The bottom line
A HIPAA compliant chatbot is not a feature. It is a verifiable legal and technical posture. A vendor can apply the label to any software that sends patient information over the internet. The label means nothing without a signed Business Associate Agreement, documented encryption of PHI at rest and in transit, role-based access controls, immutable audit logs, and sub-processor coverage that extends to every third party that touches your patient data.
If a vendor cannot produce a BAA on request, describe their encryption architecture, name their sub-processors, and provide a data retention schedule aligned to HIPAA's 6-year documentation requirement, they are not HIPAA compliant. They are using the phrase as a marketing claim.
This post explains what HIPAA actually requires for patient-facing communication tools, why both chatbots and voice AI face identical compliance obligations the moment they collect identifiable patient information, and what questions practices should ask any vendor before a single call or message routes through their system.
What HIPAA actually requires for patient communication tools
HIPAA's Security Rule establishes three categories of safeguards for covered entities and their business associates: administrative, physical, and technical. Patient-facing communication tools sit at the intersection of all three, but the technical safeguards are where most chatbot and voice AI vendors fall short.
Technical safeguards: the non-negotiable floor
The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and their business associates to implement the following technical safeguards for any system that creates, receives, maintains, or transmits electronic PHI:
- Access controls: Unique user identification, automatic logoff, and encryption/decryption mechanisms. Role-based access ensures staff see only the PHI their role requires.
- Audit controls: Hardware, software, and procedural mechanisms to record and examine activity in systems containing PHI. Logs must be tamper-evident and retained per the practice's policies.
- Integrity controls: Mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner. This includes checksums and version control for stored records.
- Transmission security: Technical security measures to guard against unauthorized access to PHI transmitted over an electronic communications network. TLS 1.2 or higher is the current minimum; TLS 1.3 is preferred.
Encryption of PHI at rest is an addressable specification under the Security Rule, meaning covered entities must implement it or document why an equivalent alternative suffices. In practice, any reputable vendor will encrypt stored PHI using AES-256 or equivalent. If a vendor's security documentation does not state the encryption standard for data at rest, that is a gap to resolve before signing.
Administrative requirements: the BAA chain
Under HIPAA's Privacy Rule, any vendor that handles PHI on behalf of a covered entity is a business associate. Business associates must sign a Business Associate Agreement before any PHI flows through their system. This is not optional and it is not a formality. A BAA defines:
- What the business associate is permitted to do with PHI
- That the business associate will implement appropriate safeguards
- That the business associate will report breaches to the covered entity
- That the business associate will return or destroy PHI at termination of the agreement
- That sub-processors (sub-business associates) are bound by the same terms
Hello signs a Business Associate Agreement with your practice before PHI processing. A vendor that resists signing a BAA, delays signing until after deployment, or offers a "HIPAA addendum" in lieu of a proper BAA is not a viable option for patient communication infrastructure.
When your chatbot vendor uses a large language model provider, a cloud infrastructure provider, and a call recording storage service, each of those vendors is a sub-processor that handles your PHI. Your vendor must have signed BAAs with each sub-processor, and those sub-processors must be disclosed to you.
Asking a vendor "who are your sub-processors and do you have BAAs with each of them?" is not an unusual request. If the vendor cannot answer it, that is the answer.
Chatbot vs. voice AI: the compliance requirements are identical
Practices sometimes assume that a phone-based voice AI carries heavier compliance obligations than a text chatbot because calls feel more sensitive. The legal framework does not distinguish by modality. Both systems trigger identical HIPAA obligations the moment they collect information that qualifies as protected health information.
PHI is any individually identifiable health information held or transmitted by a covered entity or business associate. That threshold is crossed when a patient tells a chatbot or voice AI their name, date of birth, or appointment reason alongside any health-related information. It does not require a diagnosis or treatment detail.
There is one practical difference: voice AI typically handles higher PHI density per interaction. Patients share more in a live conversation than they type into a text widget. A single two-minute phone call may include a patient's name, date of birth, reason for calling, insurance carrier, referring provider, and medication name. Each data point that can be linked to an identifiable individual and a health context is PHI under the HIPAA definition.
For a broader look at what security actually means for phone-based AI, see how secure an AI receptionist is for sensitive business calls. The security architecture that post describes applies equally to text-based chatbots.
Sub-processor coverage: the compliance gap most practices miss
A chatbot or voice AI is not a single system. It is a stack of services, and PHI flows through each layer. A typical patient-facing AI communication stack includes:
| Layer | Example function | PHI exposure | BAA required |
|---|---|---|---|
| Voice or chat infrastructure | Call routing, real-time transcription | Full conversation content | Yes |
| Large language model provider | Intent classification, response generation | Patient statements, context passed in prompt | Yes |
| Cloud infrastructure | Compute, storage, database | Stored PHI, logs, transcripts | Yes |
| Call recording storage | Audio archive for audit and QA | Full audio PHI | Yes |
| PMS or EHR integration layer | Scheduling, chart lookup, eligibility | Appointment data, demographics, history | Yes |
When evaluating any vendor, ask for a complete sub-processor list and confirm that the vendor holds signed BAAs with each. Also confirm that the vendor's BAA with you extends sub-processor obligations downstream, meaning if a sub-processor is breached, the vendor is accountable to you under the same BAA terms.
For a detailed evaluation of what to look for in a HIPAA compliant AI answering service, including sub-processor questions and contract language review, see what to look for in a HIPAA compliant AI answering service.
Data retention: the 6-year requirement practices overlook
HIPAA requires covered entities to retain documentation of their HIPAA policies and procedures for 6 years from the date of creation or the date when the documentation was last in effect, whichever is later. This includes policies governing your patient communication tools, the BAA you signed with your vendor, and records of any training related to those systems.
