Security at Hello
Enterprise-grade security with HIPAA coverage is the foundation of every AI voice agent we deploy. Your patients' data is protected at every layer. Hello is a HIPAA-covered AI phone system built from the ground up with healthcare-grade encryption, tenant isolation, and audit controls.
Compliance evidence layer: For Agent Work Receipt, the compliance and audit layer that governs AI agent interactions alongside Hello Voice, see Agent Work Receipt.
- Our Security Commitment
- Hello Voice, Agent Work Receipt, and compliance scope
- HIPAA Compliance
- Data Encryption
- Access Controls
- Infrastructure Security
- Network Security
- Tenant Isolation
- Application Security
- AI Safety and Guardrails
- Incident Response
- Vendor and Third-Party Security
- Employee Security
- Data Retention and Disposal
- Business Continuity
- Responsible Disclosure
- Contact and Documentation Requests
1. Our Security Commitment
Hello handles sensitive healthcare communications every day. Our AI voice agents answer patient calls, book appointments, collect deposits, and interact with EHR/PMS systems on behalf of healthcare practices. This responsibility demands the highest standard of security.
Security is not a feature we add after the fact. It is built into every layer of our platform, from the way we architect infrastructure to the way we train our team. We operate under the principle that protecting patient data is non-negotiable.
Security overview: HIPAA infrastructure with Business Associate Agreements for all Clients. encryption at rest with post-quantum-ready key management. TLS 1.2+ in transit. Role-based access controls. Complete audit trails. Multi-provider redundancy. Strict tenant isolation between practices.
2. Hello Voice, Agent Work Receipt, and compliance scope
Hello ships as two products that share one security program: Hello Voice (patient-facing voice workflows) and Agent Work Receipt (compliance evidence layer for AI agent interactions). This section explains how security and HIPAA controls apply to each, and what that means operationally for your practice.
2.1 Operational meaning of HIPAA
When Hello describes its offering as HIPAA, we mean that administrative, physical, and technical safeguards are designed and operated so that protected health information (PHI) can be handled under a Business Associate Agreement (BAA) in line with the HIPAA Security Rule. HIPAA is not a generic marketing label. It implies documented safeguards, workforce training, access control, encryption, auditability, vendor management, and incident response appropriate to the risk posed by voice-mediated PHI in production healthcare workflows.
2.2 What Hello Voice covers
Hello Voice is the layer patients experience: inbound and outbound calls, scheduling, deposits, routing, and integration-driven actions against your EHR or practice management system. Security controls for Voice include encrypted transport and storage for audio and transcripts; tenant isolation; role-based access for your staff; configurable retention for recordings; AI guardrails and escalation; and integration connections that are scoped and authenticated.
2.3 What Agent Work Receipt covers
Agent Work Receipt is the compliance evidence layer that enforces policy on AI agent interactions in regulated contexts: compliance-oriented logging, encrypted retention for audit and evidence packaging, policy checks aligned to your rules, and webhook or API ingestion from Hello Voice or compatible external agent platforms. Agent Work Receipt extends the same architectural discipline (isolation, encryption, least privilege) to metadata and payloads that flow through compliance workflows.
| Topic | Hello Voice | Agent Work Receipt |
|---|---|---|
| Primary role | Execute patient-facing voice workflows with your practice configuration | Apply retention, audit, and policy controls across agent interactions |
| Typical PHI-bearing artifacts | Call audio, real-time transcripts, scheduling and intake payloads synced to integrated systems | Structured logs, compliance scan results, encrypted archival copies where configured |
| Contractual posture | Covered under Hello’s BAA framework as part of deployment; Agent Work Receipt may be embedded with Voice or addressed per deployment. Request current agreements through Contact and Documentation Requests. | |
| Where to read more | Implementation tiers, product overview | Agent Work Receipt overview |
Plain-language boundary: Hello Voice executes the conversation and operational tasks. Agent Work Receipt is where durable compliance evidence is enforced and recorded for those executions (and, where applicable, for other AI agents you connect). Both run on the same security and infrastructure standards described in the rest of this page.
