HIPAA and MedSpas: What You Actually Need to Know Before Using an AI Phone Agent
MedSpas, therapists, and cosmetic practices often fall into HIPAA's scope without realizing it. Here's what that actually means for your phone agent setup.
Ed
HIPAA, MedSpa, therapist, patient privacy, AI compliance
Ask three MedSpa owners whether they're a HIPAA-covered entity and you'll get three different answers — usually "no," "maybe," and "I thought my EHR handles that." It's the single most common compliance question we get, and the stakes are real once you bring an AI phone agent into the picture.
This is the plain-English version. It's not legal advice — we'll say that up front. If the answer below sounds like it matters to your practice, talk to a healthcare attorney. But the vast majority of operators we talk to don't even know which questions to ask, so let's start there.
First: are you actually covered?
HIPAA applies to "covered entities" and their "business associates." You are almost certainly a covered entity if either of these is true:
You're a provider who transmits any health information electronically in connection with a HIPAA-covered transaction (most common: billing insurance). This sweeps in most therapists, any cosmetic practice that bills medical insurance for any procedure, and MedSpas with a physician/NP who files any claims.
Your MedSpa operates under a medical director who prescribes treatments (injectables, laser, anything requiring a standing order). Even if you're cash-only, the physician relationship and the handling of patient medical records typically pulls you in.
You're likely not covered if you're a pure-cash aesthetic business that does no medical procedures, keeps no medical records, and never bills insurance — think eyelash extensions, basic facials, massage. The gray zone is wider than people think, though, and the safer default is to assume you're covered and build accordingly.
Therapists: if you see clients and keep records in any clinical capacity, assume HIPAA. There are narrow exceptions for pastoral counseling and life coaching, but most licensed therapists are covered.
What a phone call has to do with HIPAA
Anything that reveals Protected Health Information (PHI) during a call falls under HIPAA. PHI is broader than most people think — it's not just diagnoses. A caller saying "I'm calling about my appointment for the Juvederm consult" plus their name and phone number is PHI. A therapist's intake line capturing a first name and a reason for calling is PHI.
That means if your phone agent — AI or human — captures, transmits, or stores any of that, the agent's infrastructure is in scope.
What to demand from an AI phone agent vendor
If you're a covered entity, the non-negotiables:
1. A signed Business Associate Agreement (BAA). This is the single biggest tell. Any vendor that can't or won't sign one is either not a HIPAA-capable product or doesn't understand the space. Walk away.
2. Encryption in transit and at rest. Standard but worth confirming. TLS for voice streams, AES-256 for storage.
3. Clear data retention and deletion policies. How long are call recordings kept? Where? Who can access them? Can you delete a specific caller's data on request (a patient's right of access / right to amend under HIPAA)?
4. Controlled sub-processors. If the vendor uses a voice model from another provider (OpenAI, ElevenLabs, Google), that sub-processor also needs a BAA with the vendor. Ask to see the list.
5. Audit logs. You should be able to see who accessed what, when.
If any of these answers are vague, that's your answer.
Three things that look compliant but aren't
A few patterns we see that catch people out:
"We use AWS so we're HIPAA-compliant." AWS has HIPAA-eligible services, but hosting on AWS does not make an application HIPAA-compliant. The vendor still needs the BAA, the configuration, the controls, and the processes.
"We transcribe calls with ChatGPT." The consumer ChatGPT product is not a HIPAA-covered service. OpenAI has enterprise tiers that are, under the right agreements. If the vendor can't tell you which tier and show you the BAA, they're out of scope.
"We delete calls after 30 days." Good — but where are they during those 30 days? Who can listen to them? Are they copied for model training? The policy matters less than the plumbing.
What changes for MedSpas specifically
MedSpas have a unique wrinkle: callers often don't know they're sharing PHI when they are. "I'm calling about my Botox appointment" is PHI. A prospective patient describing a skin condition they want treated is PHI. Your AI agent needs to handle that language naturally without recording or transmitting it outside your compliant environment.
For therapists, the bar is effectively higher. Mental health information is treated with extra sensitivity in many states, and a phone line is often where the most sensitive disclosures happen.
A practical checklist
Before you deploy an AI phone agent at a covered practice:
Signed BAA in hand.
You know where call data is stored and for how long.
You've run a test call with realistic PHI and verified retention works as expected.
Staff have a one-page document on when the AI handles a call versus when it routes to a human.
The intake script you give the agent does not invite unnecessary PHI disclosure ("How can I help?" is better than "What medical condition are you calling about?").
Final note
Compliance is not the most exciting part of bringing in an AI phone agent, but it is the part that determines whether you can sleep at night. The good news: the vendors who do this well will answer every question in this post without blinking. The ones who can't are telling you something about how they'll show up when something actually goes wrong.
If you want a straight answer on whether your setup passes muster, we're happy to look at it. That's the kind of call we'd rather handle with a human.