HIPAA-Compliant AI Phone Answering — What Dental Practices Need to Know

AI phone answering services are transforming how dental practices handle calls. But not all services are created equal when it comes to HIPAA compliance. Using a non-compliant service to handle patient calls — even basic scheduling calls that mention patient names and appointment details — violates HIPAA and exposes your practice to penalties of $100 to $50,000 per violation.

What Makes an AI Service HIPAA Compliant

1. Business Associate Agreement (BAA) — The AI vendor must sign a BAA with your practice. This is the single most important document. No BAA = no HIPAA compliance, regardless of what their marketing says.
2. Encrypted data transmission — All call data, transcripts, and patient information must be encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
3. Access controls — Only authorized personnel should be able to access call recordings and patient data. Role-based access with audit trails is the standard.
4. Data retention policies — The vendor must have documented policies for how long call data is retained and how it is disposed of.
5. Breach notification — The vendor must notify you within 60 days of any data breach, as required by HIPAA.

Red Flags to Watch For

• The vendor says they are 'HIPAA compatible' instead of 'HIPAA compliant' — these are not the same thing
• They will not sign a BAA or say it is 'not necessary for phone services'
• Call recordings are stored on servers without encryption
• No documented data retention or breach notification policies
• Consumer-grade AI (ChatGPT wrapper) marketed as healthcare-ready without proper safeguards

What Hazel Does

Hazel is HIPAA compliant with a signed BAA included for every customer. All call data is encrypted in transit and at rest. Access is role-based with audit trails. Data retention follows HIPAA minimum necessary standards. Hazel was built for healthcare from day one — not retrofitted from a consumer product.