Compliance & Security
HIPAA, BAA, call-recording laws, data retention, and security practices.
- HIPAA & FrontDesk (overview): FrontDesk is built to be HIPAA-eligible for healthcare practices. Call audio, transcripts, patient records, and AI summaries all live in HIPAA-eligible infrastructure (AWS), encrypted at rest and in transit. We sign a Business Associate Agreement (BAA) with practices on qualifying plans before any real patient data is processed. This article is the overview; see "Sign your BAA" for the how-to.
- Sign your Business Associate Agreement (BAA): HIPAA requires a signed Business Associate Agreement between you (covered entity) and us (business associate) before we can handle PHI on your behalf. Sign electronically from Settings → Organization → HIPAA Compliance. Takes 2 minutes; valid for the life of your account.
- Understand call recording consent: 13 US states require all parties on a call to consent to recording. FrontDesk auto-detects when a caller is in a two-party state and plays a consent prompt at the start of the call. If the caller declines, the call continues without recording; if the caller accepts, the full audio is recorded.
- Data retention and deletion: Defaults differ by data type and by whether you're a healthcare org. Call recordings are kept 7 years (healthcare) or 1 year (non-healthcare), transcripts the same, patient records indefinitely, and audit logs 6 years. All defaults are configurable, and you can honor individual deletion requests with the per-patient delete tool.