RingDispatch

What Makes an AI Phone Receptionist HIPAA-Compliant?

6 min read
Tags: HIPAA, compliance, AI receptionist, dental, medical

If you run a dental practice, medical clinic, therapy office, chiropractic or mental health practice, or any other business that handles Protected Health Information (PHI), choosing an AI receptionist is a different conversation. 'HIPAA-compliant' isn't a marketing badge — it's a four-part technical and legal checklist that vendors either meet or don't. This post walks through what each part actually means and how to verify it before signup.

Quick refresher: what counts as PHI on a phone call?

Protected Health Information is any 'individually identifiable health information' — so a name combined with any health detail qualifies. On an AI receptionist call, PHI usually shows up as:

  • Caller names tied to appointment types ('John Smith for his dental cleaning')
  • Symptoms ('I've had jaw pain for three days')
  • Treatment requests ('I need a refill on my Wellbutrin')
  • Insurance details (member ID, plan name) tied to a patient name
  • Anything in the transcript that links a person to a health condition, even by inference

If your AI receptionist is collecting any of that — and for booking purposes it usually is — you need HIPAA compliance from the vendor. Period.

The four pillars of HIPAA-compliant AI phone answering

1. Business Associate Agreement (BAA)

Under HIPAA, any third party that handles PHI on your behalf is a 'Business Associate' and must sign a Business Associate Agreement (BAA) with you. The BAA is a contract that holds the vendor to the same safeguards you're held to, with specific clauses about breach notification, subcontractors, and data destruction.

Without a signed BAA, you cannot legally share PHI with the vendor. Most consumer AI services don't sign BAAs at all (Google Workspace requires you to buy the BAA-eligible plan; ChatGPT doesn't sign them on consumer plans, etc.). For AI receptionists, the BAA is usually offered on the HIPAA-mode upgrade — typically $99-$249/month extra.

2. Retention windows

HIPAA requires you to retain records for at least 6 years from the date of creation or the date when last in effect, whichever is later. That clock applies to the transcript of every PHI-containing call.

Standard AI receptionist retention is 90 days. For HIPAA, you need 6 years. Vendors offer this through a HIPAA tier; verify before signing up that the retention bump is included, not an additional add-on.

3. Recording consent

Under HIPAA AND under state two-party-consent recording laws (California, Florida, Massachusetts, etc.), the caller must explicitly consent to having their call recorded — and you must log that they did.

What this means in practice for an AI receptionist:

  • The AI must disclose at the start of every call: 'this call may be recorded for quality and recordkeeping.'
  • The AI must capture an affirmative 'yes' before retaining the transcript.
  • If the caller declines, the transcript should be redacted or discarded (the AI can still take the booking — it just can't retain the audio + transcript).
  • The consent decision per call must be auditable from your dashboard, with timestamp.

Vendors that record everything by default without explicit consent are not HIPAA-compliant for healthcare use — even if they offer a 'HIPAA tier.' Verify by asking to see a sample HIPAA-mode call disclosure script.
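The consent gate and the retention clock from pillars 2 and 3, as an added example (constructed here, not RingDispatch's code): only an explicit affirmative keeps the audio and transcript, a declined call keeps just the booking fields, the decision is logged with a timestamp and no PHI, and the retention deadline is 6 years from creation or last-in-effect, whichever is later. The phrase list and record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed affirmative set; anything else (silence, "hmm", "what?") is NOT consent.
AFFIRMATIVE = {"yes", "yeah", "yep", "sure", "ok", "okay", "that's fine", "go ahead"}
RETENTION_YEARS = 6  # the HIPAA retention window described in the post

@dataclass
class CallRecord:
    call_id: str
    created_at: datetime
    booking: dict                     # the fields needed to book the appointment
    transcript: Optional[str]         # None once redacted
    audio_ref: Optional[str]          # storage pointer; None once discarded
    consent: bool
    consent_logged_at: datetime
    retain_until: Optional[datetime]

def caller_consented(reply: str) -> bool:
    """True only for an explicit affirmative; the default is no consent."""
    return reply.strip().lower().rstrip(".!") in AFFIRMATIVE

def retention_deadline(created: datetime, last_in_effect: datetime) -> datetime:
    """6 years from creation or last-in-effect date, whichever is later."""
    start = max(created, last_in_effect)
    try:
        return start.replace(year=start.year + RETENTION_YEARS)
    except ValueError:  # Feb 29 with no leap day in the target year
        return start.replace(year=start.year + RETENTION_YEARS, day=28)

def finalize_call(call_id, created_at, booking, transcript, audio_ref,
                  consent_reply, now=None) -> CallRecord:
    """Apply the consent decision: keep everything, or keep only the booking."""
    now = now or datetime.now(timezone.utc)
    if caller_consented(consent_reply):
        return CallRecord(call_id, created_at, booking, transcript, audio_ref,
                          True, now, retention_deadline(created_at, now))
    # Declined: the booking survives, the audio and transcript do not.
    return CallRecord(call_id, created_at, booking, None, None, False, now, None)

def audit_line(rec: CallRecord) -> str:
    """One auditable line per call: decision plus timestamp, no PHI."""
    decision = "yes" if rec.consent else "no"
    return f"{rec.consent_logged_at.isoformat()} call={rec.call_id} consent={decision}"
```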

4. Access controls + audit logs

HIPAA requires that only authorized people inside your practice can access PHI, and that every access is logged. For an AI receptionist that means:

  • Role-based access in the dashboard — your front desk sees scheduling info; only the office manager and providers see transcripts.
  • Audit log of who read which transcript and when. Required for breach investigation.
  • Encryption at rest (the database storing transcripts) and in transit (HTTPS between you and the vendor).
  • Multi-factor authentication for owner / admin accounts (table stakes by 2026; verify if not offered).
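Role-based transcript access with an audit trail, as an added example (constructed here, not RingDispatch's dashboard code): front desk can read scheduling but not transcripts, every read attempt is logged with reader identity and timestamp, and denied attempts are logged as well because they are what a breach investigation needs. Role names and the in-memory store are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List

class Role(Enum):
    FRONT_DESK = "front_desk"
    OFFICE_MANAGER = "office_manager"
    PROVIDER = "provider"

# Constructed permission matrix: scheduling is visible to all staff, transcripts are not.
PERMISSIONS = {
    "read_schedule": {Role.FRONT_DESK, Role.OFFICE_MANAGER, Role.PROVIDER},
    "read_transcript": {Role.OFFICE_MANAGER, Role.PROVIDER},
}

@dataclass
class AuditEntry:
    when: datetime
    user: str
    action: str
    call_id: str
    allowed: bool

@dataclass
class CallStore:
    transcripts: Dict[str, str]
    schedule: Dict[str, str]
    audit: List[AuditEntry] = field(default_factory=list)

    def _check(self, user: str, role: Role, action: str, call_id: str, now=None):
        allowed = role in PERMISSIONS.get(action, set())
        # Log before deciding, so denied attempts are on record too.
        self.audit.append(AuditEntry(now or datetime.now(timezone.utc), user, action, call_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role.value}) may not {action} on {call_id}")

    def read_schedule(self, user: str, role: Role, call_id: str, now=None) -> str:
        self._check(user, role, "read_schedule", call_id, now)
        return self.schedule[call_id]

    def read_transcript(self, user: str, role: Role, call_id: str, now=None) -> str:
        self._check(user, role, "read_transcript", call_id, now)
        return self.transcripts[call_id]

    def reads_of(self, call_id: str):
        """Who read (or tried to read) this transcript, and when."""
        return [(e.when, e.user, e.allowed) for e in self.audit
                if e.call_id == call_id and e.action == "read_transcript"]
```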

What HIPAA-mode is NOT

Worth dispelling some marketing-page myths:

It's not just 'encrypted'

Encryption is necessary but not sufficient. The four pillars above are the actual compliance bar. A vendor that says 'we're HIPAA-compliant because we use TLS' doesn't understand HIPAA.

It's not 'we don't see your data'

HIPAA is about how PHI is handled, not about whether the vendor 'sees' it. The vendor IS a Business Associate by definition — they're processing PHI on your behalf. The compliance question is whether they handle it correctly, not whether they touch it.

It's not the same across vendors

Some vendors offer HIPAA-mode but don't sign BAAs for subcontractors (so your data flows through non-BAA-bound Anthropic, ElevenLabs, etc.). Others sign BAAs through the entire stack. Ask specifically.

Practice areas that DEFINITELY need HIPAA-mode

  • Dental (general, pediatric, orthodontics, oral surgery)
  • Medical (family medicine, internal medicine, specialty, urgent care)
  • Mental health (therapy, psychiatry, counseling, addiction recovery)
  • Chiropractic, physical therapy, occupational therapy
  • Vision (optometry, ophthalmology) when scheduling exams
  • Alternative medicine that takes insurance (acupuncture, massage therapy in some states)
  • Veterinary if you receive pet-owner health info through HSA/FSA accounts

Practice areas that probably don't (but check)

  • Cosmetic-only dental (whitening, veneers) without insurance
  • Med spa services that aren't medically necessary
  • Personal training, yoga studios (general fitness, not therapy)
  • Massage therapy in single-party-consent states without insurance

When in doubt, ask your malpractice carrier. They have HIPAA-experienced compliance officers and will give you a free read on whether your practice is in scope.

How RingDispatch handles HIPAA

RingDispatch's HIPAA add-on is $149/month on any tier. It includes:

  • Signed BAA with you. Sub-processor BAA flow-through with Anthropic, ElevenLabs, and Twilio is executed at HIPAA-tier signup, contingent on each vendor's current BAA-eligibility on the plans we operate under — we confirm the active sub-processor BAA chain to you in writing before any PHI is processed.
  • 6-year transcript retention (configurable longer if your state requires it)
  • Explicit per-call recording consent, with the AI asking for confirmation and logging the decision
  • Audit log of every transcript read with timestamp + reader identity
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • MFA on the owner dashboard account, role-based access for front-desk staff

Required for dental, medical, therapy, chiropractic. See /pricing for the add-on details, or read the privacy policy at /privacy for the full data-handling specifics.