AI Strategy · 10 min read

Signing a BAA With Your AI Voice Vendor: The 2026 Buyer's Checklist

What every healthcare buyer should demand inside a Business Associate Agreement before letting an AI voice agent touch a single line of PHI in 2026.

If your AI voice vendor will not sign a Business Associate Agreement, the conversation ends there. Everything else — features, pricing, demos — is moot until that signature exists.

What the rule says

Figure: CallSphere reference architecture (flowchart source as published)

```mermaid
flowchart TD
  In[Patient interaction] --> MinNec{Minimum necessary?}
  MinNec -->|yes| Process[AI process]
  MinNec -->|no| Reject[Block + log]
  Process --> Encrypt[(AES-256 at rest)]
  Encrypt --> DB[(PostgreSQL)]
  Process --> Audit[(Audit trail)]
  DB --> Right[Right of access §164.524]
```

The HIPAA Privacy Rule at 45 CFR 164.502(e) and 164.504(e) requires that a covered entity (a provider, plan, or clearinghouse) obtain "satisfactory assurances" — in writing — that any business associate handling PHI on its behalf will safeguard that information. Those satisfactory assurances are formalized in a Business Associate Agreement, or BAA. The HITECH Act of 2009 extended direct HIPAA liability to business associates and their subcontractors, meaning the AI voice vendor that records a patient call is on the hook the same way the practice is. The Breach Notification Rule at 45 CFR 164.410 requires the business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.

What it means for AI voice/chat agents

An AI voice agent that answers your phone, captures patient names, dates of birth, insurance details, symptoms, or appointment requests is a business associate the moment any of that data crosses its systems. There is no "we just route the call" exception. If audio is recorded, transcribed, embedded for retrieval, or fed into an LLM prompt, you are creating, receiving, maintaining, or transmitting ePHI on behalf of a covered entity. That triggers the BAA requirement automatically.


A real BAA needs eight things buyers should look for line by line:

  1. An explicit list of permitted uses and disclosures of PHI — vague "as needed for services" language is a red flag.
  2. A flow-down clause that requires every subcontractor (the LLM provider, the speech-to-text vendor, the cloud host, the analytics tool) to sign an equivalent BAA.
  3. A written security commitment to the HIPAA Security Rule's administrative, physical, and technical safeguards in 45 CFR 164.308–164.312.
  4. A breach notification clause with a contractual deadline tighter than the regulatory 60 days — most mature healthcare buyers demand 24 to 72 hours.
  5. A clear obligation to make books and records available for HHS audit.
  6. A return-or-destroy clause at termination.
  7. A defined data residency commitment so PHI does not leak to non-eligible regions or models.
  8. An indemnification or insurance section that survives termination.

CallSphere implementation

CallSphere ships HIPAA-aligned and SOC 2-aligned voice and chat agents that come with a signed BAA on every healthcare contract. Our Healthcare Voice Agent — one of 37 production agents across 6 verticals — runs on a dedicated, encrypted PostgreSQL instance called healthcare_voice with row-level access controls and JWT authentication. Every tool call (eligibility lookup, scheduling write, EHR fetch) is recorded in an append-only audit trail with caller ID, timestamp, tool name, arguments, response, and operator context. We sign downstream BAAs with our hosting provider, our LLM provider, and our telephony carrier so the chain of custody is complete. Behavioral-health clinics start at our /lp/behavioral-health landing page where 42 CFR Part 2 workflows are turned on by default. Pricing is transparent: $149, $499, or $1499/month with a 14-day trial — no surprise enterprise gating just to get a BAA.
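The minimum-necessary gate and append-only audit trail from the reference architecture and the paragraph above, as an added Python example (not CallSphere's code). The tool names, the per-tool field allowlist, and the hash-chained in-memory list that stands in for the PostgreSQL audit table are assumptions made for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed per-tool allowlist of PHI fields (the BAA's "permitted uses" made machine-readable).
PERMITTED_FIELDS = {
    "eligibility_lookup": {"patient_name", "date_of_birth", "insurance_member_id"},
    "schedule_appointment": {"patient_name", "date_of_birth", "requested_slot"},
}
AUDIT_TRAIL: list[dict] = []  # stands in for the append-only PostgreSQL audit table

def _append_audit(record: dict) -> dict:
    """Append a record, chaining it to the previous entry's hash so that any
    later edit of a row, or removal of an earlier row, breaks verification."""
    record["prev_hash"] = AUDIT_TRAIL[-1]["entry_hash"] if AUDIT_TRAIL else "0" * 64
    record["entry_hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    AUDIT_TRAIL.append(record)
    return record

def gate_tool_call(caller_id: str, operator: str, tool: str, args: dict, run_tool) -> dict:
    """Minimum-necessary gate: run the tool only if every argument field is on its
    permitted list, otherwise block. Either way an audit row is appended and returned."""
    excess = sorted(set(args) - PERMITTED_FIELDS.get(tool, set()))
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "caller_id": caller_id,
        "operator": operator,
        "tool": tool,
        "arguments": sorted(args),  # field names only; PHI values stay out of the log
    }
    if excess:
        record.update(outcome="blocked", response=None,
                      reason=f"fields outside permitted use: {excess}")
    else:
        record.update(outcome="processed", response=run_tool(args), reason=None)
    return _append_audit(record)

def verify_audit_trail() -> bool:
    """Recompute the hash chain; False if any row was altered or an earlier row dropped."""
    prev = "0" * 64
    for rec in AUDIT_TRAIL:
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev_hash"] != prev or digest != rec["entry_hash"]:
            return False
        prev = rec["entry_hash"]
    return True
```

Running `verify_audit_trail()` on a schedule is how a buyer can check that the "append-only" promise in the BAA holds in practice rather than only on paper.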

Build/audit checklist

  1. Confirm the vendor offers a BAA at every pricing tier, not only on enterprise contracts.
  2. Read the permitted-uses section and flag any clause that says "as reasonably required for services."
  3. Demand the names of every subcontractor that processes PHI and confirm a signed BAA with each.
  4. Set a contractual breach-notification window of 24 to 72 hours, not the regulatory 60 days.
  5. Require encryption at rest (AES-256, FIPS 140-validated) and in transit (TLS 1.2 or higher) in writing.
  6. Require return-or-destroy of PHI within 30 days of contract termination.
  7. Require an annual SOC 2 Type II report and the latest HIPAA Security Risk Assessment summary.
  8. Confirm data residency: PHI must not leave the contracted region or fall back to non-BAA-eligible models.
  9. Confirm the vendor's cyber-insurance policy and indemnification limits in writing.
  10. File the executed BAA in your compliance system before the agent processes a single live call.

FAQ

Do you sign a BAA? Yes. CallSphere signs a BAA on every healthcare and behavioral-health contract before go-live. Contact /contact and we will send our standard BAA the same business day.

Where does PHI live? PHI lives in our encrypted PostgreSQL healthcare_voice database, hosted in a US region under a downstream BAA with our cloud provider. Audio recordings are encrypted at rest with AES-256 and stored only as long as your retention policy requires.


Which model providers do you use, and are they BAA-covered? We route healthcare prompts only to BAA-eligible deployments — currently OpenAI's API platform under a signed BAA, Anthropic Claude through AWS Bedrock under the AWS BAA, or Google Vertex AI under Google Cloud's BAA. Consumer ChatGPT and consumer Claude.ai are not used.

What about the breach notification clock? Our standard BAA commits to notifying the covered entity within 48 hours of breach discovery — well inside the 60-day regulatory ceiling at 45 CFR 164.410.

Can I see your SOC 2 report? Yes, under NDA. We share the SOC 2 Type II report and our most recent HIPAA Security Risk Assessment summary with prospective customers under a one-page mutual NDA.
