By Sagar Shankaran, Founder of CallSphere
What every healthcare buyer should demand inside a Business Associate Agreement before letting an AI voice agent touch a single line of PHI in 2026.
Key takeaways
If your AI voice vendor will not sign a Business Associate Agreement, the conversation ends there. Everything else — features, pricing, demos — is moot until that signature exists.
```mermaid
flowchart TD
    In[Patient interaction] --> MinNec{Minimum necessary?}
    MinNec -->|yes| Process[AI process]
    MinNec -->|no| Reject[Block + log]
    Process --> Encrypt[(AES-256 at rest)]
    Encrypt --> DB[(PostgreSQL)]
    Process --> Audit[(Audit trail)]
    DB --> Right[Right of access §164.524]
```

The HIPAA Privacy Rule at 45 CFR 164.502(e) and 164.504(e) requires that a covered entity (a provider, plan, or clearinghouse) obtain "satisfactory assurances" — in writing — that any business associate handling PHI on its behalf will safeguard that information. Those satisfactory assurances are formalized in a Business Associate Agreement, or BAA. The HITECH Act of 2009 extended direct HIPAA liability to business associates and their subcontractors, meaning the AI voice vendor that records a patient call is on the hook the same way the practice is. The Breach Notification Rule at 45 CFR 164.410 requires the business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.
An AI voice agent that answers your phone, captures patient names, dates of birth, insurance details, symptoms, or appointment requests is a business associate the moment any of that data crosses its systems. There is no "we just route the call" exception. If audio is recorded, transcribed, embedded for retrieval, or fed into an LLM prompt, you are creating, receiving, maintaining, or transmitting ePHI on behalf of a covered entity. That triggers the BAA requirement automatically.
A real BAA needs eight things, and buyers should look for each of them line by line:
1. An explicit list of permitted uses and disclosures of PHI. Vague "as needed for services" language is a red flag.
2. A flow-down clause that requires every subcontractor (the LLM provider, the speech-to-text vendor, the cloud host, the analytics tool) to sign an equivalent BAA.
3. A written security commitment to the HIPAA Security Rule's administrative, physical, and technical safeguards in 45 CFR 164.308–164.312.
4. A breach notification clause with a contractual deadline tighter than the regulatory 60 days. Most mature healthcare buyers demand 24 to 72 hours.
5. A clear obligation to make books and records available for HHS audit.
6. A return-or-destroy clause at termination.
7. A defined data residency commitment so PHI does not leak to non-eligible regions or models.
8. An indemnification or insurance section that survives termination.
CallSphere ships HIPAA-aligned and SOC 2-aligned voice and chat agents that come with a signed BAA on every healthcare contract. Our Healthcare Voice Agent — one of 37 production agents across 6 verticals — runs on a dedicated, encrypted PostgreSQL instance called healthcare_voice with row-level access controls and JWT authentication. Every tool call (eligibility lookup, scheduling write, EHR fetch) is recorded in an append-only audit trail with caller ID, timestamp, tool name, arguments, response, and operator context. We sign downstream BAAs with our hosting provider, our LLM provider, and our telephony carrier so the chain of custody is complete. Behavioral-health clinics start at our /lp/behavioral-health landing page where 42 CFR Part 2 workflows are turned on by default. Pricing is transparent: $149, $499, or $1499/month with a 14-day trial — no surprise enterprise gating just to get a BAA.
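The flowchart above and the audit-trail description in this section both describe the same control path: reduce each patient interaction to the fields a tool actually needs, block and log anything beyond that, and record every tool call in an append-only trail. The following is an added illustration of that path, not CallSphere's code. The tool names, the per-tool field allowlist, the HMAC key and the sample interaction are all constructed for the example; encryption at rest is deliberately left out so the block runs with the standard library alone.

```python
"""Minimum-necessary gate plus a tamper-evident, append-only audit trail.

Added example (not CallSphere code). Tool names, the field allowlist,
the HMAC key and SAMPLE_INTERACTION are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical allowlist: which PHI fields each tool may receive.
# A scheduling write does not need symptoms; an eligibility lookup does
# not need the requested slot. Unknown tools get nothing (fail closed).
MINIMUM_NECESSARY = {
    "eligibility_lookup": {"patient_name", "date_of_birth", "insurance_member_id"},
    "schedule_appointment": {"patient_name", "date_of_birth", "requested_slot"},
}

# Constructed sample, not real patient data.
SAMPLE_INTERACTION = {
    "patient_name": "Test Patient",
    "date_of_birth": "1980-01-01",
    "insurance_member_id": "MEMBER-000",
    "requested_slot": "2026-03-02T09:00",
    "symptoms": "persistent cough",
}


def apply_minimum_necessary(tool_name, interaction):
    """Split an interaction into (allowed, blocked_field_names) for one tool."""
    allowed_keys = MINIMUM_NECESSARY.get(tool_name, set())
    allowed = {k: v for k, v in interaction.items() if k in allowed_keys}
    blocked = sorted(k for k in interaction if k not in allowed_keys)
    return allowed, blocked


class AuditTrail:
    """Append-only log where each entry's MAC covers the previous entry's MAC.

    The key is held by the application, not the database, so editing or
    deleting an earlier row breaks the chain on verify().
    """

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []
        self._last_hash = self.GENESIS

    def _mac(self, prev_hash, payload):
        msg = prev_hash.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, caller_id, tool_name, arguments, response, operator, timestamp=None):
        # Fields mirror the page: caller ID, timestamp, tool, arguments, response, operator.
        payload = {
            "caller_id": caller_id,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "tool_name": tool_name,
            "arguments": arguments,
            "response": response,
            "operator": operator,
        }
        entry_hash = self._mac(self._last_hash, payload)
        self._entries.append({"prev": self._last_hash, "payload": payload, "hash": entry_hash})
        self._last_hash = entry_hash
        return entry_hash

    def verify(self):
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for entry in self._entries:
            expected = self._mac(prev, entry["payload"])
            if entry["prev"] != prev or not hmac.compare_digest(expected, entry["hash"]):
                return False
            prev = entry["hash"]
        return True

    def __len__(self):
        return len(self._entries)


def handle_tool_call(trail, caller_id, operator, tool_name, interaction):
    """Gate the interaction, log both branches, and return what the tool may see."""
    allowed, blocked = apply_minimum_necessary(tool_name, interaction)
    if blocked:
        # "Block + log" branch: only field names are logged, never the blocked values.
        trail.append(caller_id, "minimum_necessary_block",
                     {"tool": tool_name, "fields": blocked}, "blocked", operator)
    if not allowed:
        return None
    trail.append(caller_id, tool_name, allowed, "ok", operator)
    return allowed


if __name__ == "__main__":
    t = AuditTrail(key=b"example-key-replace-in-production")
    print(handle_tool_call(t, "+15550100", "agent-1", "schedule_appointment", SAMPLE_INTERACTION))
    print(len(t), "entries, chain valid:", t.verify())
```

Note that the block branch logs which fields were withheld but not their values, so the audit trail itself does not become a second copy of the over-collected PHI. In a real deployment the chain head (`_last_hash`) would be anchored somewhere outside the database, for example a periodic signed checkpoint, so that truncating the whole tail is also detectable.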
Do you sign a BAA? Yes. CallSphere signs a BAA on every healthcare and behavioral-health contract before go-live. Contact /contact and we will send our standard BAA the same business day.
Where does PHI live?
PHI lives in our encrypted PostgreSQL healthcare_voice database, hosted in a US region under a downstream BAA with our cloud provider. Audio recordings are encrypted at rest with AES-256 and stored only as long as your retention policy requires.
Which model providers do you use, and are they BAA-covered? We route healthcare prompts only to BAA-eligible deployments — currently OpenAI's API platform under a signed BAA, Anthropic Claude through AWS Bedrock under the AWS BAA, or Google Vertex AI under Google Cloud's BAA. Consumer ChatGPT and consumer Claude.ai are not used.
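The routing rule in this answer (healthcare prompts go only to BAA-covered deployments, consumer products are never used) is the kind of policy that should fail closed in code rather than rely on operator discipline. The following is an added example of such a router, not CallSphere's implementation. The provider names follow the page; the deployment identifiers, the region labels and the registry itself are constructed assumptions.

```python
"""Fail-closed routing of PHI-bearing prompts to BAA-covered deployments.

Added example (not CallSphere code). REGISTRY, deployment names and
region labels are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    name: str
    baa_signed: bool        # a signed BAA covers this specific deployment
    region: str             # assumed residency label, e.g. "us"
    consumer_product: bool  # consumer apps are never routed to, PHI or not


# Constructed registry mirroring the page's statements (names are assumed).
REGISTRY = [
    Deployment("openai-api", baa_signed=True, region="us", consumer_product=False),
    Deployment("claude-on-bedrock", baa_signed=True, region="us", consumer_product=False),
    Deployment("vertex-ai", baa_signed=True, region="us", consumer_product=False),
    Deployment("chatgpt-consumer", baa_signed=False, region="us", consumer_product=True),
    Deployment("claude-ai-consumer", baa_signed=False, region="us", consumer_product=True),
]


class RoutingDenied(Exception):
    """Raised instead of silently downgrading to a non-covered deployment."""


def is_eligible(dep, contains_phi, required_region):
    """Policy check for one deployment.

    Consumer products are excluded unconditionally. When the prompt carries
    PHI, the deployment must additionally be under a signed BAA and sit in
    the required residency region.
    """
    if dep.consumer_product:
        return False
    if contains_phi:
        return dep.baa_signed and dep.region == required_region
    return True


def eligible_deployments(registry, contains_phi, required_region):
    return [d for d in registry if is_eligible(d, contains_phi, required_region)]


def route(registry, contains_phi, required_region, preferred=None):
    """Pick a deployment, or raise RoutingDenied if policy leaves none.

    A caller's preference is honoured only if it is itself eligible; a
    preference can never override the policy.
    """
    candidates = eligible_deployments(registry, contains_phi, required_region)
    if not candidates:
        raise RoutingDenied(
            f"no BAA-eligible deployment for phi={contains_phi} region={required_region}")
    if preferred is not None:
        for d in candidates:
            if d.name == preferred:
                return d
        raise RoutingDenied(f"preferred deployment {preferred!r} is not policy-eligible")
    return candidates[0]


if __name__ == "__main__":
    print(route(REGISTRY, contains_phi=True, required_region="us").name)
    try:
        route(REGISTRY, contains_phi=True, required_region="us", preferred="chatgpt-consumer")
    except RoutingDenied as exc:
        print("denied:", exc)
```

The design choice worth copying is that an ineligible preference raises rather than falls back: a misconfigured default that points at a consumer endpoint should surface as an error in staging, not as a quiet substitution in production.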
What about the breach notification clock? Our standard BAA commits to notifying the covered entity within 48 hours of breach discovery — well inside the 60-day regulatory ceiling at 45 CFR 164.410.
Can I see your SOC 2 report? Yes, under NDA. We share the SOC 2 Type II report and our most recent HIPAA Security Risk Assessment summary with prospective customers under a one-page mutual NDA.
Written by
Sagar Shankaran · Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
© 2026 CallSphere LLC. All rights reserved.