HIPAA and AI Receptionists: A Compliance Guide for US Clinics
Your AI receptionist needs a BAA, encrypted data handling, and audit trails to be HIPAA compliant. Here's what US clinics must verify before deploying one.
If your US healthcare clinic uses an AI receptionist that handles patient phone calls, HIPAA applies. Any AI system that processes protected health information (PHI), which includes patient names, phone numbers, appointment details, insurance information, and reasons for calling, must meet the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements. This guide covers what HIPAA requires from AI receptionist vendors, what your clinic needs to verify before signing up, and the specific compliance elements most clinics overlook.
Why HIPAA Applies to AI Receptionists
HIPAA applies whenever a "covered entity" (your clinic) shares PHI with a "business associate" (the AI vendor). When a patient calls your clinic and an AI system answers, the AI processes PHI: the patient's name, reason for calling, appointment details, and potentially insurance or clinical information.
The AI vendor is a business associate. That triggers three core requirements: a signed Business Associate Agreement (BAA), technical safeguards meeting the HIPAA Security Rule, and breach notification obligations if PHI is compromised.
Some clinic owners assume that AI phone systems don't handle "real" PHI because they're just scheduling appointments. That's incorrect. A patient's name combined with their appointment time at a healthcare facility is PHI under HIPAA. So is a message saying "I need to cancel my appointment with Dr. Smith on Thursday." The bar for what constitutes PHI is lower than many clinics realise.
The Business Associate Agreement: Non-Negotiable
A BAA is a legal contract between your clinic and the AI vendor that specifies how the vendor will handle, protect, and report on PHI. Without a signed BAA, using an AI receptionist that processes PHI violates HIPAA, regardless of how good the vendor's security actually is.
What the BAA should cover:
Permitted uses and disclosures of PHI.
Security safeguards the vendor implements.
Breach notification procedures and timelines (HIPAA requires notification within 60 days of discovery).
What happens to PHI when the contract ends.
The vendor's obligation to make their practices available for audit.
Red flag: If an AI vendor can't produce a BAA, or says you don't need one, do not proceed. This is the single most common HIPAA compliance failure with AI tools. Some vendors offer HIPAA compliance only on higher-tier plans. Make sure your specific plan includes the BAA.
HIPAA Security Rule Requirements for AI Systems
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For AI receptionists, the most relevant technical requirements are:
Encryption
All PHI must be encrypted in transit (during the phone call and data transmission) and at rest (when stored on servers). The Security Rule doesn't mandate specific encryption standards, but industry practice is AES-256 for data at rest and TLS 1.2+ for data in transit. Ask your vendor to confirm their encryption standards in writing.
Access Controls
Only authorised personnel at the vendor should be able to access PHI. The vendor should implement role-based access, unique user identification, and automatic session termination. Ask: who at the vendor can access your patients' call data? How are access permissions managed and audited?
Audit Logging
The Security Rule requires mechanisms to record and examine access to ePHI. Your AI vendor should maintain audit logs showing who accessed what data, when, and what actions were taken. These logs should be available to your clinic on request.
Data Integrity
Safeguards must protect ePHI from improper alteration or destruction. Call transcripts and appointment records should be tamper-evident once created.
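The two requirements above, an audit trail of who accessed what and when, and records that are tamper-evident once written, can be met with one mechanism: an append-only log in which every entry is keyed-hashed together with the hash of the entry before it. The following is an added example written for this guide, not JustReva's or any vendor's code; it assumes a JSON-lines style log and a hypothetical signing key held by the vendor's logging service, and the call identifiers and actor names are constructed placeholders.

```python
"""Tamper-evident audit log for PHI access (added example, not a vendor's code).

Assumptions not taken from the article: the vendor keeps an append-only log of
events; each entry is chained to the previous one by HMAC-SHA256, so altering,
reordering or deleting an entry after the fact breaks the chain. LOG_KEY is a
hypothetical value; a real deployment would hold it in an HSM or KMS.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

LOG_KEY = b"example-only-audit-log-key"   # hypothetical key, never hard-code in production
GENESIS = "0" * 64                         # chain anchor for the first entry


def _canonical(entry: Dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[Dict], actor: str, action: str, resource: str,
                 ts: Optional[str] = None) -> Dict:
    """Append one audit record (who, what, when, on which record) linked to its predecessor."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "resource": resource,
        "prev_hash": prev_hash,
    }
    body["hash"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_chain(log: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        # A gap, reorder or deletion shows up as a sequence/prev_hash mismatch.
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i
        unsigned = {k: v for k, v in entry.items() if k != "hash"}
        expected = hmac.new(LOG_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        # An edited field shows up as a MAC mismatch.
        if not hmac.compare_digest(expected, entry.get("hash", "")):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def accesses_to(log: List[Dict], resource: str) -> List[Tuple[str, str, str]]:
    """Answer the audit question: who touched this record, when, and what did they do?"""
    return [(e["ts"], e["actor"], e["action"]) for e in log if e["resource"] == resource]


def demo() -> Dict:
    # Constructed sample events; identifiers are placeholders, not real patient data.
    log: List[Dict] = []
    append_entry(log, "asr-service", "create", "call/C-1001/transcript", "2025-03-03T14:02:11+00:00")
    append_entry(log, "support.agent1", "read", "call/C-1001/transcript", "2025-03-03T15:30:00+00:00")
    append_entry(log, "retention-job", "delete", "call/C-1001/audio", "2025-03-03T14:02:40+00:00")
    intact_ok, _ = verify_chain(log)

    # After-the-fact alteration: someone rewrites who read the transcript.
    altered = json.loads(json.dumps(log))
    altered[1]["actor"] = "nobody"
    altered_ok, altered_at = verify_chain(altered)

    # Quiet deletion of the read event.
    truncated = json.loads(json.dumps(log))
    del truncated[1]
    deleted_ok, deleted_at = verify_chain(truncated)

    return {
        "intact_ok": intact_ok,
        "altered_ok": altered_ok, "altered_at": altered_at,
        "deleted_ok": deleted_ok, "deleted_at": deleted_at,
        "transcript_events": accesses_to(log, "call/C-1001/transcript"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When asking a vendor for audit logs, this is the property to look for: not just that entries exist, but that the vendor can demonstrate an entry cannot be edited or removed without the change being detectable, and that the log answers the who/what/when question for a named record.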
Transmission Security
PHI transmitted over networks must be protected against interception. For AI voice receptionists, this means the voice data stream between the patient's call and the AI processing system must be encrypted end-to-end. In practice the leg of the call on the public telephone network is outside the vendor's control, so what you can verify is that every hop the vendor operates, from its telephony gateway through speech recognition and the language model, is encrypted.
Data Residency and Retention
HIPAA doesn't require US-based data storage, but it does require that wherever data is stored, the full Security Rule protections apply. For practical purposes, US-based hosting simplifies compliance because you're not navigating foreign data protection laws on top of HIPAA.
Data retention is where many AI vendors introduce risk. Some AI platforms retain voice recordings, call transcripts, and patient data to train their models. Under HIPAA, any use of PHI beyond the purposes specified in the BAA requires patient authorisation. If the vendor uses your patients' call data to improve their AI, and patients haven't authorised that use, it's a HIPAA violation.
Ask every vendor: how long is call data retained? Are voice recordings stored, and if so, for how long? Is any PHI used for model training, product improvement, or shared with third parties?
The safest approach: choose vendors that offer zero data retention on voice processing, meaning the audio is processed in real time and not stored after the call ends. At JustReva, our arrangement with OpenAI includes a BAA with zero data retention, meaning patient voice data is processed but never stored or used for model training. See our security page for full details.
Breach Notification: What Happens If Something Goes Wrong
Under the HIPAA Breach Notification Rule, if PHI is compromised, you must notify affected patients within 60 days, notify the Department of Health and Human Services (HHS), and, for breaches affecting 500 or more individuals, notify prominent media outlets.
Your BAA should specify that the vendor will notify you of any breach promptly (the faster the better, regardless of the 60-day outer limit) and cooperate with your incident response.
HIPAA violations can result in penalties ranging from $100 to $50,000 per violation, with an annual maximum of $2,067,813 per violation category as of 2024. Criminal penalties can apply for knowing violations.
A Compliance Checklist for AI Receptionist Deployment
Before signing with any AI receptionist vendor, verify:
BAA: Signed BAA covering your specific plan. Specifies permitted uses, security obligations, breach notification, and data handling at contract termination.
Encryption: AES-256 at rest, TLS 1.2+ in transit. Written confirmation from vendor.
Access controls: Role-based access. Unique user IDs. Vendor can describe who has access to PHI and how access is managed.
Audit logging: Logs available showing access to PHI. Available to your clinic on request.
Data retention: Clear retention policy. Ideally zero retention on voice processing. No PHI used for model training without patient authorisation.
Data storage location: Know where servers are located. US-based hosting simplifies compliance.
Breach notification: Vendor commits to prompt notification. Cooperates with your incident response.
Staff training: Your team understands what PHI the AI processes and knows escalation procedures for privacy concerns.
For a broader framework on evaluating AI vendors, see our guide on how to evaluate AI vendors for healthcare. For Ontario clinics, the equivalent provincial framework is in our PHIPA compliance guide, and dental practices in Ontario also need to follow the RCDSO AI guidelines.
The 2025 HIPAA Security Rule Update
HHS published a Notice of Proposed Rulemaking in January 2025 to update the HIPAA Security Rule. Key proposed changes include mandatory encryption of all ePHI (currently "addressable"), required multi-factor authentication, annual compliance audits, technology asset inventories, and vulnerability scanning. While these changes are not yet finalised, they signal the direction of HIPAA enforcement. Clinics deploying AI tools now should plan for these stricter requirements. Our existing article on the HIPAA 2025 Security Rule update covers this in detail.
HIPAA Compliance Built In
JustReva offers HIPAA compliance on every plan: signed BAA, zero data retention on voice processing, US-region data storage for US clinics, and end-to-end encryption. Start a free 30-day pilot to see REVA handle calls within your compliance framework.
Ready to stop missing patient calls?
REVA answers every call in under 1 second, 24/7. Book a demo to see it in action.