By Sagar Shankaran, Founder of CallSphere
The OCR telehealth enforcement discretion expired in 2023. Here is the 2026 pattern for combining a HIPAA-aligned AI receptionist with telehealth visits.
Key takeaways
The COVID-era telehealth flexibilities are over. Every video call, every chat, every AI receptionist that touches PHI is back to standard HIPAA.
flowchart TD
In[Patient interaction] --> MinNec{Minimum necessary?}
MinNec -->|yes| Process[AI process]
MinNec -->|no| Reject[Block + log]
Process --> Encrypt[(AES-256 at rest)]
Encrypt --> DB[(PostgreSQL)]
Process --> Audit[(Audit trail)]
DB --> Right[Right of access §164.524]

In March 2020, OCR announced enforcement discretion that allowed providers to use non-public-facing video tools for telehealth even without BAAs. That waiver expired August 9, 2023, with a 90-day transition window ending November 6, 2023. Since then, every covered entity providing telehealth must use HIPAA-compliant communication tools with BAAs in place, full Security Rule controls, and standard breach notification. The 2024 42 CFR Part 2 Final Rule (effective April 16, 2024, compliance by February 16, 2026) layers additional confidentiality requirements on substance use disorder telehealth.
The modern telehealth front door is rarely just a video link. It is an AI receptionist that handles intake, eligibility, copay, scheduling, pre-visit instructions, and post-visit follow-up — usually via voice, often via chat. Each surface area is its own HIPAA path.
The right pattern decomposes the workflow. The AI receptionist captures the minimum-necessary fields with strict tool calls into the EHR. The telehealth video session itself runs on a HIPAA-eligible video platform with a signed BAA. The post-visit summary, when generated by an LLM, runs through a BAA-eligible model with PHI redaction. Recording of the video session — if any — is stored encrypted with documented retention and access controls. Every leg of the journey is logged in the same audit trail so the patient's full episode is reconstructable.
State telehealth licensure rules layer on top of HIPAA. The AI receptionist needs to know which state the patient is calling from to route to a licensed provider. Out-of-state telehealth without proper licensure is a separate regulatory problem that often surfaces during HIPAA audits.
CallSphere's Healthcare Voice Agent integrates with Zoom for Healthcare, Doxy.me, and other BAA-covered telehealth platforms. The agent captures intake fields (name, DOB, insurance, chief complaint, state of residence) via strict tool calls; books the telehealth slot with the licensed provider; sends the patient a HIPAA-compliant SMS via Twilio (under our Twilio BAA) with the secure video link; and logs the full episode into our healthcare_voice audit trail. Post-visit, the agent can summarize the encounter through a BAA-covered model and route the summary back to the EHR. For behavioral-health practices, /lp/behavioral-health ships with the 42 CFR Part 2 consent flow turned on by default. Our 50+ healthcare customers run this pattern at $499 or $1499/month with a /trial.
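The minimum-necessary gate, licensure routing and shared audit trail described above, as an added example that is not CallSphere's code. The field key names, the provider roster and the hash-chained log format are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Intake fields named on the page; anything else fails the minimum-necessary check.
ALLOWED_FIELDS = {"name", "dob", "insurance", "chief_complaint", "state"}
# Constructed roster (hypothetical): provider id -> states where licensed.
PROVIDER_LICENSES = {"dr_lee": {"CA", "NV"}, "dr_patel": {"NY"}}


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": datetime.now(timezone.utc).isoformat(),
                "event": event, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("ts", "event", "detail", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False  # entry edited, removed or reordered
            prev = e["hash"]
        return True


def handle_intake(tool_args, audit):
    """Gate a model-issued intake tool call; return (status, provider)."""
    extra = sorted(set(tool_args) - ALLOWED_FIELDS)
    missing = sorted(ALLOWED_FIELDS - set(tool_args))
    if extra or missing:
        # Block + log: record field names only, never the rejected values.
        audit.append("intake_rejected", {"extra": extra, "missing": missing})
        return "rejected", None
    state = str(tool_args["state"]).upper()
    provider = next((p for p, s in sorted(PROVIDER_LICENSES.items()) if state in s), None)
    if provider is None:
        audit.append("no_licensed_provider", {"state": state})
        return "no_provider", None
    audit.append("intake_accepted", {"state": state, "provider": provider})
    return "accepted", provider
```

The audit entries hold routing metadata rather than PHI, so the trail can be reviewed without widening access to the intake record itself.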
Can we still use FaceTime for telehealth? No. FaceTime, Apple Messages, and other consumer tools have not been BAA-covered, and the OCR enforcement discretion that allowed them ended in 2023.
Is Zoom HIPAA-compliant? Zoom for Healthcare and Zoom Workplace under a signed BAA are HIPAA-eligible. Free Zoom is not.
Can the AI receptionist join the video visit? Only if the entire chain — video platform, transcription, model — is BAA-covered, the patient has been informed, and the audit trail captures it. Most practices use the receptionist for pre- and post-visit, not in the visit itself.
What about behavioral health? Behavioral health adds 42 CFR Part 2 on top of HIPAA. Our /industries/behavioral-health workflow includes the Part 2 consent flow and stricter disclosure controls.