an audit. Each of those line items adds real cost.

For context on what "fair" looks like, our breakdown on how to evaluate an AI receptionist covers the pricing models in the market and where compliance overhead actually shows up on the invoice. Practices comparing legacy phone trees to modern voice agents should also read auto attendant vs AI receptionist in 2026 for a fair side-by-side.

AutoMeit's plans run $297 to $697 per month, flat, with no per-minute billing, month-to-month, and a two-week setup. Our voice agent, Aria, is designed to operate in HIPAA-adjacent environments. The intake flow is configured to avoid capturing PHI during general inquiry calls, which is the right posture for med spa front-of-funnel volume. You can review the tiers on the pricing page or look at the full feature set on the services page.

The 6 questions to ask every vendor before a demo

Save the demo for vendors who clear these. If a sales rep cannot answer all six on the first call, that is the answer.

Will you sign a BAA? Yes or no. If yes, can you send the template now?
Where are call recordings and transcripts stored geographically? Country, cloud region, primary sub-processor.
Who at your company can access PHI, and under what audit? Role list, access controls, log retention.
What is your breach notification SLA? Specific number of days, not "as required by law."
Can I see your sub-processor list? Public link, last updated date.
On cancellation, what is the deletion timeline for my data? Days to export, days to confirmed deletion.

If a vendor clears those six questions, sign the BAA, run a pilot on a non-clinical line, and watch the audit logs. If they cannot, keep shopping.

Want to see how Aria handles a real call, with the PHI guardrails turned on? Book a 20-minute walkthrough and we will run a live call against your intake script, share our BAA template, and answer all six questions above on the same call.