HIPAA and AI Receptionists: What Dental and Medical Practices Need to Know

Healthcare practices searching for an AI phone answering service almost always hit the same question first: is this thing HIPAA compliant? The honest answer for Aira today is no, and the honest picture for the broader AI receptionist category is that compliance is more nuanced than a checkbox on a pricing page. This guide explains what HIPAA actually requires for phone communications, what a Business Associate Agreement is, where Aira stands today, and how dental and medical practices use Aira responsibly right now.

What HIPAA Requires of Phone Communications

The Health Insurance Portability and Accountability Act of 1996 establishes national standards for protecting patient health information. The Privacy Rule and the Security Rule together govern how covered entities, including dental and medical practices, may use and disclose Protected Health Information, or PHI. Phone calls that involve PHI fall squarely within HIPAA's scope.

For a phone based workflow, HIPAA generally requires:

• Administrative safeguards, including policies that govern who can access PHI and how that access is logged.
• Physical safeguards over any device or facility that stores or transmits PHI.
• Technical safeguards such as encryption in transit and at rest, access controls, and audit trails.
• A signed Business Associate Agreement with every vendor that processes PHI on the provider's behalf.
• Breach notification procedures consistent with the HITECH Act.

The U.S. Department of Health and Human Services publishes the authoritative guidance on the Privacy Rule and the Security Rule. See the HHS Privacy Rule summary and the HHS Security Rule guidance for the primary sources.

What a Business Associate Agreement Is

A Business Associate Agreement, commonly abbreviated BAA, is a written contract between a covered entity and a vendor that will create, receive, maintain, or transmit PHI on the entity's behalf. HIPAA requires a BAA before a vendor can lawfully process PHI for a healthcare provider.

A BAA typically covers:

• Permitted uses and disclosures of PHI.
• Required safeguards and minimum necessary standards.
• Breach notification timelines and responsibilities.
• Subcontractor flow down obligations.
• Return or destruction of PHI at contract termination.

For AI phone answering specifically, a compliant architecture requires BAAs across the full stack: the telephony carrier, the voice synthesis provider, the language model provider, and the data storage layer. Without all of these, a receptionist product cannot honestly market itself as HIPAA compliant, regardless of any encryption it ships with.

What AI Receptionists Handle That Counts as PHI

Not every call to a dental or medical practice involves PHI. Many calls are purely administrative: a patient asking about hours, a new prospect requesting a cleaning, a visitor asking for directions. Calls shift into PHI territory as soon as identifiable health information is spoken by the caller or collected by the business.

Examples of PHI that can appear on a phone call:

• A named patient describing symptoms, diagnoses, or a treatment plan.
• Prescription refill requests tied to a specific medication.
• Test result inquiries.
• Insurance verification conversations that reveal conditions.
• Mental health or behavioral health disclosures made by the caller.

Whether a given utterance qualifies as PHI is a fact specific question. When in doubt, treat it as PHI and route it through a HIPAA covered channel.

What Aira Does Well Without HIPAA

Aira is strong at the non clinical coverage that sits on top of every practice:

• Appointment coordination for cleanings, follow ups, and new patient intake.
• General practice inquiries, including hours, location, insurance accepted, and provider bios.
• Multilingual greeting across 31 languages for communities where English is not the primary language.
• Spam filtering and robocall blocking before a human team member is interrupted.
• After hours routing to an on call provider when a caller reports an urgent situation.

These are exactly the workflows where a traditional answering service charges $300 or more per month. Aira handles them starting at $24.95 per month, with plans scaling to Growth at $49.95 and Business at $159.95 as call volume grows.

What Aira Does Not Do Today

Aira is not HIPAA covered as of April 2026. That means:

• Aira does not sign Business Associate Agreements with healthcare providers.
• Aira should not be used to collect, store, or share diagnoses, prescriptions, test results, or other PHI.
• Aira should not be positioned inside a workflow where clinical information is the expected content of the call.

If a caller volunteers PHI during a scheduling or general inquiry call, Aira is configured to keep the call moving forward, route to an on call provider when appropriate, and not retain that content in a searchable clinical record. For any workflow where PHI must be stored or transmitted through the phone system, use a HIPAA covered channel today, not Aira.

Aira's HIPAA Roadmap

Aira is actively evaluating vendor Business Associate Agreements across the underlying stack. The goal is a HIPAA capable tier that healthcare customers can adopt with the same confidence they have today in legacy answering services and dedicated healthcare answering providers.

The work in progress:

• Voice synthesis and speech to text: enterprise BAAs with the vendors that power call handling.
• Telephony: security edition plans that include BAA coverage from the upstream carrier.
• Language model inference: zero data retention contracts from the model provider.
• Data storage: HIPAA tier storage that supports encryption, retention controls, and audit logs.

HIPAA compliance adds meaningful incremental cost across each of these contracts. Aira is timing the HIPAA tier for the point where customer demand supports that cost structure without compromising the accessible pricing of the core product. No launch date has been announced.

How Dental and Medical Practices Use Aira Today

Practices using Aira today scope the service to non clinical workflows. The common patterns:

• Appointment intake. New patient scheduling, recall appointments, and rescheduling requests flow through Aira, which sends a structured summary to the practice for confirmation.
• After hours triage. Callers reporting urgent situations are routed to the on call provider by phone. Aira does not retain clinical content from these calls.
• Front office relief. Multilingual greeting, spam filtering, and overflow coverage during lunch and peak hours free the in office team for chair side work.
• New patient acquisition. Inbound calls that reference an ad or referral are captured with source information and routed to the practice's CRM for follow up.

For more on how small practices operate around front office staffing, see the Aira guides on AI receptionists for dental offices and AI receptionists for medical offices.

Frequently Asked Questions