compliance

HIPAA and AI receptionists: what dental, veterinary, and healthcare-adjacent practices need to know

Before deploying an AI receptionist in your practice, you need to know what HIPAA actually requires of your vendor, what VantaWeb can honestly offer today, and whether your specific situation requires waiting for our HIPAA tier.

⚠ Status — please read

VantaWeb's HIPAA tier is in active development. Not available today.

VantaWeb does not currently sign Business Associate Agreements. Our full sub-processor BAA chain — covering telephony, AI inference, speech processing, real-time media, edge networking, and related services — is not yet in place. We do not recommend deploying VantaWeb for HIPAA-regulated workloads at this time.

If your practice is a HIPAA covered entity (dental, veterinary with medical billing, chiropractic, medical spa with covered services, optometry, physical therapy, home health), please contact us to be notified when our HIPAA tier launches.

TL;DR

What HIPAA requires: Any vendor that processes Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement (BAA) and implement safeguards covering encryption, audit logging, access controls, and data retention. The AI receptionist hears patient calls — that is PHI exposure.

VantaWeb's posture today: Our HIPAA-compatible tier is under active development. We do not yet sign BAAs and we do not currently have the required sub-processor BAA chain in place. We will not deploy VantaWeb for HIPAA-regulated workloads until the chain is signed and the configuration is independently reviewed.

Who this matters for: Dental practices, veterinary clinics with medical billing, chiropractic offices, physical therapy practices, optometry clinics, home health agencies, and medical spas operating as covered entities. B2B service businesses (HVAC, plumbing, roofing, contractors) with healthcare clients — but no direct patient data — are not HIPAA covered entities and can use VantaWeb today.

What HIPAA actually requires of an AI receptionist

HIPAA's Privacy and Security Rules apply when your business is a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and you engage a vendor that creates, receives, maintains, or transmits PHI on your behalf. That vendor becomes a Business Associate, and the relationship must be formalized with a signed Business Associate Agreement.

When a patient calls your dental office and your AI receptionist answers, that call may contain PHI: the patient's name, date of birth, appointment details, medical history references, insurance information, or the nature of their condition. The AI must transcribe and process that audio. Every system that touches that data — the telephony provider, the speech-to-text engine, the language model, the database — is in scope.

Specific technical requirements

  • Business Associate Agreement: A signed written contract specifying how the vendor may use PHI, what safeguards are in place, breach notification timelines, and data destruction obligations.
  • Encryption in transit and at rest: Call audio and transcripts must be encrypted during transmission (TLS 1.2 or higher) and while stored (AES-256 or equivalent). Unencrypted voicemail storage is a recurring violation finding in HHS OCR audits.
  • Audit logs: The Security Rule requires audit controls that record system activity involving PHI — who accessed it, when, and what they did. Logs must be retained and reviewable.
  • Access controls: Minimum necessary access. Staff and systems should only see PHI relevant to their function. Role-based access with authentication required.
  • Workforce training and HIPAA policies: The vendor agreement does not relieve your practice of training obligations. Your workforce must be trained; your policies must exist.
  • Breach notification: If PHI is exposed, the Business Associate must notify the covered entity within 60 days of discovery. The covered entity then notifies patients and HHS OCR as required.

HIPAA does not define a specific software certification or compliance label. There is no "HIPAA certified" badge issued by HHS. Compliance is about whether your actual configuration meets the above requirements — not whether a vendor uses the word "compliant" in its marketing.

VantaWeb's HIPAA posture today (honest version)

We will be direct: VantaWeb is not HIPAA-compatible today. We do not currently sign Business Associate Agreements with our customers, and we do not currently have signed BAAs in place with our own sub-processors — the AI inference layer, speech processing services, telephony carrier, real-time media infrastructure, edge networking, and related third-party services that touch call data. Without that full chain, no Apex-plan configuration would actually meet HIPAA's Security Rule requirements — claiming otherwise would be misleading.

What we DO have today (Apex plan)

Under the Apex plan ($599/mo), VantaWeb provides:

  • Encryption in transit (TLS 1.2 minimum, enforced at the Cloudflare edge as of May 2026)
  • Self-hosted Postgres for call data — no third-party analytics or ad-tech routing
  • 90-day default transcript retention (configurable on Apex)
  • Per-tenant data isolation via Row-Level Security in the database
  • Per-tenant API key scoping
  • Audit logging of API access (limited; not yet HIPAA Security Rule-grade)

These are reasonable safeguards for a non-HIPAA-regulated business. They are not a full HIPAA Security Rule program and they do not substitute for a signed BAA chain.

What we DO NOT have today

  • Signed BAA with VantaWeb's customers (any plan)
  • Signed BAAs with our sub-processors
  • Encryption at rest on the database disk (planned, not yet in place)
  • Formal HIPAA Security Rule policies and procedures (~25 written documents required)
  • Annual HIPAA risk assessment (not yet performed)
  • SOC 2 Type 2 attestation (planned for 2026/2027)
  • HHS OCR breach notification playbook (drafted, not yet operationalized)

Why this page exists, then

We rank for "HIPAA compliant AI receptionist" in search. Practices researching this question deserve an honest answer, not a marketing page that promises capability we don't have. The HIPAA tier is something we are actively building toward. When it launches we will publicly document the full sub-processor BAA chain, the technical safeguards, and the third-party attestation. Until then, this page is the honest answer.

If your practice is a HIPAA covered entity and you need an AI receptionist now, do not use VantaWeb. Consider Smith.ai's HIPAA-compliant tier, or wait for our HIPAA tier launch. Contact us to be notified.

