compliance
HIPAA and AI receptionists: what dental, veterinary, and healthcare-adjacent practices need to know
Before deploying an AI receptionist in your practice, you need to know what HIPAA actually requires of your vendor, what VantaWeb can honestly offer today, and whether your specific situation requires waiting for our HIPAA tier.
⚠ Status — please read
VantaWeb is not currently offered for PHI or HIPAA-regulated workflows.
VantaWeb does not currently sign Business Associate Agreements. Our full sub-processor BAA chain — covering telephony, AI inference, speech processing, real-time media, edge networking, and related services — is not yet in place. We do not recommend deploying VantaWeb for HIPAA-regulated workloads at this time.
If a proposed workflow may include PHI, do not deploy it on VantaWeb. Contact privacy@vantaweb.io for current status; no launch date or future eligibility is promised.
TL;DR
What HIPAA requires: Any vendor that processes Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement (BAA) and implement safeguards covering encryption, audit logging, access controls, and data retention. The AI receptionist hears patient calls — that is PHI exposure.
VantaWeb's posture today: VantaWeb is not currently offered for PHI or HIPAA-regulated workflows and does not currently execute BAAs. Do not infer eligibility from a plan, DPA, hosting location, encryption statement, or integration page.
Who this matters for: Any organization whose proposed call, chat, intake, booking, or integration workflow may create, receive, maintain, or transmit PHI. Determine applicability with qualified counsel; a business category alone is not a safe shortcut.
What HIPAA actually requires of an AI receptionist
HIPAA's Privacy and Security Rules apply when your business is a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and you engage a vendor that creates, receives, maintains, or transmits PHI on your behalf. That vendor becomes a Business Associate, and the relationship must be formalized with a signed Business Associate Agreement.
When a patient calls your dental office and your AI receptionist answers, that call may contain PHI: the patient's name, date of birth, appointment details, medical history references, insurance information, or the nature of their condition. The AI must transcribe and process that audio. Every system that touches that data — the telephony provider, the speech-to-text engine, the language model, the database — is in scope.
Specific technical requirements
- Business Associate Agreement: A signed written contract specifying how the vendor may use PHI, what safeguards are in place, breach notification timelines, and data destruction obligations.
- Encryption in transit and at rest: Call audio and transcripts must be encrypted during transmission (TLS 1.2 or higher) and while stored (AES-256 or equivalent). Unencrypted voicemail storage is a recurring violation finding in HHS OCR audits.
- Audit logs: The Security Rule requires audit controls that record system activity involving PHI — who accessed it, when, and what they did. Logs must be retained and reviewable.
- Access controls: Minimum necessary access. Staff and systems should only see PHI relevant to their function. Role-based access with authentication required.
- Workforce training and HIPAA policies: The vendor agreement does not relieve your practice of training obligations. Your workforce must be trained; your policies must exist.
- Breach notification: If PHI is exposed, the Business Associate must notify the covered entity within 60 days of discovery. The covered entity then notifies patients and HHS OCR as required.
HIPAA does not define a specific software certification or compliance label. There is no "HIPAA certified" badge issued by HHS. Compliance is about whether your actual configuration meets the above requirements — not whether a vendor uses the word "compliant" in its marketing.
VantaWeb's HIPAA posture today (honest version)
We will be direct: VantaWeb is not HIPAA-compatible today. We do not currently sign Business Associate Agreements with our customers, and we do not currently have signed BAAs in place with our own sub-processors — the AI inference layer, speech processing services, telephony carrier, real-time media infrastructure, edge networking, and related third-party services that touch call data. Without that full chain, no Apex-plan configuration would actually meet HIPAA's Security Rule requirements — claiming otherwise would be misleading.
The approved public boundary
VantaWeb publishes a Privacy Policy, an interim retention notice, a DPA, a sub-processor list, and a security overview. Those documents describe qualified general controls and processing relationships; they are not certifications and do not establish HIPAA eligibility. Control-specific claims about encryption at rest, data residency, retention, deletion, audit coverage, and access logging require current evidence and an executed agreement before they should be relied on.
What is not available today
- A VantaWeb BAA on any current plan
- An approved product boundary for PHI
- Public evidence establishing a complete HIPAA-eligible sub-processor and control chain
- A representation that a standard plan, add-on, or integration makes a workflow HIPAA eligible
Why this page exists, then
People researching this question deserve a current boundary, not a marketing page that turns planned work into a promise. Any future change should be accompanied by approved contracts, a verified sub-processor chain, a control matrix, a named owner, and an effective date.
If your proposed workflow may include PHI, do not use VantaWeb for that workflow today. Evaluate an eligible alternative with qualified counsel.
