
HIPAA · BAA included

HIPAA-compliant communications.

DialPhone is a HIPAA-compliant VoIP phone system and communications platform. Healthcare practices, payers, and life-sciences organizations use DialPhone for patient calls, SMS reminders, telehealth meetings, and AI receptionists under a signed BAA at no additional cost.

Updated April 20, 2026 · Reviewed by the DialPhone Compliance Office

The short version

5 things you need to know

  • BAA included on Advanced ($34), Ultra ($54), and all Contact Center plans, no surcharge.
  • Covered: calls, recordings, SMS, fax, video, team chat, AI transcripts, AI Receptionist, contact center.
  • Technical controls: end-to-end encryption, audit logs, PHI redaction, minimum-necessary access.
  • 72-hour breach notification SLA with written root-cause and remediation.
  • Pre-built EHR integrations (Epic, Cerner, athenahealth) + FHIR API for custom workflows.

How to get a BAA signed

The BAA is a short, standard agreement. Most customers e-sign in the portal in under 3 minutes. If your legal team requires red-lines, our compliance team responds within one business day.

  1. Upgrade to Advanced, Ultra, or any Contact Center tier (the BAA requires an eligible plan).
  2. Email [email protected] with subject "BAA request".
  3. Review the Business Associate Agreement. It is a standard agreement; most customers need no red-lines, and legal review is welcome.
  4. E-sign with an authorized signatory. The BAA activates immediately; a confirmation email is sent to the account admin.
  5. Enable PHI redaction, audit log export, and minimum-necessary access policies inside Admin → Security.

HIPAA safeguards

Every HIPAA Security Rule safeguard category (technical, administrative, and physical) is mapped to an implemented control, audited annually against SOC 2 Type II and HIPAA Security Rule requirements.

Technical safeguards

Access control
Unique user IDs, role-based permissions, automatic logoff, SSO/SAML, MFA enforcement.
Encryption in transit
TLS 1.3 for signaling, SRTP with AES-256 for voice media, DTLS for WebRTC meetings.
Encryption at rest
AES-256-GCM for recordings, transcripts, voicemails, SMS, and fax images. Hardware-backed KMS.
Audit controls
Immutable audit logs for every read/write of PHI, retained 6 years, exportable to customer SIEM.
Integrity controls
Signed recordings with SHA-256 hashes. Tamper-evident storage.
Transmission security
Geo-diverse carrier routes, STIR/SHAKEN A-level attestation, DDoS protection.
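The integrity and audit controls above (SHA-256 hashes on recordings, tamper-evident storage, immutable audit logs of every PHI read and write) can be illustrated with a small verification routine. The following is an added example, not DialPhone's code; it assumes a constructed signing key (in practice fetched from an HSM or KMS and never stored next to the log) and constructed recording bytes and audit events. It shows why a bare hash is not enough (a tampered file can simply be re-hashed) and how a hash chain makes any edit or deletion in the log detectable on verification.

```python
"""Tamper-evident recording integrity and hash-chained audit log.

Illustrative example only (not DialPhone code). The key, recording bytes and
audit events below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed signing key; a real deployment would fetch it from an HSM/KMS
# held by a service separate from whoever writes the log.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def recording_digest(data: bytes) -> str:
    """SHA-256 of the recording bytes, stored alongside the object."""
    return hashlib.sha256(data).hexdigest()


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the digest, so a tampered file cannot just be re-hashed."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_recording(data: bytes, digest: str, signature: str,
                     key: bytes = SIGNING_KEY) -> bool:
    """True only if both the content hash and its signature still match."""
    if not hmac.compare_digest(recording_digest(data), digest):
        return False
    return hmac.compare_digest(sign_digest(digest, key), signature)


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, action: str, resource: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "resource": resource, "prev_hash": prev}
        payload = json.dumps(body, sort_keys=True).encode()
        body["entry_hash"] = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every entry hash and the chain; any edit or gap fails."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Sign a constructed recording, log two PHI reads, then simulate tampering."""
    recording = b"RIFF....constructed audio bytes for the demo"
    digest = recording_digest(recording)
    signature = sign_digest(digest)

    log = AuditLog()
    log.append("dr.smith", "READ", "recording/123")
    log.append("nurse.lee", "READ", "recording/123")
    ok_before = verify_recording(recording, digest, signature) and log.verify()

    # Simulated tampering: rewrite who performed the first read, and alter the file.
    log.entries[0]["actor"] = "someone.else"
    tampered_recording = recording + b"x"
    return {
        "ok_before": ok_before,
        "log_ok_after": log.verify(),
        "rec_ok_after": verify_recording(tampered_recording, digest, signature),
    }


if __name__ == "__main__":
    print(demo())
```

The chain only proves tampering to someone who holds the key and a trusted copy of the latest entry hash; exporting the head hash to a customer SIEM (as the audit controls entry describes) is what stops a log from being silently rewritten from the start.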

Administrative safeguards

Security Officer
Named CISO, quarterly risk analysis, documented incident response.
Workforce training
Annual HIPAA training required for all staff with PHI access. Policies re-certified every 12 months.
Minimum-necessary access
Customer support cannot read PHI unless explicit break-glass approval is granted and logged.
Incident response
24-hour detection SLA, 72-hour written breach notification, post-mortem shared with customer.
Business Associate Agreements
Every subprocessor handling PHI has a signed BAA. Subprocessor list public.
Annual risk assessment
Third-party HIPAA security risk assessment, findings remediated against published timeline.

Physical safeguards

Data center security
SOC 2 + ISO 27001 certified facilities. 24/7 guarded, biometric access, CCTV, redundant power.
Workstation security
Managed-device enforcement (MDM), full-disk encryption, remote wipe for all staff laptops.
Media disposal
NIST 800-88 sanitization for retired drives. Certificates of destruction on request.

What’s covered under the BAA

Feature                                            BAA status
Business phone (calls, voicemail, recording)       Covered
Video meetings and webinars                        Covered
Team messaging and file sharing                    Covered
Business SMS and MMS                               Covered (with PHI-redaction option)
Online fax (cloud fax)                             Covered
Contact center (omnichannel)                       Covered on all CCaaS tiers
AI meeting summaries, transcripts, SMS drafting    Covered; PHI tokens redacted before model processing
AI Receptionist (Smart Virtual Concierge)          Covered; HIPAA-compliant intent handling
Analytics and reporting                            Covered; PHI-scrubbed reports available

Not covered (and why)

  • Free trial accounts (BAA not active until paid plan is signed)
  • Core plan without BAA upgrade (BAA requires Advanced or higher)
  • Customer-installed third-party integrations outside the DialPhone subprocessor list
  • Public social-media channel connectors (LinkedIn, public Twitter), which are excluded under the HIPAA minimum-necessary standard
  • International numbers in countries where DialPhone does not hold a BAA-eligible license

HIPAA-compliant VoIP: what a phone system must do

DialPhone is a HIPAA-compliant VoIP phone system: voice, video, SMS, and fax delivered over the internet rather than legacy copper lines. VoIP itself is not automatically HIPAA-compliant. A VoIP provider transmits, processes, and often records protected health information (PHI), which makes it a Business Associate under HIPAA. Compliance depends on the controls the vendor implements and the agreement it signs, not on the technology label.

The single non-negotiable requirement is a signed Business Associate Agreement. No VoIP service can be used for PHI without a BAA in place; consumer-grade calling apps that refuse to sign one cannot be used by a covered entity. DialPhone signs a BAA on every Advanced, Ultra, and Contact Center plan at no extra cost, which is what makes the platform a HIPAA-compliant VoIP phone system rather than ordinary internet calling.

Beyond the BAA, a HIPAA-compliant phone system has to enforce the HIPAA Security Rule end to end. Voice and video must be encrypted in transit; DialPhone uses TLS 1.3 for signaling and SRTP with AES-256 for media, so calls cannot be intercepted in the clear as they cross the public internet. Recordings, voicemails, transcripts, faxes, and SMS containing PHI must be encrypted at rest with AES-256 and hardware-backed key management. The system must apply access controls (unique user IDs, role-based permissions, MFA, and automatic logoff) so only authorized staff reach PHI, and it must keep immutable audit logs of every read and write of PHI, retained six years and exportable to a customer SIEM.

Put together, that is the checklist for any HIPAA-compliant phone system: a signed BAA, encryption in transit and at rest, granular access controls, audit logging, and a vendor that holds BAAs with every subprocessor touching PHI. DialPhone maps each item to an implemented, annually audited control; the full breakdown is in the HIPAA safeguards section above. The result is a HIPAA-compliant VoIP platform healthcare practices can use for patient calls, appointment reminders, and telehealth without standing up separate compliant infrastructure.

Healthcare use cases DialPhone supports

  • Patient intake & appointment reminders: AI Receptionist + SMS with PHI redaction.
  • Telehealth visits: HIPAA-eligible video meetings with transcript on request.
  • Clinical call centers: omnichannel contact center with minimum-necessary routing.
  • Pharmacy refill lines: IVR and SMS workflows with EHR sync.
  • Medical device support: multi-site contact center with audit-grade recording.
  • Health plan member services: AI coaching and PCI-DSS for co-pay capture.

Read the dedicated healthcare solutions page for implementation playbooks.

HIPAA compliance FAQ

Is DialPhone HIPAA compliant?

Yes. DialPhone meets the HIPAA Privacy, Security, and Breach Notification rules and signs a Business Associate Agreement (BAA) with customers on Advanced, Ultra, and Contact Center plans. BAAs are signed at no additional cost.

How do I get a BAA signed?

Upgrade to Advanced or higher, then email [email protected] with subject "BAA request". The BAA is e-signed in under 3 minutes. No legal back-and-forth required for the standard agreement.

Which plans include a BAA?

Advanced ($34/user/mo), Ultra ($54/user/mo), all Contact Center tiers (Standard $65, Professional $95, Elite $145, Enterprise custom), and all AI add-ons purchased alongside a BAA-eligible plan. Core does not include a BAA; upgrade to Advanced to enable healthcare use.

Does the AI process PHI?

AI features operate on transcripts and message bodies only after PHI tokens are detected and redacted or tokenized. Raw PHI is never passed to shared foundation models. Customer workspaces using opt-in fine-tuning keep data isolated; it is never blended with other customers' data.
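The detect-then-tokenize boundary described above is the key design point: the model call sits behind a step that replaces PHI with reversible tokens, and the mapping stays in the workspace. The example below is added here to show that boundary in working code; it is not DialPhone's implementation, and its regex detectors, known-name list, constructed transcript and stand-in model function are all assumptions (a production detector would combine patterns with a trained PHI/NER model). It also adds a leak check that refuses to call the model if any vault value still appears in the prompt, and re-inserts the PHI into the model output only inside the workspace.

```python
"""Tokenize PHI before a model call, then restore it on the way back.

Illustrative example only (not DialPhone code). The patterns, transcript
and model stand-in are constructed for the demonstration.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed detector patterns. MRN and SSN come before PHONE so that a
# long numeric identifier is never partially matched as a phone number.
PATTERNS = [
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

# Constructed transcript; names and numbers are invented.
TRANSCRIPT = (
    "Hi, this is Maria Gomez, MRN 00123456, calling about my appointment on "
    "03/14/2026. My callback number is 555-123-4567 and my email is "
    "maria.gomez@example.com."
)


def tokenize_phi(text: str, known_names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace PHI with stable tokens like [PHONE_1]; return text and token vault."""
    vault: Dict[str, str] = {}            # token -> raw value (stays in workspace)
    reverse: Dict[Tuple[str, str], str] = {}
    counters: Dict[str, int] = {}

    def token_for(kind: str, raw: str) -> str:
        key = (kind, raw.lower())         # same value, same token, any case
        if key not in reverse:
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]}]"
            reverse[key] = token
            vault[token] = raw
        return reverse[key]

    out = text
    # Names come from the patient record (assumed known), longest first so a
    # full name is tokenized before any shorter fragment of it.
    for name in sorted(known_names, key=len, reverse=True):
        out = re.sub(re.escape(name), lambda m: token_for("NAME", m.group(0)),
                     out, flags=re.IGNORECASE)
    for kind, pattern in PATTERNS:
        out = pattern.sub(lambda m, k=kind: token_for(k, m.group(0)), out)
    return out, vault


def leaks_phi(text: str, vault: Dict[str, str]) -> List[str]:
    """Vault values that still appear verbatim in text bound for the model."""
    lower = text.lower()
    return [raw for raw in vault.values() if raw.lower() in lower]


def restore(text: str, vault: Dict[str, str]) -> str:
    """Re-insert the original PHI into model output, inside the workspace."""
    for token, raw in vault.items():
        text = text.replace(token, raw)
    return text


def fake_model(prompt: str) -> str:
    """Stand-in for a foundation-model call; it only ever sees tokenized text."""
    caller = prompt.split("this is ")[1].split(",")[0]
    return "Callback requested by " + caller


def run_pipeline(transcript: str, known_names: List[str],
                 model: Callable[[str], str]) -> str:
    """Tokenize, refuse on leak, call the model, restore PHI locally."""
    redacted, vault = tokenize_phi(transcript, known_names)
    leaked = leaks_phi(redacted, vault)
    if leaked:
        raise ValueError(f"refusing model call, PHI still present: {leaked}")
    return restore(model(redacted), vault)


if __name__ == "__main__":
    redacted_text, token_vault = tokenize_phi(TRANSCRIPT, ["Maria Gomez"])
    print(redacted_text)
    print(run_pipeline(TRANSCRIPT, ["Maria Gomez"], fake_model))
```

The vault is the sensitive artifact: it must be encrypted at rest and access-logged like any other PHI store, and it should never travel with the prompt. The leak check is deliberately a hard failure rather than a warning, because a silently skipped redaction is exactly the failure mode that puts raw PHI in front of a shared model.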

Where is PHI stored?

US-region data centers by default (Virginia, Oregon). EU customers can request EU-only residency. Data never crosses region boundaries unless the customer explicitly enables cross-region replication for disaster recovery.

Is call recording HIPAA compliant?

Yes. Recordings are encrypted at rest (AES-256), access-controlled, audit-logged, and integrity-hashed. Retention is configurable (30 days to 10 years). PHI redaction on transcripts is available as a one-click toggle.

Is the AI Receptionist HIPAA compliant?

Yes. The Smart Virtual Concierge handles patient intake, appointment scheduling, and PHI-aware routing under the BAA. Multilingual HIPAA-compliant voice prompts are included.

How long does DialPhone retain PHI?

Retention is customer-controlled (default 2 years, configurable 30 days to 10 years). Audit logs are retained 6 years per HIPAA §164.316(b)(2)(i). Upon account termination, data is deleted within 30 days from primary storage and 90 days from backups. Certificate of destruction on request.

What happens in the event of a breach?

Detected incidents are reported to the customer within 24 hours. If a reportable breach is confirmed, written notification is delivered within 72 hours with affected records, root cause, remediation steps, and post-mortem. DialPhone cooperates with HHS OCR investigations.

Are there HIPAA-specific features I need to turn on?

After the BAA is signed, enable these in Admin → Security: (1) PHI redaction on transcripts and SMS, (2) audit log SIEM export, (3) 30-day minimum-necessary access policy, (4) automatic off-hours logoff, (5) encryption-at-rest key rotation. The onboarding team walks through this on a 30-minute call.

Do you work with specific EHR systems?

Yes: bi-directional integrations with Epic, Cerner, athenahealth, and Salesforce Health Cloud. Custom FHIR integrations are available through the API. See the integrations catalog or the healthcare solution page.

Can DialPhone staff access my PHI?

No, not by default. Customer support is trained not to request or view PHI. Break-glass access for critical troubleshooting requires dual approval, time-bounded access, and a logged audit event visible to the customer.

Is VoIP HIPAA compliant?

VoIP is not HIPAA compliant by default. Because a VoIP provider transmits, processes, and records PHI, it is a HIPAA Business Associate, and it can only be used for healthcare communication once a Business Associate Agreement is signed and the HIPAA Security Rule is enforced (encryption in transit and at rest, access controls, and audit logs). DialPhone is a HIPAA-compliant VoIP phone system: it signs a BAA on Advanced, Ultra, and Contact Center plans at no extra cost and implements every required safeguard.

What makes a phone system HIPAA compliant?

A HIPAA-compliant phone system needs five things: a signed BAA with the provider, end-to-end encryption in transit (TLS 1.3, SRTP/AES-256), encryption at rest (AES-256) for recordings, voicemails, transcripts, and SMS, role-based access controls with unique user IDs and MFA, and immutable audit logs of every PHI access retained six years. The provider must also hold BAAs with every subprocessor handling PHI. DialPhone maps each requirement to an audited control.
