The bottom line
Most AI answering services are not HIPAA compliant. They store call recordings and transcripts for 30 days or less, lack immutable audit logs, and cannot meet the 6-year data retention mandate under 45 CFR 164.530(j). If your practice routes patient calls through a voice AI platform, you need a compliance layer between that platform and your practice, or you are accepting regulatory exposure with every call.
This guide covers what to verify, where the major voice AI platforms fall short, and how Hello Mercury fills the gap between your voice agent and HIPAA compliance.
A HIPAA-compliant AI answering service is a voice AI system that satisfies HIPAA Security Rule and Privacy Rule requirements for handling Protected Health Information (PHI), including encryption in transit and at rest, access controls, immutable audit logging, 6-year minimum data retention, and a signed Business Associate Agreement (BAA).
This guide is for healthcare practices that use or are evaluating AI voice agents for patient scheduling, intake, or after-hours coverage, and need to verify that their provider meets actual HIPAA requirements. It does not cover traditional human answering services. For that comparison, see AI answering service vs. traditional medical answering service.
Why most voice AI platforms fall short on HIPAA compliance
Voice AI platforms like Vapi, Synthflow, Bland AI, and Retell AI were built for speed-to-market. They optimize for low-latency conversation, fast deployment, and developer flexibility. These are genuine strengths for general-purpose voice agents.
They are not the same as HIPAA compliance.
HIPAA requires specific technical safeguards under 45 CFR 164.312 that most voice platforms either partially implement or skip entirely:
- Encryption: TLS 1.2+ for data in transit, strong encryption at rest with post-quantum-ready key management
- Access controls: Role-based access, unique user identification, automatic logoff
- Audit controls: Hardware, software, and procedural mechanisms to record and examine access to PHI
- Integrity controls: Mechanisms to authenticate PHI and prevent improper alteration
- Transmission security: Protection against unauthorized access during electronic transmission
The gap is widest in two areas: data retention and audit logging. For a detailed look at what separates real compliance infrastructure from paper compliance in AI voice systems, see how secure is an AI receptionist for sensitive business calls.
The 6-year retention problem
This is the compliance gap most practices miss entirely.
Under 45 CFR 164.530(j), covered entities must retain HIPAA-related documentation for six years from the date of creation or the date it was last in effect. This includes policies, procedures, actions, activities, and assessments. Call recordings and transcripts from patient interactions qualify as documentation of actions tied to patient care administration.
Most voice AI platforms do not come close:
| Provider | HIPAA Mode Behavior | Default Retention | 6-Year Retention? |
|---|---|---|---|
| Vapi | Disables all storage (0 days) | 7-30 days (planned) | No |
| Synthflow | Optional 30-day auto-delete | Configurable, no long-term | No |
| Retell AI | Configurable auto-delete | User-set (measured in days) | No |
| Bland AI | Self-hosted infrastructure | Not specified | User responsibility |
| Hello Mercury | Encrypted storage (industry-standard algorithms) | 6+ years with automated archival | Yes |
Vapi's approach illustrates the problem clearly: when you enable HIPAA mode, the platform stops storing call logs, recordings, and transcripts entirely. End-of-call reports are generated on your server. The platform retains nothing. This shields Vapi from HIPAA liability, but it also means your practice has zero compliance documentation from the platform. You get a clean call and no record of it.
Synthflow offers a 30-day retention toggle built for GDPR data minimization. Useful for European privacy compliance. It is the opposite of what HIPAA requires. HIPAA mandates that you keep the records, not delete them.
Retell AI lets you configure auto-delete measured in days. There is no built-in pathway to 6-year retention, and the platform's privacy controls focus on PII scrubbing, not long-term archival.
Bland AI takes a self-hosted approach where the infrastructure runs in your environment. This gives you data sovereignty, but retention is entirely your responsibility. If your team does not configure long-term storage with encryption and access controls, you have compliance exposure.
The audit trail gap
HIPAA's audit controls (45 CFR 164.312(b)) require mechanisms to record and examine access to PHI. This means immutable logs that capture who accessed what data, when, and what they did with it.
Most voice AI platforms provide execution logs that tell you a call happened. They do not provide the kind of audit trail a compliance officer or OCR (Office for Civil Rights) auditor would accept: correlation IDs linking every data access event across systems, SHA-256 hashed identifiers instead of plaintext PHI, and retention policies measured in years, not days.
If your practice uses any of these platforms to handle patient calls, you are generating PHI with every interaction and storing it in infrastructure that was not designed for regulated data. Practices handling substance use disorder patients face an additional layer of complexity under the 2026 changes to 42 CFR Part 2, which now align SUD data protections with HIPAA enforcement.
The HIPAA compliance checklist for AI answering services
Before selecting or continuing with a voice AI provider for patient communications, verify each of these requirements:
| Requirement | What to verify | Why it matters |
|---|---|---|
| Business Associate Agreement | Signed BAA before any PHI is transmitted | Without a BAA, the vendor is not legally bound to protect PHI |
| Encryption in transit | TLS 1.2+ (preferably TLS 1.3) on all endpoints | Prevents interception of patient data during transmission |
| Encryption at rest | Strong encryption at rest for stored transcripts, recordings, metadata | Protects data if storage systems are compromised |
| Data retention | 6+ year minimum with automated archival | Required under 45 CFR 164.530(j) |
| Immutable audit logs | Append-only logs with correlation IDs, no plaintext PHI | Required under 45 CFR 164.312(b), essential for audits |
| PHI redaction | Automatic detection and masking in transcripts and logs | Reduces exposure surface in stored data |
| SOC 2 Type II | Annual third-party audit of security controls | Validates controls are operational, not just documented |
| Data residency | US-based storage in known AWS, GCP, or Azure regions | Ensures data stays within jurisdictions your BAA covers |
| 42 CFR Part 2 readiness | SUD keyword detection, segregated audit trails | Required for practices treating substance use disorder patients |
| Access controls | Role-based access, unique user IDs, MFA | Limits PHI exposure to authorized personnel |
A practice that checks every item on this list is not over-preparing. It is meeting the baseline that 45 CFR 164 requires. The problem is that most voice AI platforms were not built to pass this checklist. They were built to make phone calls.
How Hello Mercury fills the compliance gap
The problem is not that Vapi, Synthflow, Bland AI, and Retell AI are bad products. They are fast, capable, and improving. The problem is that they were not built to be compliance infrastructure for regulated industries.
Hello Mercury is.
Mercury is the compliance and infrastructure layer that sits between any voice AI platform and your practice. It receives post-call data from whatever voice agent platform you use (Synthflow, Vapi, Bland AI, Retell AI, or any platform that fires webhooks after calls), stores it with HIPAA-mandated encryption and 6+ year retention, runs automated compliance scanning, and provides audit-ready reporting.
How Mercury works
- Your voice AI platform handles the patient call (scheduling, intake, triage, after-hours coverage)
- After the call completes, the platform sends call data to Mercury via a secure webhook (HTTPS with signature verification)
- Mercury stores the transcript, encrypted with industry-standard algorithms, in PostgreSQL with per-tenant encryption keys managed by AWS KMS
- Mercury's policy engine scans the interaction for compliance violations: PHI exposure in unprotected fields, FTC AI disclosure requirements, 42 CFR Part 2 SUD data, and FDA claims
- If a violation is detected, Mercury generates a real-time alert to the compliance team
- All events are logged to an immutable audit trail with correlation IDs, SHA-256 hashed identifiers, and no plaintext PHI
- Your compliance team accesses the Mercury dashboard for call logs, compliance reports, and audit evidence packaging
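The webhook hand-off and audit-trail steps above (and the same integration as described in the FAQ further down) as an added Python example; this is not Mercury's code. It assumes an HMAC-SHA256 signature over a timestamp plus the raw body, header names X-Timestamp and X-Signature, a constructed sample payload, and a hash-chained append-only log, none of which the page specifies.

```python
import hashlib, hmac, json, time, uuid

# Constructed for this example: not Mercury's real secret, header names or payload schema.
WEBHOOK_SECRET = b"example-shared-secret"
MAX_SKEW_SECONDS = 300  # deliveries older than this are treated as replays
GENESIS = "0" * 64
SAMPLE_BODY = b'{"tenant_id": "clinic-42", "call_id": "call-0001", "caller_number": "+15550100", "transcript": "..."}'

def sign(timestamp, body, secret=WEBHOOK_SECRET):  # HMAC-SHA256 over "timestamp.body"; the timestamp limits replay
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

def verify_signature(timestamp, body, signature_hex, secret=WEBHOOK_SECRET):
    if abs(time.time() - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(timestamp, body, secret), signature_hex)  # constant-time compare

def hashed_id(tenant_id, value):  # tenant-scoped SHA-256: correlate without storing the raw identifier
    return hashlib.sha256(f"{tenant_id}:{value}".encode()).hexdigest()
def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append_record(log, event):
    """Append-only, hash-chained log: each record commits to the previous record's hash."""
    rec = {"prev_hash": log[-1]["record_hash"] if log else GENESIS, **event}
    rec["record_hash"] = _digest(rec)
    log.append(rec)
    return rec

def verify_chain(log):  # recompute every hash; an edited, removed or reordered record breaks the chain
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True

def ingest(log, headers, body):
    """Webhook receiver: reject bad signatures; log hashed identifiers only, never the transcript."""
    if not verify_signature(headers["X-Timestamp"], body, headers["X-Signature"]):
        append_record(log, {"event": "webhook.rejected", "reason": "bad_signature"})
        return None
    call, corr = json.loads(body), str(uuid.uuid4())  # correlation id shared by storage and scanning
    append_record(log, {"event": "call.ingested", "correlation_id": corr, "tenant_id": call["tenant_id"],
                        "call_id_hash": hashed_id(call["tenant_id"], call["call_id"]),
                        "caller_hash": hashed_id(call["tenant_id"], call["caller_number"])})
    return corr

def signed_headers(body, timestamp=None):  # what the sending platform would attach
    ts = str(int(time.time()) if timestamp is None else timestamp)
    return {"X-Timestamp": ts, "X-Signature": sign(ts, body)}
```

A rejected or stale delivery is itself logged, so the audit trail records attempted as well as successful ingestion; the transcript and caller number never appear in the log in plaintext.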
Mercury does not replace your voice AI platform. It makes your voice AI platform compliant. Your front desk staff continues working with the voice agent they already use. Mercury operates in the background, storing, scanning, and logging every interaction so the compliance documentation exists when your practice needs it. If your current answering service is not handling this layer, it may already be losing you patients through operational gaps.
What Mercury provides that voice AI platforms do not
| Capability | Typical Voice AI Platform | Hello Mercury |
|---|---|---|
| Transcript storage | 7-30 days (often deleted) | 6+ years, encrypted with industry-standard algorithms |
| Encryption at rest | Varies by provider | Industry-standard encryption at rest, per-tenant keys via AWS KMS |
| Immutable audit logs | Execution logs (30-90 days) | PostgreSQL immutable records, 6+ year retention, correlation IDs |
| PHI redaction | Some (optional toggle) | Automatic detection and redaction before storage |
| Compliance scanning | None | Automated policy engine (HIPAA, FTC, 42 CFR Part 2, FDA) |
| Violation alerting | None | Real-time alerts for compliance violations |
| BAA chain | Single BAA (platform only) | Full chain: Mercury, AWS EKS, RDS, ElastiCache, KMS |
| Data residency | Varies, often unspecified | AWS US regions, dedicated VPC |
| 42 CFR Part 2 | Not supported | SUD keyword detection, segregated audit trails |
Mercury works with any voice AI platform that fires webhooks after calls. One integration. Full HIPAA compliance documentation. 6+ year retention. Audit-ready from day one.
The callback trap costs practices revenue through missed calls. The compliance gap costs practices through regulatory exposure. Both are infrastructure problems with infrastructure solutions.
FAQ
Does my voice AI provider's BAA make them HIPAA compliant?
A BAA is necessary but not sufficient. A BAA is a legal contract that establishes the vendor as a Business Associate and obligates them to protect PHI. It does not mean the vendor's infrastructure actually meets HIPAA technical safeguards. If the vendor signs a BAA but stores transcripts for 30 days and deletes them, you lose your compliance documentation. If they sign a BAA but lack immutable audit logs, you cannot produce evidence during an OCR audit. The BAA creates legal obligation. The infrastructure fulfills it.
What data retention period does HIPAA require for call recordings?
HIPAA requires covered entities to retain documentation related to HIPAA compliance for a minimum of six years under 45 CFR 164.530(j). Call recordings, transcripts, and metadata from patient interactions are documentation of administrative actions tied to patient care. Most voice AI platforms store this data for 30 days or less. Hello Mercury stores it for 6+ years with strong encryption in transit and at rest, post-quantum-ready key management, and automated archival to long-term storage.
Can I use Synthflow, Vapi, Bland AI, or Retell AI in a HIPAA-regulated practice?
Yes, but not alone. These platforms handle the voice conversation. They do not handle the compliance documentation, long-term retention, audit logging, and policy enforcement that HIPAA requires. Mercury sits between the voice platform and your practice to provide these capabilities. Your voice agent handles the call. Mercury handles the compliance.
What happens during an OCR audit if my call recordings were auto-deleted after 30 days?
You cannot produce the documentation. Under 45 CFR 164.530(j), failure to retain required documentation is itself a violation. An OCR investigator may request call logs, transcripts, access records, and security incident reports going back years. If your voice AI platform deleted this data after 30 days, you have a documentation gap that may result in corrective action or civil monetary penalties. Mercury's 6-year retention with immutable audit trails ensures the evidence exists when you need it.
How does Mercury work with my existing voice AI platform?
Mercury integrates via webhooks. After each call, your voice AI platform (Synthflow, Vapi, Bland AI, Retell AI, or any platform that supports post-call webhooks) sends call data to Mercury's ingestion endpoint. Mercury validates the payload, identifies the tenant, stores the encrypted transcript, runs compliance scanning, and logs the event. The integration requires a webhook URL and signature secret on the voice platform side. Mercury handles everything else.
If your practice uses an AI answering service to handle patient calls, the voice platform handles the conversation. The compliance infrastructure handles everything else. That infrastructure is Hello Mercury.