The moment an AI picks up your phones, it starts hearing everything your front desk does: names, birth dates, why someone is calling, what insurance they carry. That's protected health information, and how your vendor handles it is now your compliance problem too.
An AI receptionist is HIPAA-compliant when the vendor meets healthcare's privacy rules and signs a Business Associate Agreement (BAA), a contract that makes it legally accountable for the patient information it handles. Hello Patient builds AI agents to that standard. Its HIPAA-compliant AI receptionist is SOC 2 Type 2 certified (an independent security audit), signs a BAA with every client, logs every interaction, and never gives medical advice. What follows covers the requirements themselves, the state laws that layer on top, and what to check before choosing a vendor.
What does it mean for an AI receptionist to be HIPAA-compliant?
A HIPAA-compliant AI receptionist follows the same privacy rules your practice does, and it works under a signed BAA. Meet both and it's compliant; miss either and it isn't.
Patient calls carry protected health information, or PHI: a patient's name, date of birth, the reason for the visit, and insurance details. HIPAA sets the rules for handling all of it. Under HIPAA, any vendor that answers those calls counts as a business associate, meaning a company trusted to handle patient data on your behalf. A business associate has to sign a BAA before it can touch that data at all.
The trap is assuming that a capable-sounding AI is automatically a compliant one. A general-purpose AI or a consumer chatbot with no BAA is not compliant, no matter how polished it sounds on a call. If you want the broader view of how these tools work on a front desk, start with our guide to the AI medical receptionist.
Hello Patient clears every one of these bars. It's HIPAA-compliant, SOC 2 Type 2 certified, and signs a BAA with every client.
Why the BAA is the first thing to check
The BAA is the contract that makes a vendor legally accountable for patient information, so it's the first proof of compliance to ask for. Everything that follows builds on it.
A BAA is a signed agreement where the vendor takes on legal responsibility for protecting PHI under HIPAA. It is not marketing. It is a binding contract with real obligations attached. A compliance badge on a website or a "HIPAA-ready" line in a sales deck is not the same thing. Those are claims. A BAA is proof.
Hello Patient signs one with every client. Ask any vendor for theirs early. If a vendor won't share its BAA, keep looking.
What the agent does with patient information on a call
Hello Patient's agent handles patient information under the BAA and logs every interaction, so there's a record of what was said on each call. It's handled under the same rules your practice follows.
The agent stays in its lane. It answers questions about scheduling, hours, and insurance. It takes refill requests and routes the rest to your staff. It never gives medical advice. When a call turns clinical, urgent, or sensitive, it hands off to a real person with the full context, so the patient never has to start over.
Every interaction is logged. That means each call leaves a record your team can check. For calls about payments and statements, where billing details are their own kind of PHI, see how the AI agent for the patient billing line handles that conversation.
Do patients have to be told they're talking to an AI?
In some states, yes. It varies by state, so check your own state's rules.
Some states now require disclosing that a caller is speaking with an AI. California's SB 243 and parts of Illinois HB 1806 point this way, and more rules are emerging in 2026. Other states have no such requirement. Hello Patient's agent can run two ways. In one, it introduces itself as your practice's AI. In the other, it doesn't say so out loud. You choose, based on your state's rule. Either way, the agent never pretends to be a person, and it never borrows a staff member's name to seem human.
Confirm what your state requires. Most practices have the agent introduce itself anyway, because patients tend to trust a line that is upfront.
How state laws on recording and consent change the setup
Recording and consent laws vary by state, and the agent's consent prompts are set to match. You set the rule, the agent follows it.
Nine states use two-party consent, which means both people on a recorded call have to agree to it. Those states are California, Florida, Illinois, Massachusetts, Maryland, Montana, New Hampshire, Pennsylvania, and Washington. One-party states require only one person to agree. The agent's consent prompts get set to whichever rule applies where you operate.
The rules are different in every state. Your practice confirms what its own state requires, and the agent gets set up to match.
How a compliant AI receptionist differs from a regular chatbot or answering service
The difference is legal accountability. A free or general-purpose AI chatbot and a basic answering service were never built to carry PHI under a BAA. A HIPAA-compliant AI receptionist was.
Look at the two it gets confused with. A consumer chatbot has no BAA and no healthcare privacy obligations, so it has no business handling a patient's birth date or diagnosis. An old answering service takes a message and passes it along, but it isn't accountable for PHI the way a business associate is. Neither one carries the legal weight a patient call demands.