3. HIPAA Compliance
3.1 Business Associate Agreements
Hello executes a Business Associate Agreement (BAA) with every healthcare practice Client before processing any Protected Health Information (PHI). The BAA formally establishes Hello's obligations under HIPAA and defines the permitted uses and disclosures of PHI.
3.2 HIPAA Safeguards
Hello implements all three categories of HIPAA safeguards:
| Safeguard Type | Measures |
|---|---|
| Administrative | Security management process, workforce training, access management policies, security incident procedures, contingency planning, regular risk assessments, designated Security Officer |
| Physical | Data center facility access controls, workstation security policies, device and media controls, visitor access management |
| Technical | Unique user identification, emergency access procedures, automatic log-off, encryption (at rest and in transit; TLS 1.2+ in transit; post-quantum-ready key management), audit controls, integrity controls, transmission security |
3.3 Minimum Necessary Standard
Hello limits access to PHI to the minimum amount necessary to accomplish the intended purpose. AI voice agents collect only the information required to fulfill the caller's request. Internal access to PHI is restricted to authorized personnel on a need-to-know basis.
3.4 Risk Assessments
Hello conducts comprehensive security risk assessments at least annually, and whenever significant changes are made to our infrastructure or processes. Risk assessments evaluate potential threats to the confidentiality, integrity, and availability of ePHI and identify appropriate mitigation measures.
4. Data Encryption
4.1 Encryption in Transit
All data transmitted between systems is encrypted using TLS 1.2 or higher. This includes:
- Website traffic (HTTPS enforced site-wide)
- API communications between Hello services and third-party integrations
- Voice data streams between telephony providers and the Hello platform
- Data synchronization with Client EHR/PMS systems
- Internal service-to-service communication within the Hello platform
4.2 Encryption at Rest
All stored data is encrypted at rest using industry-standard algorithms; key management is post-quantum-ready where deployed, including:
- Call recordings and audio files
- Call transcripts and conversation logs
- Patient and caller information
- Client practice data and configurations
- Database backups and snapshots
- Log files containing sensitive information
4.3 Key Management
Encryption keys are managed through cloud-native key management services with hardware security module (HSM) backing. Keys are rotated on a regular schedule, and access to key management systems is restricted to senior engineering personnel with multi-factor authentication.
5. Access Controls
5.1 Role-Based Access Control (RBAC)
The Hello platform implements granular role-based access controls. Every user, whether a Client staff member or a Hello employee, is assigned a specific role with the minimum permissions necessary to perform their function. Roles include:
- Practice Administrator: Full access to practice settings, agent configuration, and analytics
- Staff Member: Access to call logs, schedules, and patient-facing data relevant to their role
- Read-Only: View-only access to analytics and reports without modification privileges
- Hello Support: Scoped access for troubleshooting, granted per-request with Client authorization
5.2 Authentication
- Multi-factor authentication (MFA): Required for all administrative access to the Hello platform and internal systems
- Session management: Automatic session timeout after periods of inactivity
- Password policy: Minimum complexity requirements enforced, with regular rotation for privileged accounts
- Single sign-on (SSO): Available for Hello Enterprise Clients
5.3 Audit Trails
Every action within the Hello platform is logged with an immutable audit trail, including:
- User login and logout events
- Data access and modification events
- Configuration changes to AI voice agents
- Administrative actions (user creation, role changes, permission grants)
- API calls to and from integrated systems
Audit logs are retained for a minimum of 6 years in accordance with HIPAA requirements and are available to Clients upon request.
6. Infrastructure Security
6.1 Cloud Infrastructure
Hello operates on enterprise-grade cloud infrastructure from leading providers with SOC 2 Type II, ISO 27001, and HIPAA compliance certifications. Our infrastructure is hosted in geographically distributed data centers within the United States.
6.2 Multi-Provider Architecture
Hello maintains a multi-provider architecture to eliminate single points of failure. This includes redundancy across:
- Telephony providers: Multiple carrier-grade SIP providers ensure calls always connect
- AI/LLM providers: Primary and secondary AI stacks with automatic failover
- Cloud infrastructure: Multi-region deployment with automated disaster recovery
For detailed information about our redundancy and failover architecture, see our Business Continuity and SLA page.