Which industries this matters for

HIPAA applies specifically to covered entities and their business associates. Not every healthcare-adjacent business is a covered entity. Here is a plain-language breakdown by vertical:

  • Dental practices: Covered entities. Patient calls contain PHI (appointment details, conditions, insurance). BAA required for AI receptionist deployment. Wait for VantaWeb HIPAA tier.
  • Veterinary clinics: Veterinary records are generally not covered under HIPAA — animals are not patients under the Act. Most vet practices do not require a BAA and can use VantaWeb today. However, practices that also handle human healthcare billing (rare) should verify with counsel.
  • Chiropractic offices: Covered entities when billing through health insurance. Patient calls contain PHI. BAA required. Wait for HIPAA tier.
  • Physical therapy practices: Covered entities. PHI exposure on intake calls. BAA required. Wait for HIPAA tier.
  • Optometry clinics: Covered entities when billing through health insurance. BAA required for AI call handling. Wait for HIPAA tier.
  • Home health agencies: Covered entities. High PHI sensitivity. BAA required. Wait for HIPAA tier.
  • Medical spas (med spas): Depends on services. Med spas performing medical procedures billed through insurance are covered entities. Cosmetic-only med spas typically are not — those can use VantaWeb today. Verify with counsel before contracting.

For businesses outside this list — HVAC companies whose healthcare-worker clients call for service, pest control companies servicing medical buildings — HIPAA does not apply to your calls. Standard Pulse, Surge, or Apex configuration is appropriate and you can deploy VantaWeb today.

The PHI risk in voicemail and AI systems: three data points

500-700+

Large healthcare data breaches reported to HHS OCR annually in recent years, with hacking and IT incidents now the leading breach category — surpassing physical record losses.

[Source: HHS OCR Breach Portal, 2023-2024 annual data]

$1.24M

Average cost of a healthcare data breach for organizations in the small-to-mid-size category, per industry research — driven primarily by notification, legal, and remediation costs.

[Source: Ponemon Institute, Cost of a Data Breach Report 2024]

High risk

Voicemail messages containing PHI — patient names, callback numbers, and symptoms — represent a documented and recurring HIPAA violation category in OCR enforcement cases.

[Source: HHS OCR Resolution Agreements, 2022-2024; Healthcare IT News coverage]

An AI receptionist that captures patient calls without a BAA does not eliminate the voicemail PHI risk — it moves it to a different system without the legal framework to handle it. This is precisely why VantaWeb chose to hold the HIPAA tier rather than ship it half-built.

What VantaWeb does not do (today, even on Apex)

VantaWeb does not currently provide:

  • A signed Business Associate Agreement on any plan
  • HIPAA Security Rule-grade audit logging
  • Encryption at rest on the call database
  • BAAs with the sub-processors in Anna's underlying AI infrastructure (telephony, AI inference, speech processing, real-time media, edge network, and related services)
  • A HIPAA risk assessment or compliance program documentation
  • SOC 2 Type 2 attestation

If you need any of the above, VantaWeb is not the right vendor for you today. We are working toward the HIPAA tier. When it launches, we will publish the full configuration, the BAA chain, and the third-party attestation.

FAQ

Is VantaWeb HIPAA compliant?

Not currently. We are honest about this: VantaWeb's HIPAA-compatible tier is in active development and is not available today. We do not currently sign Business Associate Agreements. HIPAA compliance is not a software certification (HHS does not issue one) — it is an operational state requiring signed BAAs with every sub-processor that touches PHI, documented Security Rule safeguards, and an ongoing program. We do not yet meet that bar. If your practice is a HIPAA covered entity, please contact us to be notified when the HIPAA tier launches.

Do you sign a Business Associate Agreement?

Not at this time. Our HIPAA-compatible tier is in active development and BAAs are not yet available on any current plan (Pulse $149/mo, Surge $299/mo, or Apex $599/mo). We do not recommend deploying VantaWeb for HIPAA-regulated workloads while BAA chains are not in place. Please contact us if your practice handles PHI — we will let you know when the HIPAA tier launches and discuss whether to wait or whether your specific use case has an interim path.

Where are call transcripts stored?

Call audio and transcripts are processed in real time and stored in VantaWeb's own infrastructure — a self-hosted Postgres database on our dedicated VPS. No call data is stored in third-party analytics or ad-tech platforms. Default transcript retention is 90 days. Encryption in transit (TLS 1.2 minimum) is enforced; encryption at rest on the database disk is on the HIPAA-tier roadmap but is not yet in place.

Can the AI hear PHI during a call?

Potentially, yes. When a patient calls a practice and says their name, date of birth, the nature of their condition, or their insurance details, that constitutes PHI under HIPAA. The AI receptionist processes that audio via speech-to-text and language model inference. This is precisely why VantaWeb does not currently recommend its platform for HIPAA-regulated workloads — the sub-processor BAA chain is not yet in place. If your practice processes PHI on inbound calls, please wait for our HIPAA tier launch or use an alternative until BAAs are formally signed.

Which practices currently use VantaWeb?

We currently work with non-HIPAA-regulated service businesses: HVAC, plumbing, roofing, electrical, contractors, automotive, salons, fitness studios, and similar verticals. We do not currently have HIPAA covered-entity practices on the platform because the BAA chain is not yet in place. Practices in dental, veterinary (with medical billing), chiropractic, medical spa (with covered services), optometry, and physical therapy verticals should contact us to be notified when our HIPAA tier launches.

Request early access to the HIPAA tier.

If your practice handles patient calls and you need an AI receptionist configured under a signed BAA, contact us to be notified when our HIPAA tier launches. We will not deploy you on the platform until the full BAA chain is signed and configuration is independently reviewed.