
HIPAA Compliance

Last updated: March 25, 2026

1. Our commitment

At receptionists, we understand that healthcare providers and related businesses handle sensitive patient information. We are committed to building and operating our platform in a way that supports your compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA). This page describes the measures we take and the responsibilities we share with you.

2. What HIPAA means for our service

When our AI receptionist handles calls for a healthcare provider, it may process Protected Health Information (PHI) such as patient names, appointment details, and reason-for-visit information. Under HIPAA, we act as a Business Associate when processing PHI on your behalf.

This means we are required to implement appropriate safeguards, limit how we use and disclose PHI, and support your compliance efforts as a Covered Entity.

3. Safeguards we implement

3.1 Technical safeguards

  • Encryption in transit: all data transmitted between your callers, our platform, and your systems is encrypted using TLS 1.2 or higher.
  • Encryption at rest: call recordings, transcripts, and any stored PHI are encrypted at rest using AES-256 encryption.
  • Access controls: access to systems that process PHI is restricted through role-based access controls, unique user IDs, and multi-factor authentication for our team.
  • Audit logging: we maintain logs of access to PHI, including who accessed it, when, and what actions were taken. These logs are retained and available for review.
  • Automatic session management: idle sessions are terminated automatically to reduce unauthorized access risk.

3.2 Administrative safeguards

  • Workforce training: team members with access to systems that handle PHI receive HIPAA awareness training.
  • Risk assessments: we conduct regular risk assessments to identify and address potential vulnerabilities.
  • Policies and procedures: we maintain written policies governing the use, disclosure, and protection of PHI.
  • Vendor management: third-party vendors that may access PHI are evaluated for HIPAA compliance and are required to sign Business Associate Agreements.

3.3 Physical safeguards

Our infrastructure is hosted on cloud providers that maintain SOC 2 Type II and HIPAA-compliant data centers with physical access controls, environmental protections, and 24/7 monitoring.

4. Business Associate Agreement (BAA)

If your organization is a HIPAA Covered Entity or Business Associate, we will execute a Business Associate Agreement (BAA) with you before processing any PHI through our platform. The BAA outlines our obligations, permitted uses and disclosures of PHI, breach notification procedures, and termination requirements. To request a BAA, contact us at the address listed in Section 9.

5. Shared responsibility

HIPAA compliance is a shared responsibility. While we provide the technical and administrative safeguards described above, you are responsible for:

  • Determining whether your use of our platform involves PHI and whether a BAA is required.
  • Configuring your account settings appropriately (for example, data retention periods and access permissions for your team).
  • Ensuring that the information your AI receptionist is instructed to collect and share complies with your own HIPAA policies.
  • Providing required notices to patients about how their information is handled.
  • Training your own workforce on HIPAA requirements related to using our platform.

6. Call data handling

  • Call recordings: stored encrypted and accessible only to authorized users on your account. You control retention periods and can delete recordings at any time.
  • Transcripts: generated to provide the service (for example, appointment booking confirmation). Stored with the same encryption and access controls as recordings.
  • AI model training: we do not use your call recordings or transcripts to train AI models unless you explicitly opt in. PHI is never used for model training.
  • Data deletion: when you delete a recording or close your account, data is permanently removed from our systems within 30 days, including backups.

7. Breach notification

In the event of a security incident involving unauthorized access to, use of, or disclosure of PHI, we will notify you without unreasonable delay and no later than 60 days after discovery, as required by HIPAA. Our notification will include a description of the incident, the types of information involved, the steps we are taking to investigate and mitigate the breach, and recommendations for actions you can take to protect affected individuals.

8. Ongoing compliance

HIPAA compliance is not a one-time effort. We continuously review and update our security practices, conduct regular risk assessments, and stay informed about regulatory changes. We are committed to maintaining the trust you place in us when you choose receptionists to handle calls for your practice.

9. Contact us

If you have questions about our HIPAA compliance practices, need to request a BAA, or want to report a security concern, contact us at:

receptionists
Email: hello@receptionists.io

© 2026 receptionists. All rights reserved.