By Sagar Shankaran, Founder of CallSphere
Concierge and direct primary care practices often assume cash-pay means HIPAA-optional. It does not — and the AI intake agent is the workflow most likely to expose the gap.
Key takeaways
A concierge practice that does not bill insurance is not automatically outside HIPAA. The trigger is electronic standard transactions — and the AI intake agent that runs an eligibility check or sends an electronic claim has just dragged the practice in.
flowchart TD
In[Patient interaction] --> MinNec{Minimum necessary?}
MinNec -->|yes| Process[AI process]
MinNec -->|no| Reject[Block + log]
Process --> Encrypt[(AES-256 at rest)]
Encrypt --> DB[(PostgreSQL)]
Process --> Audit[(Audit trail)]
DB --> Right[Right of access §164.524]A prospective member calls about joining the concierge practice. The AI intake agent walks them through the membership model, qualifies fit (chronic conditions, expectations, geography), captures intake data (medical history, medications, allergies, prior records), schedules the meet-and-greet, runs the membership-payment processing, and onboards the new member into the practice. For practices that occasionally bill insurance for ancillary services (labs, imaging), the agent handles eligibility checks separately and the practice's covered-entity status follows the transaction.
Done well, the workflow turns a high-touch sales process into a 15-minute call. Done badly, it conflates marketing PHI with intake PHI and trips the practice into an uncertain HIPAA posture.
A health care provider becomes a covered entity at 45 CFR 160.103 when it transmits health information in connection with a HIPAA standard transaction (eligibility, claims, claim status, referral certification, prior authorization, premium payment, enrollment, coordination of benefits, and a few others). A pure cash-pay practice that never transmits a standard transaction may not be a covered entity — but the moment it runs an eligibility check on a member's separate insurance, it is.
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
State law fills the gap. California CMIA, New York SHIELD Act, Texas HB 300, and Washington's My Health My Data Act all impose privacy requirements on health information regardless of HIPAA covered-entity status. Concierge and DPC practices typically assume HIPAA-aligned safeguards as a default because state law and professional liability expect them.
Marketing rules under 45 CFR 164.508 apply when the practice is a covered entity and pushes elective services or third-party offerings.
CallSphere's Healthcare Voice Agent runs concierge intake through the qualify_member, capture_intake, process_membership, and onboard tools — 4 of 14 healthcare tools. The agent does not assume HIPAA covered-entity status; it assumes HIPAA-aligned safeguards regardless. Membership payments are PCI-DSS-aligned through a tokenized processor. Prior medical-records collection runs through a HIPAA-compliant release flow with the previous provider. Eligibility checks for ancillary insurance services use the dedicated eligibility tool with the standard 270/271 path. State-specific privacy notices load by patient state. Every intake is captured in post-call analytics with sentiment (–1.0 to +1.0), lead score (0–100), AI summary, and audit trail in the encrypted healthcare_voice PostgreSQL database (1 of 115+ tables). HIPAA and SOC 2 aligned, 37 agents and 90+ tools across 6 verticals. Pricing $149/$499/$1,499; concierge groups typically start at Pro ($499/month) and land on Scale ($1,499/month). Start with 14-day trial. 22% recurring affiliate program available.
Is a pure cash-pay practice a HIPAA covered entity? Only if it conducts a standard transaction electronically. A practice that takes cash, does not file insurance, and does not run electronic eligibility checks may not be a covered entity. Most concierge practices file at least some labs and imaging, which can pull them in.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
Why apply HIPAA-aligned safeguards if not required? State privacy law, professional liability, member expectations, and the operational reality that PHI flows in and out of the practice every day. The cost of HIPAA-aligned hygiene is small; the downside of a state-law breach is large.
What about prospective-member intake before they join? Pre-membership intake is health information. Treat it as PHI under HIPAA-aligned safeguards regardless of formal covered-entity status; capture it through a secure channel; retain only what the qualification decision required.
Can the agent reference health conditions in marketing follow-up? No. Marketing content is generic; condition-specific follow-up requires consent.
Does the practice need a Notice of Privacy Practices if not a covered entity? Not under HIPAA, but state law often requires equivalent notice. Plus members expect one.
Written by
Sagar Shankaran· Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
See how AI voice agents work for your industry. Live demo available -- no signup required.
Using GPT-Realtime-2 for healthcare voice agents. BAA scope, PHI handling, retention, logging, and why a managed platform usually wins this build.
The 2024 NPRM proposes mandatory penetration tests every 12 months and vulnerability scans every 6 months. Here is how an AI voice agent should be tested in 2026.
AWS HealthScribe became the open scribe layer EHR vendors built on top of in 2026. Here's the API surface, the per-encounter pricing, the BAA terms.
Apollo, Manipal, and Narayana scaled AI agents across Bangalore in 2026. Here's the deployments across radiology, intake, and follow-up, the costs.
Notable's AI agents now handle scheduling, intake, and revenue cycle for 6,000+ clinics in 2026. Here's the multi-agent architecture, the per-clinic pricing.
Abridge raised $250M in April 2026 at a $2.7B valuation. We break down the deployment numbers, the EHR integrations across Epic and Cerner. The Q2 2026 buyer briefing.
© 2026 CallSphere LLC. All rights reserved.