HIPAA Compliant Answering Service: What to Actually Check
No answering service is officially "HIPAA certified." Here is what HIPAA really requires of a medical answering service, and the questions to ask before you sign.
By the PhoneAgent.ai team
July 2026 · 9 min read
Hear it answer to watch the AI disclose, qualify the caller, check the calendar and book the appointment.
Appointment card
Live.
What PhoneAgent did
Live, interactive · AI disclosed · no card needed
Your agent answers like this, tuned to your hours, services, and calendar.
There is no such thing as an officially HIPAA certified answering service. HIPAA does not certify, approve or license vendors, and the government issues no seal. What HIPAA actually requires is narrower and much easier to check: if a vendor handles protected health information on your behalf, they are a business associate, and you must have a signed Business Associate Agreement (BAA) in place before that information reaches them. Everything else on a vendor's compliance page is marketing until you have the BAA in writing.
This matters because the phone is where most small practices leak patient information without thinking about it. A caller leaves a message describing a symptom. An operator writes it into a shared inbox. A recording sits on a server for two years because nobody set a retention policy. None of that is exotic, and all of it is PHI moving through a third party.
Here is what to check, in the order that matters, before you hand your patient calls to anyone.
What HIPAA actually requires of an answering service
Under the HIPAA Privacy and Security Rules, a business associate is any person or entity that creates, receives, maintains or transmits PHI on behalf of a covered entity. An answering service that takes patient messages is doing exactly that, which puts it squarely in scope. Three obligations follow.
A signed BAA. This is the contract that makes the vendor legally responsible for protecting the PHI it touches. Without it, you have a compliance gap regardless of how good the vendor's security is. The BAA is not paperwork you chase afterwards, it belongs in place before the first call is answered.
Safeguards on the data itself. Encryption in transit and at rest, access controls so not every employee can pull up a recording, audit logs showing who accessed what, and a documented breach notification process.
Minimum necessary. The service should collect only the information it genuinely needs to do its job. An answering service that exists to book appointments does not need a caller's full symptom history, and a system that asks for less is a system that can leak less.
The questions to ask every vendor
Sales pages are written to avoid these. Ask them directly, in an email, so the answers are in writing.
- Will you sign a BAA? If the answer is anything other than a clear yes with a document attached, stop there. A vendor that will not sign has told you something important.
- Are call recordings and transcripts encrypted, in transit and at rest?
- How long are recordings retained, and can I set that retention period myself? Indefinite retention is a liability you are inheriting.
- Who on your side can access my patients' calls, and is that access logged?
- What happens to my data if I cancel? Get the deletion timeline in writing.
- If you use subcontractors or offshore operators, are they covered by the BAA?
- What is your breach notification process and timeline?
Notice that none of these ask "are you HIPAA compliant?" That question invites a yes from everybody and tells you nothing.
Why "HIPAA certified" is a red flag, not a credential
When a vendor advertises itself as HIPAA certified, what they mean is that they ran an internal audit, or paid a consultancy to run one. That can be genuinely useful work. It is not a government approval, because no such approval exists, and a vendor that presents it as one is either confused about the rule or hoping you are.
The honest version sounds different. It sounds like: here is our BAA, here is how we encrypt data, here is our retention policy, here is who can access what. A vendor that leads with documents rather than badges is usually the one that has done the work.
Where AI answering services change the picture
An AI answering service shifts some of the risk in your favor and introduces one new question.
In your favor: consistency. Human operators are the most common source of small HIPAA slips, not through malice but through ordinary human variability. Someone reads a message aloud in a room with other people in it, or emails details to the wrong doctor, or writes down more than they needed to. Software does the same thing the same way on every call, and it collects only the fields you configured it to collect.
The new question is about the AI model itself: is your call data used to train it? Ask this explicitly. The answer you want is no.
The design principle that helps most is scope. A system built to schedule appointments, answer non-clinical questions and escalate anything clinical to your staff simply handles less PHI than one that tries to take detailed symptom messages. That is how our medical answering service is built: it books visits, handles reschedules, answers questions about hours, location, insurance and visit prep, and escalates anything clinical or urgent to your on-call staff by rules you set. It never gives medical advice, and it discloses that it is an AI on every call, with recording handled consent-aware by state.
If PHI will be discussed on your calls, require a signed BAA from every vendor on your shortlist before you go live. That includes us. Ask, get it in writing, and keep the copy.
What good looks like in practice
A practice that has this right can answer four questions in under a minute: where is our BAA, how long are recordings kept, who can see them, and what does the service do when a patient starts describing symptoms in detail.
That last one is the tell. The right answer is that the call is escalated to clinical staff, not transcribed into a message queue where the details sit in plaintext waiting for someone to read them at 7am.
The compliance question nobody asks: consent to record
HIPAA is not the only rule touching your phone line. Call recording consent is governed by state law, and roughly a dozen states require all parties to consent before a call is recorded. A medical practice in California, Florida, Washington, Pennsylvania or Illinois that records patient calls without the right prompt has a problem that has nothing to do with HIPAA and everything to do with state wiretapping statutes.
Most practices never think about this, because the legacy answering service handled it (or did not) somewhere out of sight. We wrote up how the state rules split in the guide to call recording consent laws. The short version: if in doubt, disclose, and use a system that plays the right prompt automatically rather than relying on anyone to remember.
Cost is a compliance question too
This sounds like a stretch until you have watched it happen. Traditional medical answering services bill by the minute, commonly $1.75 to $2.25, which means a long, careful call costs more than a short, sloppy one. Practices under cost pressure start looking for ways to shorten calls, and that is exactly the pressure you do not want in a workflow that touches patient information.
Flat pricing removes the incentive. We break down what practices actually pay, per minute versus flat, on the medical answering service page, and there is a fuller cost comparison in how much an answering service costs.
The same logic applies to the compliance work itself. Most small practices track their obligations in a spreadsheet that nobody has opened since the last audit, which is how a BAA quietly expires or a retention policy goes unreviewed for three years. Practices that take it seriously tend to map the obligations and controls in one place rather than rediscovering them under pressure. Same principle as the phone: the routine, repeatable work is exactly the work that should not depend on somebody remembering.
A short checklist to take to a vendor
- Signed BAA in hand, before go-live, not after
- Encryption in transit and at rest, stated plainly
- A retention period you control, with deletion on cancellation
- Access controls and audit logs on recordings
- Written confirmation that your call data is not used to train AI models
- The service escalates clinical calls instead of transcribing them
- Recording consent handled correctly for two-party-consent states
- AI disclosed to callers, if the service uses AI
Run that list against any vendor, including this one, and you will learn more in ten minutes than a compliance page will tell you in an hour.
This is general information, not legal advice. HIPAA obligations depend on your specific situation, so confirm the details with a qualified professional.
Hear PhoneAgent.ai answer and book
The AI receptionist answers every call 24/7, greets callers in your business name, books appointments into your calendar and texts missed callers back. Flat fee, no per-minute meter, AI disclosed on every call.