Hello Patient operates as a business associate under a signed BAA. That is the line between a tool that sounds fine and one you can actually put on a medical phone line.
What it takes to put a compliant agent on your line
Getting a compliant agent live starts with the BAA, and most of the setup happens on Hello Patient's side. You are not building a compliance program from scratch.
The BAA is signed on every account. The agent is configured to your state's disclosure and consent rules. It connects to the systems you already run, including ModMed, athenahealth, and eClinicalWorks. And it logs every interaction from the very first call, so you have a record from day one.
Want to see it work on your own line? Book a call and we'll walk through it.
Frequently asked questions
What is a BAA, and why does an AI receptionist need one?
A BAA, or Business Associate Agreement, is a signed contract where a vendor takes legal responsibility for protecting patient information under HIPAA. Any AI receptionist handling patient calls is a business associate, because those calls carry protected health information like names, birth dates, and insurance details. Without a signed BAA, a vendor has no legal grounding to touch that information at all. The BAA is what turns "we're careful" into a binding obligation. Hello Patient signs a BAA with every client, which is why it can handle patient calls in the first place. It is the foundation everything else sits on.
Are free or general-purpose AI chatbots HIPAA-compliant?
No. Free or general-purpose AI chatbots were not built to carry protected health information, and they don't come with a signed BAA. That means they have no legal accountability for patient data, no matter how capable they sound on a call. A consumer chatbot answering questions is a very different thing from a business associate handling PHI under HIPAA. Hello Patient is built for healthcare from the ground up. It's HIPAA-compliant, SOC 2 Type 2 certified, and operates under a BAA on every account. If a tool can't sign a BAA, it can't compliantly handle a patient call.
Who is responsible for HIPAA compliance, the practice or the AI receptionist vendor?
Both share it, and the BAA is what divides the responsibility. Your practice stays responsible for patient information as the healthcare provider, and Hello Patient takes on legal responsibility for the patient data its agent handles, spelled out in the BAA it signs with every client. That is the point of the agreement. It puts the vendor on the hook for protecting the information, in writing, instead of leaving it to trust. Without a signed BAA, your practice would carry all of that risk alone, which is why the agreement comes first. Hello Patient is HIPAA-compliant and SOC 2 Type 2 certified on top of it.
Is Hello Patient SOC 2 Type 2 certified, and what does that add to HIPAA?
Yes, Hello Patient is SOC 2 Type 2 certified. SOC 2 Type 2 is an independent audit of how a company's security controls perform over a period of time, not just at a single moment. HIPAA and the BAA set the legal rules for protecting patient information. SOC 2 Type 2 adds an outside auditor's confirmation that the security practices behind those rules actually hold up over time. For a practice weighing a vendor, that is a second, independent signal on top of the HIPAA floor. Hello Patient carries both, which is the standard large multi-location groups look for.
Where does patient information go when an AI receptionist takes a call?
When Hello Patient's agent takes a call, the patient information is handled under the BAA and logged, the same way your own practice would handle it. The BAA is what legally permits the agent to handle protected health information at all. Every interaction is recorded, so your team has a clear account of what was said and what the patient asked for. The agent stays inside its scope, answering questions about scheduling and insurance and routing anything clinical to your staff. Patient information is treated as protected health information at every step.
Does an AI receptionist keep a record of every patient call?
Yes. Hello Patient's agent logs every interaction, so there's a record of what was said on each call. Nothing gets handled off the books. Your team can go back and see what a patient asked for and where the call went. For a compliance-minded practice, that record matters as much as the privacy protections themselves, because you can always account for what happened on the line. Every call is logged, from the very first one the agent takes. You don't configure it separately. It comes with operating under a BAA.
What should you ask a vendor to prove an AI receptionist is HIPAA-compliant?
Ask any vendor to show its work, and a serious one will. Hello Patient can show all of this. Here is what to request:
- A signed BAA, not a "HIPAA-ready" claim on a website
- A current SOC 2 report, so you can see the security controls were independently audited
- A plain explanation of how patient information is handled and logged
- How the agent handles your state's AI disclosure and recording consent rules
If a vendor stalls on the BAA or can't answer how patient information is handled, treat that as your answer and keep looking.
Hello Patient's agents handle patient calls, texts, and web chat under a BAA on every account, HIPAA-compliant and SOC 2 Type 2 certified, with every interaction logged. If you want to see how a compliant agent sounds and behaves on your own line, book a call and we'll walk you through it.

.jpeg)