Telehealth + AI Receptionist HIPAA Patterns After the COVID Waivers

The OCR telehealth enforcement discretion expired in 2023. Here is the 2026 pattern for combining a HIPAA-aligned AI receptionist with telehealth visits.

The COVID-era telehealth flexibilities are over. Every video call, every chat, every AI receptionist that touches PHI is back to standard HIPAA.

What the rule says

flowchart TD
  In[Patient interaction] --> MinNec{Minimum necessary?}
  MinNec -->|yes| Process[AI process]
  MinNec -->|no| Reject[Block + log]
  Process --> Encrypt[(AES-256 at rest)]
  Encrypt --> DB[(PostgreSQL)]
  Process --> Audit[(Audit trail)]
  DB --> Right[Right of access §164.524]

Figure: CallSphere reference architecture

In March 2020, OCR announced enforcement discretion that allowed providers to use non-public-facing video tools for telehealth even without BAAs. That waiver expired August 9, 2023, with a 90-day transition window ending November 6, 2023. Since then, every covered entity providing telehealth must use HIPAA-compliant communication tools with BAAs in place, full Security Rule controls, and standard breach notification. The 2024 42 CFR Part 2 Final Rule (effective April 16, 2024, compliance by February 16, 2026) layers additional confidentiality requirements on substance use disorder telehealth.

What it means for AI voice/chat agents

The modern telehealth front door is rarely just a video link. It is an AI receptionist that handles intake, eligibility, copay, scheduling, pre-visit instructions, and post-visit follow-up — usually via voice, often via chat. Each surface area is its own HIPAA path.

The right pattern decomposes the workflow. The AI receptionist captures the minimum-necessary fields with strict tool calls into the EHR. The telehealth video session itself runs on a HIPAA-eligible video platform with a signed BAA. The post-visit summary, when generated by an LLM, runs through a BAA-eligible model with PHI redaction. Recording of the video session — if any — is stored encrypted with documented retention and access controls. Every leg of the journey is logged in the same audit trail so the patient's full episode is reconstructable.

State telehealth licensure rules layer on top of HIPAA. The AI receptionist needs to know which state the patient is calling from to route to a licensed provider. Out-of-state telehealth without proper licensure is a separate regulatory problem that often surfaces during HIPAA audits.

CallSphere implementation

CallSphere's Healthcare Voice Agent integrates with Zoom for Healthcare, Doxy.me, and other BAA-covered telehealth platforms. The agent captures intake fields (name, DOB, insurance, chief complaint, state of residence) via strict tool calls; books the telehealth slot with the licensed provider; sends the patient a HIPAA-compliant SMS via Twilio (under our Twilio BAA) with the secure video link; and logs the full episode into our healthcare_voice audit trail. Post-visit, the agent can summarize the encounter through a BAA-covered model and route the summary back to the EHR. For behavioral-health practices, /lp/behavioral-health ships with the 42 CFR Part 2 consent flow turned on by default. Our 50+ healthcare customers run this pattern at $499 or $1499/month with a /trial.

Build/audit checklist

  1. Confirm your telehealth video platform is BAA-covered and the BAA is signed.
  2. Confirm your AI receptionist vendor signs a BAA and does not bypass it for "marketing" calls.
  3. Use strict tool-call schemas to capture only minimum-necessary intake fields.
  4. Verify state of residence and route to a state-licensed provider before booking.
  5. Send appointment links through BAA-covered SMS, not plain SMS gateways.
  6. Encrypt any session recording at rest and document retention and access policies.
  7. Log the full episode — call, intake, booking, video, summary — in a unified audit trail.
  8. For substance use disorder workflows, layer 42 CFR Part 2 consent capture on top.
  9. Refresh your telehealth-specific Security Risk Analysis annually.
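
Checklist items 3, 4 and 7 can be enforced in one gate that sits between the model's tool call and the EHR or scheduler. The following is an added example, not CallSphere's code: the field names follow the intake fields listed above, while the provider IDs, the license table and the in-memory audit list are assumptions made for illustration.

```python
from datetime import date, datetime, timezone

# Assumed schema: the five intake fields the article lists, and nothing else.
ALLOWED = {"name", "dob", "insurance", "chief_complaint", "state_of_residence"}
# Constructed sample data: provider id -> states where the provider is licensed.
LICENSES = {"prov-001": {"CA", "NV"}, "prov-002": {"NY"}}
AUDIT_LOG = []  # stand-in for an append-only audit store


def audit(episode_id, event, outcome, detail):
    """Append one record; detail holds field names or codes, never PHI values."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "episode_id": episode_id, "event": event,
                      "outcome": outcome, "detail": detail})
    return outcome == "allowed"


def validate_intake(episode_id, args):
    """Block the tool call unless it carries exactly the allowed string fields."""
    extra = sorted(set(args) - ALLOWED)
    missing = sorted(ALLOWED - set(args))
    if extra or missing:
        return audit(episode_id, "intake", "blocked",
                     {"extra": extra, "missing": missing})
    if not all(isinstance(v, str) and v.strip() for v in args.values()):
        return audit(episode_id, "intake", "blocked",
                     {"reason": "non_string_or_empty"})
    try:
        date.fromisoformat(args["dob"])
    except ValueError:
        return audit(episode_id, "intake", "blocked", {"reason": "dob_format"})
    return audit(episode_id, "intake", "allowed", {"fields": sorted(args)})


def book_visit(episode_id, args, provider_id):
    """Book only if intake validates and the provider is licensed in the patient's state."""
    if not validate_intake(episode_id, args):
        return False
    state = args["state_of_residence"].upper()
    if state not in LICENSES.get(provider_id, set()):
        return audit(episode_id, "booking", "blocked",
                     {"reason": "provider_not_licensed", "provider": provider_id})
    return audit(episode_id, "booking", "allowed", {"provider": provider_id})
```

Every decision, allowed or blocked, lands in the same log under one episode ID, and a rejected over-collection attempt records only the name of the extra field, not its value.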

FAQ

Can we still use FaceTime for telehealth? No. FaceTime, Apple Messages, and other consumer tools have not been BAA-covered, and the OCR enforcement discretion that allowed them ended in 2023.

Is Zoom HIPAA-compliant? Zoom for Healthcare and Zoom Workplace under a signed BAA are HIPAA-eligible. Free Zoom is not.

Can the AI receptionist join the video visit? Only if the entire chain — video platform, transcription, model — is BAA-covered, the patient has been informed, and the audit trail captures it. Most practices use the receptionist for pre- and post-visit, not in the visit itself.

What about behavioral health? Behavioral health adds 42 CFR Part 2 on top of HIPAA. Our /industries/behavioral-health workflow includes the Part 2 consent flow and stricter disclosure controls.