Which industries this matters for
HIPAA applies specifically to covered entities and their business associates. Not every healthcare-adjacent business is a covered entity. Here is a plain-language breakdown by vertical:
- Dental practices: Covered entities. Patient calls contain PHI (appointment details, conditions, insurance). BAA required for AI receptionist deployment. Wait for VantaWeb HIPAA tier.
- Veterinary clinics: Animal records are generally outside HIPAA, but a clinic may have other regulated workflows. Verify the proposed data flow and applicable law before deploying.
- Chiropractic offices: Covered entities when billing through health insurance. Patient calls contain PHI. BAA required. Wait for HIPAA tier.
- Physical therapy practices: Covered entities. PHI exposure on intake calls. BAA required. Wait for HIPAA tier.
- Optometry clinics: Covered entities when billing through health insurance. BAA required for AI call handling. Wait for HIPAA tier.
- Home health agencies: Covered entities. High PHI sensitivity. BAA required. Wait for HIPAA tier.
- Medical spas (med spas): Applicability depends on services and the proposed data flow. Verify with counsel before contracting; do not route PHI through VantaWeb today.
Businesses outside these examples still need to evaluate the actual data flow and other applicable privacy or recording laws. No category label by itself makes a deployment appropriate.
The PHI risk in voicemail and AI systems: three data points
Large healthcare data breaches reported to HHS OCR annually in recent years, with hacking and IT incidents now the leading breach category — surpassing physical record losses.
[Source: HHS OCR Breach Portal, 2023-2024 annual data]
Average cost of a healthcare data breach for organizations in the small-to-mid-size category, per industry research — driven primarily by notification, legal, and remediation costs.
[Source: Ponemon Institute, Cost of a Data Breach Report 2024]
Voicemail messages containing PHI — patient names, callback numbers, and symptoms — represent a documented and recurring HIPAA violation category in OCR enforcement cases.
[Source: HHS OCR Resolution Agreements, 2022-2024; Healthcare IT News coverage]
An AI receptionist that captures patient calls without a BAA does not eliminate the voicemail PHI risk — it moves it to a different system without the legal framework to handle it. This is precisely why VantaWeb chose to hold the HIPAA tier rather than ship it half-built.
What VantaWeb does not do (today, even on Apex)
VantaWeb does not currently provide:
- A signed Business Associate Agreement on any plan
- HIPAA Security Rule-grade audit logging
- Encryption at rest on the call database
- BAAs with the sub-processors in Anna's underlying AI infrastructure (telephony, AI inference, speech processing, real-time media, edge network, and related services)
- A HIPAA risk assessment or compliance program documentation
- SOC 2 Type 2 attestation
If you need any of the above, VantaWeb is not the right vendor for you today. We are working toward the HIPAA tier. When it launches, we will publish the full configuration, the BAA chain, and the third-party attestation.
FAQ
Is VantaWeb HIPAA compliant?
No. VantaWeb is not currently offered for PHI or HIPAA-regulated workflows and does not currently execute Business Associate Agreements. Do not transmit PHI through any current VantaWeb plan. Any future change requires an approved product boundary, contracts, sub-processor chain, controls, and an effective date; no launch date is promised.
Do you sign a Business Associate Agreement?
No. VantaWeb does not currently execute BAAs on any plan. There is no approved interim PHI path. If a proposed workflow may include PHI, do not deploy it on VantaWeb. Contact privacy@vantaweb.io only for current status; no launch date or future eligibility is promised.
Where are call transcripts stored?
VantaWeb uses multiple service providers and production stores to deliver call workflows. Retention, backup expiry, encryption termination, and processor location vary by data category and provider. Earlier fixed 90-day or US-only statements are not a universal promise. Review the Privacy Policy, Interim Data Retention Notice, sub-processor list, and executed customer agreement. None of those documents makes VantaWeb eligible for PHI today.
Can the AI hear PHI during a call?
Potentially, yes. When a patient calls a practice and says their name, date of birth, the nature of their condition, or their insurance details, that constitutes PHI under HIPAA. The AI receptionist processes that audio via speech-to-text and language model inference. This is precisely why VantaWeb does not currently recommend its platform for HIPAA-regulated workloads — the sub-processor BAA chain is not yet in place. If your practice processes PHI on inbound calls, please wait for our HIPAA tier launch or use an alternative until BAAs are formally signed.
Who should not deploy VantaWeb today?
Any organization whose proposed workflow may create, receive, maintain, or transmit PHI should not deploy VantaWeb for that workflow today. VantaWeb is not currently offered for PHI or HIPAA-regulated workflows and does not currently execute BAAs. Determine HIPAA status with qualified counsel; a business category alone does not settle the question.
Check the current boundary before planning a healthcare workflow.
If your proposed workflow may include PHI, do not deploy it on VantaWeb today. Contact us only for current status; no launch date or future eligibility is promised.