HIPAA Compliance

Learn how to ensure privacy when using Vapi’s voice assistant platform.

Introduction to Privacy at Vapi

At Vapi, we are committed to delivering exceptional voice assistant services while upholding the highest standards of privacy and data protection for our users. We understand the importance of balancing service quality with the need to respect and protect personal and sensitive information. Our privacy policies and practices are designed to give you control over your data while benefiting from the full capabilities of our platform.

Understanding HIPAA Compliance Basics

The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality. The key concepts of HIPAA compliance include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets standards for the security of electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. By enabling the hipaaEnabled configuration in Vapi’s voice assistant platform, you are taking a significant step towards aligning your operations with these HIPAA principles, ensuring that your use of technology adheres to these critical privacy and security standards.

Understanding Default Settings

By default, Vapi records your calls and stores logs and transcriptions. This practice is aimed at continuously improving the quality of our service, ensuring that you receive the best possible experience. However, we recognize the importance of privacy and provide options for users who prefer more control over their data.

Opting for Privacy: The HIPAA Compliance Option

For users prioritizing privacy, particularly in compliance with the Health Insurance Portability and Accountability Act (HIPAA), Vapi offers the flexibility to opt out of our default data recording settings. Choosing HIPAA compliance through our platform ensures that you can still use our voice assistant services without compromising on privacy requirements.

Enabling HIPAA Compliance

HIPAA compliance can be ensured by enabling the hipaaEnabled configuration in your assistant settings. This simple yet effective setting guarantees that no call logs, recordings, or transcriptions are stored during or after your calls. An end-of-call report message will be generated and stored on your server for record-keeping, ensuring compliance without storing sensitive data on Vapi’s systems.

To enable HIPAA compliance, set hipaaEnabled to true within your assistant’s configuration:

1{
2 "hipaaEnabled": true
3}

Note: The default value for hipaaEnabled is false. Activating this setting is a proactive measure to align with HIPAA standards, requiring manual configuration adjustment.

FAQs

Enabling HIPAA compliance does not degrade the quality of the voice assistant services. However, it limits access to certain features, such as reviewing call logs or transcriptions, that some users may find valuable for quality improvement purposes.

This feature is particularly useful for businesses and organizations in the healthcare sector or any entity that handles sensitive health information and must comply with HIPAA regulations.

Yes, users can toggle the hipaaEnabled setting as needed. However, we recommend carefully considering the implications of each option on your data privacy and compliance requirements.

Where can PHI be used with Vapi?

When using Vapi with PHI, you may only pass PHI through the /call endpoint. All other endpoints in the API Reference should not contain PHI. For example, you should not put PHI in an /assistant prompt or in a /phone-number label. The restriction applies to all configuration endpoints where data would be stored on Vapi’s platform.

No, there are no designated “HIPAA-safe endpoints.” Instead, when hipaaEnabled is turned on, Vapi will only use HIPAA-compliant services (such as Azure OpenAI) for processing PHI through the pipeline. The voice pipeline (STT → LLM → TTS) can process PHI when properly configured, but Vapi does not store this data.

HIPAA Compliance Configuration

Enable hipaaEnabled at the organization level. This ensures that all appropriate compliance measures are in place across your Vapi implementation. You can also toggle HIPAA-compliance at the assistant-level by setting Assistant.compliancePlan.hipaaEnabled=true in your configuration.

No. Even when using your own HIPAA-compliant provider keys, it remains your responsibility not to store PHI via Vapi’s endpoints. The model keys are a separate concern from the storage of PHI on Vapi’s platform. You must both use HIPAA-compliant keys AND ensure you’re not storing PHI on Vapi.

Best Practices

  • Enable hipaaEnabled at the organization level
  • Ensure that PHI only passes through the call pipeline and is not stored in configuration
  • Use HIPAA-compliant enterprise accounts with all third-party providers (STT, LLM, TTS)
  • Be mindful of test/demo assistants where compliance might be turned off for testing purposes - never use these with real PHI
  • Remember that with HIPAA compliance enabled, Vapi won’t store logs, recordings, or transcriptions

Yes, but be extremely careful. If you have test or demo assistants where HIPAA compliance is turned off for testing purposes, ensure you never intermingle these with real PHI. It’s safest to enable HIPAA compliance at the organization level to avoid accidental misconfigurations.

Under the Business Associate Agreement (BAA), you agree:

  1. Not to introduce PHI onto Vapi’s platform through its API or dashboard except as permitted
  2. To use HIPAA-compliant accounts with external providers when providing keys
  3. Not to use underlying providers through Vapi without having HIPAA-compliant enterprise accounts with those providers
  4. To use the platform in accordance with all BAA requirements

Need Further Assistance?

If you have more questions about privacy, HIPAA compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at security@vapi.ai for personalized assistance and more information on how to make the most of Vapi’s voice assistant platform while ensuring your data remains protected.