By Sagar Shankaran, Founder of CallSphere
HIPAA is the floor. California CMIA, NY SHIELD, Texas Medical Records Privacy Act, and Illinois BIPA add real obligations on top — especially for AI voice agents in 2026.
Key takeaways
Building HIPAA-compliant AI does not get you a 50-state pass. State medical privacy laws add real teeth — and they enforce.
```mermaid
flowchart LR
Patient["Patient call/chat"] -- "TLS 1.3" --> Edge["Cloudflare WAF"]
Edge --> App["CallSphere App<br/>HIPAA + SOC 2 aligned"]
App -- "encrypted" --> AI["AI Voice Agent"]
AI -- "tool_call · audit" --> Audit[("Audit log<br/>§164.312")]
AI --> EHR[("EHR · BAA-signed")]
EHR --> AI
AI --> Patient
```

HIPAA at 45 CFR 160.203 is a federal floor — state laws that are more protective of PHI are not preempted. Four states matter most for AI voice agents in 2026.
California Confidentiality of Medical Information Act (CMIA), Civ. Code 56 et seq., applies to providers, plans, contractors, and increasingly AI tools that handle medical information. Penalties run up to $250,000 per violation. The California AG has explicitly stated AI systems handling patient data must comply with CMIA.
New York SHIELD Act, GBL 899-bb, was amended in December 2024 to add medical and health insurance information to the definition of "private information" and to require breach notification within 30 days, with simultaneous notice to NYDFS, the AG, and State Police.
Texas Medical Records Privacy Act, HB 300, treats more entities as "covered entities" than HIPAA does, requires biennial workforce training, and triggers state Attorney General enforcement.
Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, governs voiceprints and biometric identifiers — directly relevant to AI voice agents that build voice fingerprints — with statutory damages of $1,000–$5,000 per violation and a private right of action.
Each state layer adds an obligation HIPAA does not. CMIA expands who is regulated and increases per-violation penalties. SHIELD compresses the breach notification timeline to 30 days and pulls additional state regulators into the loop. HB 300 expands "covered entity" and adds workforce training. BIPA imposes specific consent and retention rules on voiceprints — and is the most-litigated state privacy statute in the country.
The practical consequence: an AI voice agent vendor and its healthcare customer both need to know which state the patient is in and apply the strictest applicable rule. A multi-state practice cannot just run a single playbook off HIPAA.
CallSphere's Healthcare Voice Agent captures the patient's state on every call and tags downstream artifacts with the applicable state law set. Our compliance documentation includes state-specific addenda for CA, NY, TX, and IL — covering CMIA-specific authorization elements, SHIELD-compliant breach playbooks, HB 300 workforce training tracking, and explicit BIPA consent capture before any voiceprint feature is enabled. We default voiceprint creation to off; customers must enable it, capture explicit consent, and define a retention period before the feature activates. Our standard BAA includes state law flow-through clauses to subcontractors. We have customers in all four states across our 50+ business base, and the state-aware controls have held up under customer-side audit.
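The "strictest applicable rule" approach described above, together with the default-off voiceprint gate, can be made concrete as a small policy resolver. The block below is an added example, not CallSphere's code: it layers each state's statute on the HIPAA floor, merges a multi-state call down to the most demanding value in every dimension, refuses voiceprint enrollment until the feature is enabled, consent is recorded and a retention period is set, and tags a downstream artifact with the applicable law set. Only obligations the article states are encoded per state; HIPAA's 60-day outer breach-notification limit (45 CFR 164.404) is the one baseline value added from outside the article, and the sample call/state inputs are constructed.

```python
"""State-aware privacy policy resolver for a healthcare voice agent.

Added example, not CallSphere's code. HIPAA is the floor; each state's
statute is a layer on top; a call that touches several states resolves to
the strictest obligation in every field.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Obligations:
    # Fields are chosen so that "stricter" is well defined when merging:
    # a shorter deadline, a larger set of regulators, or True over False.
    breach_notice_days: int          # outer deadline to notify affected individuals
    breach_notice_to: frozenset      # bodies notified at the same time as individuals
    voiceprint_consent: bool         # statute demands explicit consent for voiceprints
    voiceprint_retention: bool       # statute demands a defined retention period
    workforce_training_biennial: bool
    sources: frozenset               # statutes contributing to this layer


# Federal floor. The 60-day outer limit comes from 45 CFR 164.404 (not stated
# in the article; it is the baseline the state layers tighten).
HIPAA = Obligations(60, frozenset({"HHS"}), False, False, False, frozenset({"HIPAA"}))

# Neutral layer used to express a state's additions without restating the floor.
_NONE = Obligations(60, frozenset(), False, False, False, frozenset())

# State layers, encoding only what the article states for each statute.
STATE_LAYERS = {
    "CA": replace(_NONE, sources=frozenset({"CA CMIA"})),
    "NY": replace(_NONE, breach_notice_days=30,
                  breach_notice_to=frozenset({"NY AG", "NYDFS", "NY State Police"}),
                  sources=frozenset({"NY SHIELD"})),
    "TX": replace(_NONE, workforce_training_biennial=True,
                  sources=frozenset({"TX HB 300"})),
    "IL": replace(_NONE, voiceprint_consent=True, voiceprint_retention=True,
                  sources=frozenset({"IL BIPA"})),
}


def merge(a: Obligations, b: Obligations) -> Obligations:
    """Combine two layers by taking the stricter value of every field."""
    return Obligations(
        breach_notice_days=min(a.breach_notice_days, b.breach_notice_days),
        breach_notice_to=a.breach_notice_to | b.breach_notice_to,
        voiceprint_consent=a.voiceprint_consent or b.voiceprint_consent,
        voiceprint_retention=a.voiceprint_retention or b.voiceprint_retention,
        workforce_training_biennial=(a.workforce_training_biennial
                                     or b.workforce_training_biennial),
        sources=a.sources | b.sources,
    )


def resolve(states) -> Obligations:
    """Policy for a call touching the given state codes (patient, practice, ...).
    States without a listed layer contribute nothing beyond the HIPAA floor."""
    policy = HIPAA
    for code in states:
        layer = STATE_LAYERS.get(code.strip().upper())
        if layer is not None:
            policy = merge(policy, layer)
    return policy


def voiceprint_allowed(policy, *, enabled=False, consent_recorded=False,
                       retention_days=None):
    """Default-off gate with the three preconditions the article lists: the
    customer enabled the feature, explicit consent was captured, and a
    retention period exists. Returns (allowed, reason)."""
    statute = "IL BIPA" if policy.voiceprint_consent else "platform default"
    if not enabled:
        return False, "voiceprint feature is off by default"
    if not consent_recorded:
        return False, f"explicit consent required before any voiceprint is created ({statute})"
    if not retention_days or retention_days <= 0:
        return False, f"a retention period must be defined before enrollment ({statute})"
    return True, "ok"


def tag_artifact(call_id, patient_state, artifact):
    """Attach the applicable law set to a downstream artifact (transcript, recording)."""
    policy = resolve([patient_state])
    return {
        **artifact,
        "call_id": call_id,
        "patient_state": patient_state.strip().upper(),
        "law_set": sorted(policy.sources),
        "breach_notice_days": policy.breach_notice_days,
    }


if __name__ == "__main__":
    # Constructed input: a practice with patients in New York and Illinois.
    p = resolve(["NY", "IL"])
    print(p.breach_notice_days, sorted(p.breach_notice_to), sorted(p.sources))
    print(voiceprint_allowed(p, enabled=True, consent_recorded=True))
    print(tag_artifact("call-0001", "tx", {"kind": "transcript"}))
```

The merge is deliberately monotone: adding a state can only shorten a deadline, add a regulator or switch a requirement on, so a multi-state call never ends up looser than any single state it touches. Real deployments would populate the layers from legal review rather than hard-code them, but the merge and gate logic stay the same.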
Does HIPAA preempt state medical privacy laws? No, only when the state law is less protective. More-protective state law applies on top of HIPAA at 45 CFR 160.203.
Are voiceprints regulated under HIPAA? HIPAA treats them as ePHI when tied to identity. Illinois BIPA goes further with explicit consent, retention limits, and a private right of action — meaning class-action exposure even without an OCR action.
What is the SHIELD breach notification window? 30 days as of the December 2024 amendment, with simultaneous notice to NY AG, NYDFS, and State Police.
Can CallSphere disable voiceprint features for customers in Illinois? Yes, voiceprint features are off by default and must be explicitly enabled with a documented BIPA consent flow.
Written by
Sagar Shankaran · Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
© 2026 CallSphere LLC. All rights reserved.