6.3 Monitoring
Our infrastructure is monitored continuously with automated alerting for:
- System health and performance metrics
- Security anomalies and suspicious activity
- Resource utilization and capacity thresholds
- Provider status and degradation detection
7. Network Security
- Firewall protection: Network-level and application-level firewalls restrict traffic to authorized sources and destinations
- DDoS mitigation: Enterprise-grade distributed denial-of-service protection is active on all public-facing endpoints
- Intrusion detection: Network and host-based intrusion detection systems monitor for unauthorized access attempts
- Network segmentation: Internal networks are segmented to isolate sensitive systems and limit lateral movement in the event of a breach
- VPN access: All remote administrative access to production systems requires encrypted VPN connections with MFA
8. Tenant Isolation
Hello operates a multi-tenant platform with strict data isolation between healthcare practice Clients:
- Logical isolation: Each Client's data is logically separated at the database level. Queries and API calls are scoped to the authenticated Client's data partition.
- No cross-tenant access: It is architecturally impossible for one Client to access another Client's data, call recordings, transcripts, or configurations.
- Isolated AI contexts: Each Client's AI voice agent operates with its own knowledge base, configuration, and conversation context. No data leaks between practices.
- Separate encryption keys: Client data is encrypted with tenant-specific keys where applicable.
9. Application Security
9.1 Secure Development Lifecycle
Hello follows a secure software development lifecycle (SDLC) that includes:
- Security-focused code reviews for all changes to production systems
- Static application security testing (SAST) integrated into the development pipeline
- Dynamic application security testing (DAST) performed on staging environments
- Dependency vulnerability scanning with automated alerting for known CVEs
- Separation of development, staging, and production environments
9.2 Penetration Testing
Hello engages independent third-party security firms to conduct penetration testing at least annually. Testing scope includes network, application, and API layers. Critical findings are remediated within 48 hours; high-severity findings within 7 days.
9.3 Vulnerability Management
We maintain a continuous vulnerability management program that includes automated scanning, risk-based prioritization, and defined SLAs for remediation:
| Severity | Remediation SLA |
|---|---|
| Critical (CVSS 9.0+) | 48 hours |
| High (CVSS 7.0-8.9) | 7 days |
| Medium (CVSS 4.0-6.9) | 30 days |
| Low (CVSS 0.1-3.9) | 90 days |
10. AI Safety and Guardrails
Hello AI voice agents operate within strict safety boundaries to protect patients and practices:
10.1 Conversation Guardrails
- Max call duration: Configurable limits prevent calls from running indefinitely
- Turn limits: Maximum conversation turns prevent endless loops
- Confusion detection: Low-confidence streaks trigger automatic escalation to human staff
- Topic boundaries: AI agents are restricted to configured topics and cannot provide medical advice, diagnoses, or treatment recommendations
10.2 Action Restrictions
Each deployment includes configurable action policies that define exactly what the AI can and cannot do:
- Permitted: Schedule appointments, collect deposits, answer FAQs, route calls, send confirmations
- Restricted: Modify billing records, access clinical notes, make medical recommendations, share PHI with unauthorized parties
10.3 Human Escalation
The platform includes automatic and manual escalation paths to human operators. Escalation triggers include caller request, confusion detection, out-of-scope topics, and emergency situations. Full conversation context is preserved during handoff.
10.4 AI Model Data Usage
Hello does not train AI models on individual patient data. Conversation data is used solely for the purpose of delivering the Service to the specific Client. Aggregated, de-identified data may be used for platform-wide quality improvements.
11. Incident Response
11.1 Incident Response Plan
Hello maintains a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident review. The plan is tested and updated at least annually.
11.2 Response Timeline
| Phase | Timeline |
|---|---|
| Detection and Triage | Within 1 hour of detection |
| Initial Assessment | Within 4 hours |
| Client Notification (if PHI affected) | Without unreasonable delay, no later than 60 days per HIPAA |
| Containment | Immediately upon confirmed threat |
| Post-Incident Review | Within 14 days of resolution |
11.3 Breach Notification
In the event of a breach of unsecured PHI, Hello will notify the affected Client without unreasonable delay and no later than 60 calendar days after discovery, in accordance with HIPAA Breach Notification Rules (45 CFR Part 164, Subpart D). The notification will include the nature of the breach, the types of information involved, steps taken to mitigate harm, and recommended actions for the Client.
