HIPAA-compliant AI receptionist: what dental, veterinary, and healthcare-adjacent practices need to know
Before deploying an AI receptionist in your practice, you need to know what HIPAA actually requires of your vendor, what VantaWeb can and cannot promise, and whether your specific situation requires a Business Associate Agreement. This page answers those questions directly.
TL;DR
What HIPAA requires: Any vendor that processes Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement (BAA) and implement safeguards covering encryption, audit logging, access controls, and data retention. The AI receptionist hears patient calls — that is PHI exposure.
VantaWeb's posture: VantaWeb is not a HIPAA-certified product. Under the Apex plan ($599/mo), we provide a signed BAA, configure HIPAA-eligible vendor paths for voice processing and LLM inference, and restrict data retention per the BAA terms. We do not offer a BAA on Pulse or Surge plans.
Who this matters for: Dental practices, veterinary clinics, chiropractic offices, physical therapy practices, optometry clinics, home health agencies, and medical spas operating as covered entities or business associates under HIPAA. B2B service businesses with healthcare clients — but no direct patient data — typically do not need a BAA.
What HIPAA actually requires of an AI receptionist
HIPAA's Privacy and Security Rules apply when your business is a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and you engage a vendor that creates, receives, maintains, or transmits PHI on your behalf. That vendor becomes a Business Associate, and the relationship must be formalized with a signed Business Associate Agreement.
When a patient calls your dental office and your AI receptionist answers, that call may contain PHI: the patient's name, date of birth, appointment details, medical history references, insurance information, or the nature of their condition. The AI must transcribe and process that audio. Every system that touches that data — the telephony provider, the speech-to-text engine, the language model, the database — is in scope.
Specific technical requirements
- Business Associate Agreement: A signed written contract specifying how the vendor may use PHI, what safeguards are in place, breach notification timelines, and data destruction obligations.
- Encryption in transit and at rest: Call audio and transcripts must be encrypted during transmission (TLS 1.2 or higher) and while stored (AES-256 or equivalent). Unencrypted voicemail storage is a recurring violation finding in HHS OCR audits.
- Audit logs: The Security Rule requires audit controls that record system activity involving PHI — who accessed it, when, and what they did. Logs must be retained and reviewable.
- Access controls: Apply the minimum-necessary standard. Staff and systems should see only the PHI relevant to their function, enforced through role-based access with authentication.
- Workforce training and HIPAA policies: The vendor agreement does not relieve your practice of training obligations. Your workforce must be trained; your policies must exist.
- Breach notification: If PHI is exposed, the Business Associate must notify the covered entity within 60 days of discovery. The covered entity then notifies patients and HHS OCR as required.
HIPAA does not define a specific software certification or compliance label. There is no "HIPAA certified" badge issued by HHS. Compliance is about whether your actual configuration meets the above requirements — not whether a vendor uses the word "compliant" in its marketing.
VantaWeb's HIPAA posture
We will be direct: VantaWeb is not marketed as a HIPAA-certified product, and we would not tell you that it is. Certification does not exist in HIPAA's framework, and claiming it would be misleading. What we can tell you is how our system is built, what protections are in place, and what the Apex plan specifically offers for practices with PHI obligations.
How the voice pipeline works
When a caller reaches VantaWeb's AI receptionist, the call routes through Telnyx (our telephony carrier), which offers HIPAA-eligible voice configuration and is capable of entering a BAA for covered-entity customers. Audio is processed in real time via a speech-to-text engine and a large language model — we use Anthropic's Claude and optionally OpenAI's GPT for inference. Both Anthropic and OpenAI offer BAAs for enterprise contracts. Call data and transcripts are stored in VantaWeb's own infrastructure: a self-hosted Postgres database on our dedicated server. No customer data routes through third-party analytics or ad-tech platforms.
What the Apex plan provides
Under the Apex plan ($599/mo), VantaWeb:
- Signs a Business Associate Agreement with your practice before the system goes live.
- Configures HIPAA-eligible voice paths through Telnyx under a Telnyx BAA arrangement.
- Routes LLM inference through enterprise-contracted API paths that support HIPAA BAAs.
- Restricts data retention to the terms specified in your BAA — no indefinite transcript storage.
- Implements access controls limiting transcript access to authorized users on your account.
What Surge and Pulse plans do not include
The Surge ($299/mo) and Pulse ($149/mo) plans use standard configurations. They are appropriate for businesses with incidental PHI exposure, low-volume practices weighing their actual risk profile, or B2B service companies with healthcare clients but no direct patient data handling. No BAA is available on these plans. If your practice is a covered entity under HIPAA and your patients' calls will touch the system, Apex is the correct plan. Speak with your legal counsel if you are unsure of your covered-entity status.
What we cannot promise
VantaWeb supports HIPAA-required configurations under the Apex plan, but we cannot guarantee that any specific deployment meets your practice's legal obligations. HIPAA compliance depends on your workflows, your workforce training, your internal policies, and how you actually use the system. A BAA with VantaWeb is one component of a compliant posture, not the whole thing.
Talk to us about your specific situation before contracting. If what you describe requires more than we can configure, we will tell you directly.
