HIPAA Compliance
How 24CallDesk handles protected health information
If you're in healthcare, you already know the stakes. Patient data requires serious protection, and any vendor touching that data needs to meet the same standards you do.
24CallDesk is built to handle healthcare communication. Here's what that means in practice.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) establishes data privacy and security standards for medical information. It comprises three main components:
- Privacy Rule: Protects individually identifiable health information, known as protected health information (PHI)
- Security Rule: Sets standards for securing electronic protected health information (ePHI)
- Breach Notification Rule: Requires notification of affected parties in case of a data breach
Any organization handling PHI must comply with these rules, including technology vendors like 24CallDesk.
Enabling HIPAA Mode
HIPAA mode can be enabled for your account through settings or by contacting support.
When HIPAA mode is active:
- Call recordings are encrypted with per-customer keys
- Transcripts are stored in isolated, encrypted storage
- Audit logging tracks all access to PHI
- Retention controls let you set custom data lifecycle policies
- Minimum necessary principle guides AI data collection
HIPAA mode is available on Business and Enterprise plans. Contact support@24calldesk.com to enable it for your account.
Business Associate Agreement
We sign BAAs with healthcare customers. This establishes our legal obligation to protect PHI and defines how we handle it on your behalf.
What the BAA covers:
- Call recordings containing patient information
- Transcripts and call summaries
- Appointment data synced with your systems
- Any data the AI collects during conversations
Request a BAA during onboarding or contact support@24calldesk.com if you're already a customer.
Technical Safeguards
Encryption
All data is encrypted:
- In transit: TLS 1.3 for all connections
- At rest: AES-256 encryption for stored data
- Call recordings: Encrypted separately with per-customer keys
Access Controls
- Role-based permissions for your team
- Audit logs of all data access
- Session timeouts and forced re-authentication
- IP allowlisting available for enterprise accounts
Infrastructure
- SOC 2 Type II certified hosting
- HIPAA-eligible cloud infrastructure (Vercel, Railway)
- Geographic data residency options
- Regular third-party security audits
HIPAA-Compliant Providers
All underlying services in the 24CallDesk voice pipeline are HIPAA-compliant:
| Component | Providers |
|---|---|
| Voice Platform | Vapi |
| Speech-to-Text | Deepgram |
| AI Processing | OpenAI, Anthropic |
| Text-to-Speech | Cartesia |
| Telephony | Twilio |
| Hosting | Vercel, Railway |
How PHI Flows Through 24CallDesk
When a patient calls:
- Call connects via encrypted channel
- AI processes speech in real-time (no permanent storage at this stage)
- Recording saved to encrypted storage after call ends
- Transcript generated and encrypted separately
- Data synced to your EHR/PM (electronic health record / practice management) system via encrypted API connection
We never sell or share patient data. We don't use it to train our models. It stays in your account, under your control.
What You're Responsible For
HIPAA is a shared responsibility. You handle:
- Obtaining consent: Make sure patients know calls may be recorded
- Training your team: Anyone accessing the dashboard should understand PHI handling
- Device security: The devices used to access 24CallDesk should be secured
- Breach notification: If you suspect a breach involving our system, notify us immediately
We provide the secure infrastructure. You provide the compliant processes around it.
Common Healthcare Scenarios
Appointment Reminders
```
AI: "Hi, this is a reminder from Dr. Martinez's office about your
appointment tomorrow at 2pm. Reply CONFIRM to confirm or RESCHEDULE
if you need a different time."
```
Reminders don't include sensitive health details, just the time, date, and provider name.
Prescription Refill Requests
```
Patient: "I need to refill my prescription."
AI: "I can help with that. To verify your account, can you confirm
your date of birth?"
[Verifies identity]
AI: "Got it. I'll send a refill request to your pharmacy. They
should have it ready within 24 hours. Anything else?"
```
The AI verifies identity before accessing any account-specific information.
Test Results
We recommend sensitive results be delivered by clinical staff:
```
Patient: "Are my test results back?"
AI: "I see you have results available. For test results,
Dr. Martinez prefers to discuss them directly. I can
schedule a call with her team. What time works for you?"
```
You configure what the AI can and can't share.
Configuration for Healthcare
Additional healthcare-specific settings:
- Emergency escalation: Urgent health situations transfer to staff immediately
- Sensitive topic handling: Configure what the AI can and cannot discuss
- Identity verification: Require patient verification before sharing account details
- Clinical staff routing: Route medical questions to appropriate personnel
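The scenarios and settings above describe a gate that runs before the assistant answers: verify identity before touching account data, route sensitive topics to staff, escalate emergencies, and keep reminders to the minimum necessary fields. The following is an added example showing one way to structure that gate as deny-by-default policy code; it is not 24CallDesk code, and the class names, topic labels and sample configuration values are hypothetical.

```python
"""Deny-by-default response gate for a healthcare call assistant.

Added example, not 24CallDesk code. It models the healthcare settings
listed above (emergency escalation, sensitive topic handling, identity
verification, clinical staff routing) as a policy check that runs before
the assistant speaks, plus a minimum-necessary filter for reminders.
All names, topic labels and config values are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ANSWER = "answer"            # assistant may respond with the requested data
    VERIFY = "verify"            # ask the caller to verify identity first
    ROUTE_STAFF = "route_staff"  # hand off to clinical staff
    ESCALATE = "escalate"        # immediate transfer for urgent situations


@dataclass
class HealthcarePolicy:
    # Topics the assistant may handle itself once the caller is verified.
    account_topics: frozenset = frozenset({"appointment", "refill"})
    # Topics always routed to clinical staff, even for a verified caller.
    staff_only_topics: frozenset = frozenset({"test_results", "diagnosis"})
    # Fields an outbound reminder may carry (minimum necessary principle).
    reminder_fields: frozenset = frozenset({"time", "date", "provider"})


@dataclass
class CallState:
    customer_id: str
    identity_verified: bool = False
    # Each decision is recorded so access to account data can be audited.
    audit: list = field(default_factory=list)


def decide(policy: HealthcarePolicy, state: CallState, intent: str) -> Action:
    """Return the action for a caller intent and append an audit entry."""
    if intent == "emergency":
        action = Action.ESCALATE
    elif intent in policy.staff_only_topics:
        action = Action.ROUTE_STAFF
    elif intent in policy.account_topics:
        # Account-specific data is released only after verification.
        action = Action.ANSWER if state.identity_verified else Action.VERIFY
    else:
        # Unknown intents go to staff rather than letting the model guess.
        action = Action.ROUTE_STAFF
    state.audit.append((intent, state.identity_verified, action.value))
    return action


def build_reminder(policy: HealthcarePolicy, appointment: dict) -> dict:
    """Drop every field not on the reminder allowlist (e.g. visit reason)."""
    return {k: v for k, v in appointment.items() if k in policy.reminder_fields}


def run_refill_scenario():
    """Worked scenario: refill request before and after identity verification."""
    policy = HealthcarePolicy()
    state = CallState(customer_id="clinic-demo")  # constructed sample value
    first = decide(policy, state, "refill")        # not verified yet -> VERIFY
    state.identity_verified = True                 # date of birth confirmed
    second = decide(policy, state, "refill")       # verified -> ANSWER
    third = decide(policy, state, "test_results")  # verified but staff-only -> ROUTE_STAFF
    return first, second, third, state.audit


if __name__ == "__main__":
    print(run_refill_scenario())
    print(build_reminder(HealthcarePolicy(), {
        "time": "2pm", "date": "tomorrow",
        "provider": "Dr. Martinez", "reason": "lab review",  # constructed sample
    }))
```

The order of the checks matters: the emergency and staff-only branches come before the verification branch, so a verified caller still cannot pull test results from the assistant, and an unrecognised intent falls through to staff rather than to an answer. The audit list mirrors the access logging the page describes; in a real deployment it would be written to the same log that records dashboard access.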
Questions
Do you sign BAAs? Yes. Contact support@24calldesk.com.
Where is data stored? US-based infrastructure via Vercel and Railway with HIPAA-eligible services.
How long are recordings kept? You control retention. Default is 90 days, configurable to your requirements.
Can staff access call recordings? Yes, with proper permissions. All access is logged.
What happens if there's a breach? We notify you within 24 hours of discovery. Our incident response plan meets HIPAA requirements for breach notification.
For healthcare-specific pricing and integration support, contact support@24calldesk.com.
