HIPAA-compliant business communications
DialPhone is a HIPAA-compliant business communications platform. Healthcare practices, payers, and life-sciences organizations use DialPhone for patient calls, SMS reminders, telehealth meetings, and AI receptionists under a signed Business Associate Agreement (BAA) at no additional cost.
Last updated: April 20, 2026 · Reviewed by the DialPhone Compliance Office
The short version
- ✓ BAA included on Advanced ($34), Ultra ($54), and all Contact Center plans — no surcharge.
- ✓ Covered: calls, recordings, SMS, fax, video, team chat, AI transcripts, AI Receptionist, contact center.
- ✓ Technical controls: end-to-end encryption, audit logs, PHI redaction, minimum-necessary access.
- ✓ 72-hour breach notification SLA with written root-cause and remediation.
- ✓ Pre-built EHR integrations (Epic, Cerner, athenahealth) + FHIR API for custom workflows.
How to get a BAA signed
The BAA is a short, standard agreement. Most customers e-sign in the portal in under 3 minutes. If your legal team requires red-lines, our compliance team responds within one business day.
1. Upgrade to Advanced, Ultra, or any Contact Center tier (BAA requires an eligible plan).
2. Sign in to the customer portal → Settings → Compliance.
3. Review the Business Associate Agreement — standard, no red-lines required for most customers. Legal review welcome.
4. E-sign with an authorized signatory. BAA activates immediately; confirmation email sent to the account admin.
5. Enable PHI redaction, audit log export, and minimum-necessary access policies inside Admin → Security.
HIPAA safeguards
Every HIPAA Security Rule safeguard category — technical, administrative, and physical — is mapped to an implemented control, audited annually against SOC 2 Type II and HIPAA Security Rule requirements.
Technical safeguards
- Access control: Unique user IDs, role-based permissions, automatic logoff, SSO/SAML, MFA enforcement.
- Encryption in transit: TLS 1.3 for signaling, SRTP with AES-256 for voice media, DTLS for WebRTC meetings.
- Encryption at rest: AES-256-GCM for recordings, transcripts, voicemails, SMS, and fax images. Hardware-backed KMS.
- Audit controls: Immutable audit logs for every read/write of PHI, retained 6 years, exportable to customer SIEM.
- Integrity controls: Signed recordings with SHA-256 hashes. Tamper-evident storage.
- Transmission security: Geo-diverse carrier routes, STIR/SHAKEN A-level attestation, DDoS protection.
Administrative safeguards
- Security Officer: Named CISO, quarterly risk analysis, documented incident response.
- Workforce training: Annual HIPAA training required for all staff with PHI access. Policies re-certified every 12 months.
- Minimum-necessary access: Customer support cannot read PHI unless explicit break-glass approval is granted and logged.
- Incident response: 24-hour detection SLA, 72-hour written breach notification, post-mortem shared with customer.
- Business Associate Agreements: Every subprocessor handling PHI has a signed BAA. Subprocessor list public.
- Annual risk assessment: Third-party HIPAA security risk assessment, findings remediated against published timeline.
Physical safeguards
- Data center security: SOC 2 + ISO 27001 certified facilities. 24/7 guarded, biometric access, CCTV, redundant power.
- Workstation security: Managed-device enforcement (MDM), full-disk encryption, remote wipe for all staff laptops.
- Media disposal: NIST 800-88 sanitization for retired drives. Certificates of destruction on request.
What’s covered under the BAA
| Feature | BAA status |
|---|---|
| Business phone (calls, voicemail, recording) | Covered |
| Video meetings and webinars | Covered |
| Team messaging and file sharing | Covered |
| Business SMS and MMS | Covered (with PHI-redaction option) |
| Online fax (cloud fax) | Covered |
| Contact center (omnichannel) | Covered on all CCaaS tiers |
| AI meeting summaries, transcripts, SMS drafting | Covered — PHI tokens redacted before model processing |
| AI Receptionist (Smart Virtual Concierge) | Covered — HIPAA-compliant intent handling |
| Analytics and reporting | Covered — PHI-scrubbed reports available |
Not covered (and why)
- Free trial accounts (BAA not active until paid plan is signed)
- Core plan without BAA upgrade (BAA requires Advanced or higher)
- Customer-installed third-party integrations outside the DialPhone subprocessor list
- Public social-media channel connectors (LinkedIn, public Twitter) — excluded per HIPAA minimum-necessary standard
- International numbers in countries where DialPhone does not hold a BAA-eligible license
Healthcare use cases DialPhone supports
- Patient intake & appointment reminders — AI Receptionist + SMS with PHI redaction.
- Telehealth visits — HIPAA-eligible video meetings with transcript on request.
- Clinical call centers — omnichannel contact center with minimum-necessary routing.
- Pharmacy refill lines — IVR and SMS workflows with EHR sync.
- Medical device support — multi-site contact center with audit-grade recording.
- Health plan member services — AI coaching plus PCI-DSS-compliant co-pay capture.
Read the dedicated healthcare solutions page for implementation playbooks.
Related compliance & trust
- Trust Center — SOC 2, GDPR, PCI-DSS, FINRA, ISO 27001
- SOC 2 Type II — independent audit report (NDA)
- GDPR compliance — DPA, residency, subprocessors
- Subprocessor registry — public, updated in real time
- Security overview — seven-layer defense
- HIPAA-compliant AI Receptionist