12. Vendor and Third-Party Security
Hello evaluates all third-party service providers for security and compliance before integration:
- Due diligence: Vendors handling PHI must demonstrate HIPAA compliance and execute Business Associate Agreements
- Security assessments: Vendors are evaluated for SOC 2, ISO 27001, or equivalent certifications
- Ongoing monitoring: Vendor security posture is reviewed annually and upon notification of any material change
- Data minimization: Only the minimum necessary data is shared with each vendor to fulfill its function
- Contractual controls: All vendor agreements include data protection obligations, breach notification requirements, and termination provisions
13. Employee Security
- Background checks: All employees and contractors undergo background screening prior to accessing production systems or Client data
- Security training: Mandatory security awareness training upon hire, with annual refresher training covering phishing, social engineering, data handling, and HIPAA requirements
- Least privilege: Employee access follows the principle of least privilege. Access is granted only to systems and data required for job function and is reviewed quarterly
- Offboarding: Access is revoked immediately upon employee separation. A formal offboarding checklist ensures complete deprovisioning of all system access, credentials, and devices
- Acceptable use: All employees sign an acceptable use policy and confidentiality agreement covering the handling of Client data and PHI
14. Data Retention and Disposal
Hello retains data only for as long as necessary to fulfill the purposes described in our Privacy Policy or as required by law:
- Call recordings: Configurable per Client (default 90 days). Clients may request longer or shorter retention.
- Transcripts and logs: Retained in accordance with Client configuration and HIPAA requirements (minimum 6 years)
- Account data: Retained for the duration of the service agreement plus 7 years for tax and legal compliance
- Audit logs: Retained for a minimum of 6 years per HIPAA
14.1 Secure Disposal
When data reaches the end of its retention period or upon Client request, it is securely destroyed using cryptographic erasure (rendering encrypted data permanently unrecoverable by destroying the encryption keys). Physical media, if applicable, is destroyed in accordance with NIST SP 800-88 guidelines.
15. Business Continuity
Hello maintains a comprehensive business continuity and disaster recovery program that ensures service availability and data protection. Key metrics:
- Availability target: 99.99% platform uptime
- Failover time: Less than 1 second for automatic provider failover
- Backup frequency: Continuous replication with point-in-time recovery capability
- Recovery testing: Disaster recovery procedures are tested at least annually
For complete details on our multi-provider architecture, automatic failover, support response times, service credits, and SLA terms, see our Business Continuity and SLA page.
16. Responsible Disclosure
Hello welcomes responsible security research. If you discover a potential security vulnerability in our platform or website, we ask that you:
- Report the vulnerability to security@usehello.ai with a detailed description and steps to reproduce
- Allow reasonable time for Hello to investigate and remediate before public disclosure
- Avoid accessing, modifying, or deleting data belonging to other users during your research
- Do not perform denial-of-service attacks, social engineering, or physical security testing
We commit to acknowledging receipt of vulnerability reports within 2 business days and providing an initial assessment within 5 business days. We will not pursue legal action against researchers who follow these guidelines in good faith.
17. Contact and Documentation Requests
For security inquiries, to request our security documentation, or to report a vulnerability:
- Security team: security@usehello.ai
- General inquiries: hello@usehello.ai
- Phone: (314) 972-3674
- Mail: Hello, Inc., Attn: Security, Denver, CO, United States
Enterprise clients may request the following security documentation from their account manager:
- Business Associate Agreement (BAA)
- Security risk assessment summary
- Penetration test executive summary
- Vendor security assessment summaries
- Incident response plan overview
Compliance Verified. Ready to Move Forward?
You've done your due diligence. Hello is built from the ground up for HIPAA healthcare AI with enterprise-grade security, BAA coverage, and 99.99% uptime SLA.