The 6-year retention requirement applies to compliance documentation, not necessarily to call recordings or chat transcripts themselves (those retention periods are governed by state law and may vary). But the policies under which those recordings are kept, accessed, and deleted must be documented and retained for 6 years.
When evaluating a chatbot or voice AI vendor, ask:
- How long are call recordings and chat transcripts stored?
- Can we configure retention periods to align with our state requirements?
- How are recordings and transcripts deleted at end of retention period?
- Can we export our data if we terminate the agreement?
- What format is data returned in, and is it PHI-complete?
Practices that switch vendors mid-contract and cannot export their call data or compliance documentation are in a worse position than those who never had the system. Data portability is a compliance requirement, not a feature request.
SOC 2 Type II: a strong assurance signal, not a HIPAA substitute
SOC 2 Type II certification means an independent assessor reviewed the vendor's controls for security, availability, processing integrity, confidentiality, and privacy over an audit period (typically 6 to 12 months) and confirmed they operated effectively. It is a meaningful signal that the vendor takes security seriously and has the operational discipline to sustain controls under examination.
It is not a HIPAA compliance certification. HIPAA has no formal certification process. A vendor can hold SOC 2 Type II and still be non-compliant with HIPAA if they lack a signed BAA, have inadequate PHI encryption, or cannot produce audit logs that meet the Security Rule's requirements.
The most reliable vendors hold both: a clean SOC 2 Type II report and the ability to sign a full BAA with documented technical safeguards. The SOC 2 report tells you how the vendor operates internally. The BAA and technical safeguards documentation tells you how PHI is protected in your specific deployment. Require both.
You can review Hello's security posture, including our approach to BAA execution, encryption architecture, and audit logging, at our security page.
Before accepting any vendor's HIPAA compliance claim, ask four questions:
1. Will you sign a BAA today, before any PHI flows through your system? If the answer is anything other than yes, stop the evaluation.
2. Who are your sub-processors and do you have signed BAAs with each? Require a written list. Verbal assurances are not sufficient.
3. What is your encryption standard for PHI at rest and in transit? AES-256 at rest and TLS 1.3 in transit is the current standard. Anything weaker requires justification.
4. Can you provide your most recent SOC 2 Type II report or a security attestation document? A vendor that cannot provide written evidence of their security controls is asking you to trust a marketing claim.
Vendor evaluation checklist
Use this checklist when evaluating any chatbot or voice AI vendor for healthcare patient communication. Each item should be verifiable in writing before you sign a contract or allow PHI to flow through the system.
- Vendor will sign a full BAA before any PHI flows through their system
- Vendor has identified all sub-processors in writing and holds signed BAAs with each
- PHI is encrypted at rest using AES-256 or equivalent
- PHI is encrypted in transit using TLS 1.2 minimum (TLS 1.3 preferred)
- Role-based access controls are implemented with unique user identification
- Audit logs are immutable, tamper-evident, and retained per your documented policy
- Vendor can describe their breach notification procedure and timeline
- Data retention periods are configurable and aligned to state requirements
- PHI can be exported in a usable format at contract termination
- Vendor holds SOC 2 Type II certification or equivalent third-party security attestation
- Vendor's BAA covers sub-processor obligations downstream
- Vendor can describe how PHI is destroyed at end of retention period
This checklist mirrors the framework we use when onboarding practices at Hello. Implementation takes about 10 business days for a standard single-location practice, and the BAA is signed at the start of that process, not at the end.
FAQ
Does a HIPAA compliant chatbot need a Business Associate Agreement?
Yes. Any chatbot or voice AI that handles protected health information on behalf of a covered entity is a business associate under HIPAA. The vendor must sign a BAA with your practice before any PHI flows through their system. A vendor that declines to sign a BAA is not a viable option for healthcare patient communication, regardless of any other marketing claims they make about compliance. Hello signs a Business Associate Agreement with your practice before PHI processing.
What is the difference between a HIPAA compliant chatbot and a HIPAA compliant voice AI?
From a compliance standpoint, the requirements are identical: signed BAA, PHI encryption at rest and in transit, role-based access controls, audit logging, and sub-processor coverage. The difference is in modality. A chatbot handles text interactions, while a voice AI handles phone calls. Both collect patient information that qualifies as PHI the moment it includes identifiable data alongside health information. Voice AI typically handles higher PHI density per interaction because patients share more in a live conversation than they type into a chat widget.
Is SOC 2 Type II certification the same as HIPAA compliance?
No. SOC 2 Type II is a security framework audited by an independent assessor, confirming that a vendor's controls for security, availability, processing integrity, confidentiality, and privacy meet defined criteria over an audit period. It is a strong assurance signal and many HIPAA-compliant vendors pursue both, but SOC 2 Type II does not certify HIPAA compliance. HIPAA has no formal certification process: compliance is a legal obligation enforced by HHS. A vendor can hold SOC 2 Type II and still lack a signed BAA or adequate PHI encryption. Require both: a BAA plus evidence of the technical safeguards HIPAA mandates.
HIPAA compliance for patient-facing communication tools is verifiable. It is not a vendor's word, a checkbox on a features page, or a claim in a sales deck. It is a BAA, a sub-processor list, an encryption architecture, audit logs, and a data retention policy. If you cannot see those four things in writing from a vendor, you cannot verify the claim.
Every practice that deploys a chatbot or voice AI without confirming these safeguards is accepting regulatory and reputational risk on behalf of a vendor's marketing language. That is not a compliance posture. It is a gap waiting to become a breach notification.