
HIPAA compliant medical answering service buyer’s guide

We had a sales call last month with a dermatology group in Texas. The practice manager started by saying ‘we already have a HIPAA-compliant answering service.’ I asked her if she had a copy of the BAA. There was a long pause. ‘I’ll have to check,’ she said. She never did get back to me.

The phrase ‘HIPAA compliant medical answering service’ is easy to write and hard to earn. Most vendors will check the box on their pricing page. Almost none will hand you a signed BAA before you sign theirs. That asymmetry is the single most important thing to understand before any patient call carrying PHI flows through any vendor’s system.

What follows is the actual checklist I run through when a practice asks me what to look for. I’ve watched too many practices skip these steps and find out the hard way during a breach review.


Step 1: Get the BAA in writing before the demo

A Business Associate Agreement is required by HIPAA for any service that touches PHI on a covered entity’s behalf. An answering service handling patient calls is unambiguously a business associate. There’s no version of this where you skip it.

Ask the vendor to send a draft BAA before the sales demo. If they tell you it’s ‘available on enterprise tiers’ or ‘after signature’, that’s a signal. A real HIPAA-built service hands you the BAA early, sometimes before you ask.

Read the BAA. Don’t skim. Confirm it covers all the PHI the service will touch — transcripts, recordings, audit logs, exports. Confirm breach-notification timelines are concrete (24-72 hours, not ‘promptly’). Confirm the vendor’s subprocessor list is appended.

Step 2: Demand the subprocessor list

A modern answering service touches multiple subprocessors. The LLM provider, the speech-to-text engine, the cloud host, the SMS provider, the email provider, the storage layer. Each one needs its own BAA with the answering service vendor.

Ask for the subprocessor list in writing. Verify each subprocessor will sign a BAA. If the LLM provider hasn’t, the service legally can’t process PHI through that provider until they do — regardless of what the marketing page says.

DeskMD’s public position is precise: subprocessor BAAs must complete before production PHI use. Vendors that gloss over this aren’t the right partner for healthcare. We’d rather lose the deal than misrepresent the state of those agreements.

Step 3: Verify encryption in transit and at rest

TLS in transit and AES-256 at rest are table stakes. Every modern vendor should meet both. The differentiator is whether they encrypt at field level for the most sensitive data, who holds the keys, and whether keys rotate automatically.

Ask whether key management uses a dedicated service (a key-management service or hardware security module), whether keys rotate, and whether there’s an option for customer-managed keys at higher tiers.

Encryption alone doesn’t equal HIPAA compliance. Without the BAA, audit log, and access controls behind it, encryption is just a checkbox.

Step 4: Audit log retention and tamper-evidence

HIPAA requires retaining required documentation for six years from creation or last effective date — 45 CFR §164.316(b)(2)(i). Audit logs of PHI access fall under this rule.

Ask the vendor: how long are audit logs retained? Are they tamper-evident (write-once or hash-chained)? Who has access to them? Can they be exported for an investigation?

A ‘30-day retention’ answer is a hard fail. A ‘6-year retention with append-only storage and on-demand export’ is the bar. Don’t accept anything in between.
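To make the ‘tamper-evident’ question concrete, here is an added illustration (not DeskMD’s code) of a hash-chained audit log in Python: each entry’s hash commits to the previous entry’s hash, so an edited or deleted entry breaks verification. The sample events, tenant and user ids are constructed; the block also shows the caveat that chaining alone does not detect truncation of the newest entries, which is why the latest hash should be anchored outside the log.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev-hash of the first entry

# Constructed sample PHI-access events; tenant, user and record ids are hypothetical.
SAMPLE_EVENTS = [
    {"tenant": "clinic-001", "user": "ops-jane", "action": "read_transcript",
     "record": "call-1042", "reason": "patient callback"},
    {"tenant": "clinic-001", "user": "ops-jane", "action": "export_recording",
     "record": "call-1042", "reason": "breach review"},
    {"tenant": "clinic-002", "user": "support-lee", "action": "read_transcript",
     "record": "call-2210", "reason": "support ticket"},
]

def _digest(seq: int, prev: str, event: dict) -> str:
    # Deterministic serialization so the hash does not depend on dict key order.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}|{prev}|{body}".encode()).hexdigest()

def append(chain: list, event: dict) -> dict:
    """Append one access event; its hash commits to the previous entry's hash."""
    seq, prev = len(chain), (chain[-1]["hash"] if chain else GENESIS)
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _digest(seq, prev, event)}
    chain.append(entry)
    return entry

def build_chain(events: list) -> list:
    chain: list = []
    for ev in events:
        append(chain, ev)
    return chain

def verify(chain: list) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry.
    Detects edits and deletions inside the chain, but not truncation of the tail."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if entry["hash"] != _digest(i, prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None

def head(chain: list) -> str:
    """Latest hash. Keep a copy outside the log (e.g., handed to the practice daily)
    so that silently dropping the newest entries shows up as a head mismatch."""
    return chain[-1]["hash"] if chain else GENESIS
```

A practice reviewing its own access log can recompute the chain and compare the head against the copy it received earlier; a vendor that stores entries this way (or on write-once storage) can answer the tamper-evidence question with a demonstration rather than a promise.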

Step 5: PHI redaction and deletion workflow

Patients sometimes share more PHI on the phone than the call required. Lab results, family history, insurance numbers, prior medical events. A HIPAA compliant medical answering service needs a documented workflow to redact unnecessary PHI from transcripts and recordings.

Ask for the redaction process. Is it automated, manual, or hybrid? What gets redacted by default? Can the practice configure additional redaction rules?

Deletion matters more than people realize. When a patient asks to be deleted, the service must remove their data from every subsystem — transcripts, recordings, audit-log references, backups, exports. Ask for the deletion workflow in writing. The right answer takes ten minutes to explain. The wrong answer takes two sentences.

Step 6: Tenant isolation, access control, and least privilege

Multi-tenant SaaS makes economic sense — but it requires strict isolation. Ask whether tenant data is isolated at the row level, the schema level, or the cluster level. Verify that compute, storage, and search indices are segregated.

Access control should follow least privilege. Engineering staff shouldn’t have routine access to PHI. Where access is required for support, it should be logged, time-bounded, and limited to specific tenants under explicit consent.

The audit log should record every PHI access, by user, with reason. Practices should be able to review their own access log on demand.

Step 7: Pricing and HIPAA-add-on traps

Some vendors quote a base price that turns out to be non-HIPAA, with HIPAA as a $25 to $100/month add-on. Ruby Receptionist now includes HIPAA at no extra charge. AnswerConnect offers HIPAA as an add-on. Some smaller services don’t offer HIPAA at all.

DeskMD includes BAA support on every plan: $299/provider/month Standard, $449 Pro. There’s no HIPAA add-on tier.

Ask the vendor what’s included and what’s extra. Setup fees, dispatch fees, after-hours surcharges, and HIPAA add-ons can double the apparent rate. Read the rate card line by line.

Step 8: Run a pre-PHI pilot

Before any production PHI flows through the service, run a two-week pilot with synthetic calls or low-sensitivity calls. Verify intake fields are captured correctly. Verify dispatch reaches the right people. Verify the audit log shows the expected entries. Verify redaction works.

Have someone at your practice — designated security lead, compliance officer, whoever — review the BAA, subprocessor list, and audit log structure during the pilot. If anything looks off, surface it before signing.

Document the pilot. Most regulators prefer to see a written record of the diligence performed, especially if a breach later happens. A two-page memo saved in the compliance folder is worth more than nothing.

Common questions

Questions to ask first

Is every answering service HIPAA compliant by default?

No. Most general business answering services aren’t HIPAA compliant by default and offer HIPAA as an opt-in workflow with a separate BAA. Don’t assume the marketing page is the contract.

How long should audit logs be retained?

Six years per 45 CFR §164.316(b)(2)(i), counted from creation or last effective date. Audit logs should be append-only or tamper-evident.

Can a HIPAA-built service still leak PHI?

Yes. HIPAA compliance is about controls and process, not absolute prevention. The right service catches the leak, redacts the PHI, logs the event, and notifies you within the breach-notification window. We’ve watched perfectly compliant services have small leaks; the question is what they do next.

Does HIPAA apply to recordings of phone calls?

Yes. Recordings that contain PHI fall under HIPAA. Both the recording and any derived transcript or analysis are covered.

What if a vendor refuses to sign a BAA?

Walk away. A HIPAA-built service signs a BAA. A vendor that refuses isn’t equipped to handle PHI, regardless of marketing claims.

What to do next

Run the buyer’s checklist on your shortlist
