An AI receptionist handling PHI (patient names, appointment details, insurance info, complaint info) is a Business Associate under HIPAA. Required: signed BAA between the practice and vendor, encryption in transit (TLS 1.2 minimum, ideally 1.3) and at rest (AES-256), audit-logged access to PHI, breach notification within 60 days, ability to produce records on request, ability to delete PHI on patient request.
Ask any vendor: 'Send me your standard BAA.' Reputable vendors send it within 24 hours — they have it on file. Vendors who hedge ('we're working on it,' 'we'll get back to you,' 'we don't really need one for what we do') are NOT HIPAA-compliant. Never sign a contract with a vendor handling PHI who can't produce a BAA. If a breach occurs and you didn't have a BAA in place, you're personally exposed.
Production-ready HIPAA AI vendors use TLS 1.2+ in transit (call audio and transcripts), AES-256 at rest (recordings and transcripts), short PHI retention periods (most default to 30-90 days), and encrypted backups held to the same standards. Storage location: US-based servers are preferred (some BAAs require them); the data residency clause in the BAA should spell this out.
Patient calls AI receptionist → audio encrypted in transit → AI captures appointment request → transcript stored encrypted with limited retention → appointment booked into practice's HIPAA-covered PMS → audit log records who accessed transcript when. Patient requests record deletion → vendor's portal lets practice delete that patient's transcripts within 30 days. Breach incident → vendor notifies practice within agreed window.
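As an added example (not the page's or any vendor's code), here is a minimal Python model of the transcript lifecycle just described: every read is audit-logged before PHI is returned, a retention job purges transcripts older than 90 days, and a patient deletion request is tracked against the 30-day window. All names and sample data are constructed, and encryption at rest is assumed to have happened before `ciphertext` is stored.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION_DAYS = 90      # upper end of the 30-90 day default retention described above
DELETION_SLA_DAYS = 30   # patient deletion requests must be completed within 30 days

@dataclass
class Transcript:
    transcript_id: str
    patient_id: str
    created_at: datetime
    ciphertext: bytes    # assumed AES-256-encrypted before storage; cipher not shown here

@dataclass
class PHIStore:
    transcripts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # append-only: who touched which PHI, when
    def _audit(self, who, action, transcript_id, when):
        self.audit_log.append({"who": who, "action": action, "id": transcript_id, "when": when})
    def store(self, t, who, when):
        self.transcripts[t.transcript_id] = t
        self._audit(who, "store", t.transcript_id, when)
    def read(self, transcript_id, who, when):
        self._audit(who, "read", transcript_id, when)   # log the access before PHI is returned
        return self.transcripts.get(transcript_id)
    def purge_expired(self, now, retention_days=RETENTION_DAYS):
        cutoff = now - timedelta(days=retention_days)
        expired = [tid for tid, t in self.transcripts.items() if t.created_at < cutoff]
        for tid in expired:
            del self.transcripts[tid]
            self._audit("retention-job", "purge", tid, now)
        return len(expired)
    def delete_patient(self, patient_id, who, requested_at, now):
        # returns (records removed, whether completion fell inside the 30-day window)
        matched = [tid for tid, t in self.transcripts.items() if t.patient_id == patient_id]
        for tid in matched:
            del self.transcripts[tid]
            self._audit(who, "delete-on-request", tid, now)
        within_sla = now - requested_at <= timedelta(days=DELETION_SLA_DAYS)
        return len(matched), within_sla

def run_demo():
    # constructed sample data: two calls, one old enough to expire, one patient asks for deletion
    s, t0 = PHIStore(), datetime(2024, 1, 1)
    s.store(Transcript("t1", "patient-A", t0, b"<ciphertext>"), "ai-receptionist", t0)
    s.store(Transcript("t2", "patient-B", t0 - timedelta(days=120), b"<ciphertext>"), "ai-receptionist", t0)
    s.read("t1", "front-desk", t0 + timedelta(days=1))
    purged = s.purge_expired(t0 + timedelta(days=2))   # t2 is older than 90 days
    deleted = s.delete_patient("patient-A", "practice-admin", t0 + timedelta(days=5), t0 + timedelta(days=15))
    late = s.delete_patient("patient-B", "practice-admin", t0, t0 + timedelta(days=40))  # nothing left, past SLA
    history = [(e["who"], e["action"]) for e in s.audit_log if e["id"] == "t1"]
    return {"purged": purged, "deleted": deleted, "late": late, "t1_history": history, "remaining": len(s.transcripts)}
```

The audit log is what lets the practice answer "who accessed this transcript and when" on request; in production it would live in append-only storage separate from the transcripts themselves.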
Dental, medical, mental health, addiction treatment, veterinary (in some interpretations), home health, chiropractic, physical therapy, pharmacy, hospice, optometry. Any practice handling PHI. For non-PHI verticals (HVAC, real estate, retail) HIPAA doesn't apply — but data security best practices still do. Free 5-min audit includes HIPAA configuration review for your specific practice.