Is an AI answering service HIPAA compliant?
An AI answering service is HIPAA compliant only when the vendor signs a Business Associate Agreement (BAA) with your practice and has BAAs in place across its underlying voice, telephony, language model, and storage stack. HIPAA does not have a technology certification — compliance is a contract, not a feature. Many AI answering services advertise themselves as HIPAA-compliant or HIPAA-ready but cannot produce signed BAAs across all upstream vendors handling Protected Health Information; this gap creates real liability exposure for the covered practice. Aira is honest about its current posture: Aira is not currently a HIPAA-covered service and does not sign BAAs. Aira is appropriate for non-PHI workflows — appointment coordination, scheduling, generic intake, after-hours routing — and a HIPAA-capable tier is on the roadmap with no firm launch date. See Aira's full HIPAA posture for what to verify with any vendor in this category.
What to verify with any AI answering service vendor
Before signing with an AI answering service for a practice that handles PHI, verify each of the following in writing. "HIPAA-ready" or "HIPAA-compliant" marketing copy is not sufficient — request the BAA itself and confirm the upstream-vendor coverage.
- Signed BAA with the AI vendor
  - Required before any PHI flows through the service
- BAAs with upstream voice / TTS providers
  - Required — the call audio crosses these vendors
- BAAs with upstream LLM providers
  - Required — transcripts are sent for summarization or extraction
- BAA with telephony provider
  - Required — call origination and routing crosses telephony
- BAA with data storage provider
  - Required if call recordings, transcripts, or collected fields are retained
- Breach notification procedure
  - Vendor must commit to HIPAA-grade breach notification timelines
- Audit log retention
  - Required for HIPAA Security Rule compliance
What HIPAA actually requires of phone answering
Under HIPAA's Privacy Rule and Security Rule, any vendor handling Protected Health Information on behalf of a covered entity (a healthcare practice) is a Business Associate. The Business Associate must sign a Business Associate Agreement that specifies how PHI is stored, transmitted, and accessed, and how breaches are reported. Without a signed BAA, the vendor cannot lawfully process PHI for a covered practice. The practice carries the legal liability for using a non-covered vendor — fines run from $100 to $50,000 per violation under the HIPAA enforcement tiers.
The technology layer matters but is not sufficient on its own. Encryption in transit, encryption at rest, access controls, and audit logging are all required by the Security Rule. But these technical safeguards do not make a vendor HIPAA-compliant — only the BAA does. "HIPAA-grade infrastructure" or "end-to-end encryption" without a BAA does not protect the practice from liability.
Aira's current posture
Aira does not currently sign Business Associate Agreements with healthcare practices. The underlying stack — voice synthesis, telephony, language models, and data storage — does not have BAAs in place across all components. We are explicit about this and we have removed prior HIPAA-compliance claims from Aira's marketing surfaces.
Aira is designed for appointment coordination and general practice inquiries. Practices using Aira should not share or be asked for Protected Health Information through the service. PHI on Aira calls includes patient-stated diagnoses tied to a name, prescription details, test result questions, or symptoms tied to an existing treatment plan. Generic scheduling statements ("I'd like a cleaning appointment next Tuesday") are not PHI on their own.
A HIPAA-capable Aira tier is on the product roadmap and ships when the necessary upstream BAAs are executed. No firm launch date has been announced. For the current state of Aira's HIPAA posture and the BAA roadmap, see the dedicated HIPAA page.
Related questions
- What is a medical answering service? A medical answering service handles patient calls when your office is closed or staff is busy. Here's what one does, who staffs it, and what HIPAA requires.
- How much does a medical answering service cost? Medical answering services range from $25 to $3,000+/mo. Here's what drives the bill — call volume, HIPAA, after-hours coverage — and where the price brackets land in 2026.
- What is a virtual medical receptionist? A virtual medical receptionist handles full front-desk duties remotely. Here's what they do, how they're staffed, and how AI versions compare.