Which industries this matters for
HIPAA applies specifically to covered entities and their business associates. Not every healthcare-adjacent business is a covered entity. Here is a plain-language breakdown by vertical:
- Dental practices: Covered entities. Patient calls contain PHI (appointment details, conditions, insurance). BAA required for AI receptionist deployment. Apex plan appropriate.
- Veterinary clinics: Veterinary records are generally not covered under HIPAA — animals are not patients under the Act. Most vet practices do not require a BAA. However, practices that also handle human healthcare billing (rare) should verify with counsel.
- Chiropractic offices: Covered entities when billing through health insurance. Patient calls contain PHI. BAA required.
- Physical therapy practices: Covered entities. PHI exposure on intake calls. BAA required.
- Optometry clinics: Covered entities when billing through health insurance. BAA required for AI call handling.
- Home health agencies: Covered entities. High PHI sensitivity — patient conditions and addresses discussed on intake calls. BAA required; discuss data retention terms carefully.
- Medical spas (med spas): Depends on services. Med spas performing medical procedures billed through insurance are covered entities. Cosmetic-only med spas typically are not. Verify with counsel before contracting.
For businesses outside this list, such as HVAC companies whose healthcare-worker clients call for service or pest control companies servicing medical buildings, HIPAA does not apply to your calls. Standard Surge configuration is appropriate.
The PHI risk in voicemail and AI systems: three data points
Large healthcare data breaches reported to HHS OCR annually in recent years, with hacking and IT incidents now the leading breach category — surpassing physical record losses.
[Source: HHS OCR Breach Portal, 2023-2024 annual data]
Average cost of a healthcare data breach for organizations in the small-to-mid-size category, per industry research — driven primarily by notification, legal, and remediation costs.
[Source: Ponemon Institute, Cost of a Data Breach Report 2024]
Voicemail messages containing PHI — patient names, callback numbers, and symptoms — represent a documented and recurring HIPAA violation category in OCR enforcement cases.
[Source: HHS OCR Resolution Agreements, 2022-2024; Healthcare IT News coverage]
An AI receptionist that captures patient calls without a BAA does not eliminate the voicemail PHI risk — it moves it to a different system without the legal framework to handle it. The right configuration solves the problem; the wrong configuration creates a new one.
What VantaWeb does not do
VantaWeb is not a replacement for your practice's own HIPAA training, internal policies, BAA review with your legal counsel, or ePHI workflow audit. We provide a HIPAA-compatible AI receptionist layer when configured under the Apex plan — that is a vendor safeguard, not a compliance program.
We do not perform HIPAA risk assessments for your practice. We do not advise on whether your practice is a covered entity. We do not guarantee that our configuration meets any specific regulatory standard. We do sign a BAA, configure the system appropriately, and take responsibility for our side of the agreement — the rest is your practice's obligation, as it should be.
If you need a compliance partner who provides full HIPAA program management, that is a different service category. We are an AI receptionist vendor that takes the BAA seriously.
FAQ
Is VantaWeb HIPAA compliant?
HIPAA compliance is a practice obligation, not a vendor label — HHS does not certify software as "HIPAA compliant." VantaWeb supports HIPAA-required configurations under the Apex plan, including a signed BAA, HIPAA-eligible voice paths through Telnyx, LLM processing through enterprise-contracted providers that offer HIPAA BAAs, and restricted data retention. Whether your specific deployment meets your practice's obligations depends on your workflows, your legal counsel's guidance, and how the system is used. We describe our posture as "HIPAA-compatible when configured under Apex" — not "fully HIPAA compliant" as a marketing shorthand.
Do you sign a Business Associate Agreement?
Yes, on the Apex plan ($599/mo). We provide a signed BAA before the system goes live. Under that plan we configure HIPAA-eligible vendor paths and restrict data retention per the BAA terms. The BAA is not available on Pulse ($149/mo) or Surge ($299/mo) plans. If your practice is a HIPAA covered entity, Apex is the correct plan for AI receptionist deployment.
Where are call transcripts stored?
Call audio is processed in real time and transcripts are stored in VantaWeb's own infrastructure — a self-hosted Postgres database on our dedicated server. No customer data is routed through third-party analytics, ad-tech, or public cloud data warehouses. Under the Apex plan with a signed BAA, we configure restricted data retention schedules and access controls consistent with the BAA terms.
Can the AI hear PHI during a call?
Potentially, yes. When a patient calls your practice and says their name, date of birth, the nature of their condition, or their insurance details, that constitutes PHI under HIPAA. The AI receptionist processes that audio via speech-to-text and language model inference. That is precisely why a BAA is required — the vendor processing that data becomes a Business Associate. Under Apex, we configure HIPAA-eligible paths for all three components and sign the agreement accordingly.
Which practices have used VantaWeb with PHI exposure?
We work with dental practices, veterinary clinics, chiropractic offices, and medical spas — all with varying degrees of PHI exposure. Practices with covered-entity status contract under the Apex plan with a signed BAA. We do not publish a customer list, but we are happy to connect prospective customers with existing customers in the same vertical during a sales conversation. Ask when you book a call.
Get a BAA-ready setup conversation.
If your practice handles patient calls and you need an AI receptionist configured under a signed BAA, book a call with us. We'll talk through your specific situation before you sign anything.