HIPAA & FrontDesk — overview

FrontDesk is built to be HIPAA-eligible for healthcare practices. Call audio, transcripts, patient records, and AI summaries all live in HIPAA-eligible infrastructure (AWS), encrypted at rest and in transit. We sign a Business Associate Agreement (BAA) with practices on qualifying plans before any real patient data is processed. This article is the overview — see "Sign your BAA" for the how-to.

Updated May 1, 2026. 2 min read.

What HIPAA actually requires

HIPAA (the Health Insurance Portability and Accountability Act) applies to Covered Entities (most healthcare providers) and their Business Associates (vendors who handle PHI on their behalf). It requires:

  • A signed Business Associate Agreement (BAA) between the Covered Entity and any Business Associate that handles Protected Health Information (PHI).
  • Administrative, physical, and technical safeguards for that PHI — access controls, audit logs, encryption, breach notification, etc.
  • Minimum necessary access — staff and vendors should only see the PHI they need to do their job.

When your AI receptionist answers a call from your patient, the call audio, the transcript, the patient's name and phone number, and any clinical content they mention are PHI. That means FrontDesk is acting as a Business Associate to your practice.

How FrontDesk meets the technical bar

Safeguard: how we do it

  • Encryption at rest: AES-256 on all databases, S3 buckets, and audio storage.
  • Encryption in transit: TLS 1.2+ on every API call, WebRTC media stream, and SIP trunk.
  • Access controls: Per-user roles inside your practice; principle of least privilege internally; SSO and 2FA available.
  • Audit logs: Every PHI access (by your team or by FrontDesk staff) is logged and retained for 6 years.
  • Data residency: U.S.-based AWS regions only.
  • Sub-processors: Listed in-app under Settings → Compliance. Every sub-processor that touches PHI has signed a BAA with us.
  • Breach notification: We notify Covered Entities within the 60-day maximum that HIPAA's Breach Notification Rule allows a Business Associate after discovering a breach; our internal target is 72 hours.
  • AI training: Your patient data is never used to train generic AI models. Period.

How FrontDesk handles the administrative side

  • BAA on every qualifying plan. No extra cost, no negotiation friction. See "Sign your BAA" for the request flow.
  • Workforce training. All FrontDesk staff with PHI access complete annual HIPAA training.
  • Documented policies. Our Security & Privacy Whitepaper is available under NDA on request.
  • Incident response. Documented runbooks, on-call rotation, breach disclosure process.

What's still on you

A signed BAA is not a magic wand. You still need to:

  • Restrict team access. Don't share logins. Use real per-person team accounts (Settings → Team).
  • Don't paste PHI into unrelated tools. Don't copy a transcript into ChatGPT, Slack, or a public ticket.
  • Get patient consent where state law requires it for call recording (all-party-consent states, often called two-party-consent states). See "Call recording and consent."
  • Set a retention policy that matches your practice (Settings → Compliance → Retention). The default is reasonable; some practices want shorter.
  • Respond to patient requests for their data within HIPAA's timelines (the right of access generally requires a response within 30 days of the request).

Frequently asked questions

Is FrontDesk HIPAA-compliant out of the box?
'HIPAA-compliant' isn't a checkbox — it's a shared responsibility between you and us. FrontDesk is HIPAA-eligible on qualifying plans, meaning the platform meets HIPAA's technical and administrative safeguards AND we'll sign a BAA. You still have to use it correctly (don't paste PHI into unrelated tools, restrict team access, etc.).
Do I need a BAA before I can take real calls?
If you're a Covered Entity (a healthcare provider) or a Business Associate, yes. You can run test calls with fake data before signing, but route real patient calls only after the BAA is countersigned.
Which plans include a BAA?
All paid plans intended for healthcare use include a BAA at no extra cost. Free trial accounts can request a BAA before going live. See "Sign your BAA" for the request flow.
Where does my data physically live?
U.S.-based AWS regions. Audio, transcripts, and database records are encrypted at rest (AES-256) and in transit (TLS 1.2+). We do not train AI models on your patient data.
Can OpenAI / Twilio / our other AI sub-processors see my PHI?
Only the sub-processors that have signed a BAA with us, and only for the minimum data needed to process a call. We maintain a current sub-processor list in your account under Settings → Compliance.
What if a patient asks for their data?
Use Settings → Compliance → Data requests to export or delete a patient's records. We respond to documented patient access/deletion requests within HIPAA's timelines.
