At Vapi, we are committed to delivering exceptional voice assistant services while upholding the highest standards of privacy and data protection for our users. We understand the importance of balancing service quality with the need to respect and protect personal and sensitive information. Our privacy policies and practices are designed to give you control over your data while benefiting from the full capabilities of our platform.
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that sets data privacy and security requirements for safeguarding medical information. HIPAA compliance matters for any entity that handles protected health information (PHI): it requires that patient data be handled, stored, and transmitted with strong security and confidentiality controls. Its key components are the Privacy Rule, which protects individually identifiable health information; the Security Rule, which sets standards for securing electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify affected individuals, HHS, and in some cases the media after a breach of unsecured PHI. Complying with these rules is not only a legal obligation but also a way of building trust with your customers by demonstrating that you protect their sensitive data. Enabling the hipaaEnabled configuration on Vapi’s voice assistant platform is one concrete step towards aligning your use of the platform with these requirements; it does not by itself make your whole system HIPAA compliant, since the rest of your operations (your own servers, staff, and processes) are still your responsibility.
By default, Vapi records your calls and stores logs and transcriptions. This practice is aimed at continuously improving the quality of our service, ensuring that you receive the best possible experience. However, we recognize the importance of privacy and provide options for users who prefer more control over their data.
For users prioritizing privacy, particularly in compliance with the Health Insurance Portability and Accountability Act (HIPAA), Vapi offers the flexibility to opt out of our default data recording settings. Choosing HIPAA compliance through our platform ensures that you can still use our voice assistant services without compromising on privacy requirements.
HIPAA compliance on the Vapi side is controlled by the hipaaEnabled configuration in your assistant settings. With it enabled, Vapi does not keep call logs, recordings, or transcriptions in its normal storage during or after your calls. An end-of-call report message is still generated and sent to your server (your configured server URL) so that you can keep your own records without sensitive data being retained on Vapi’s systems. Note that for HIPAA-enabled organizations, artifacts that do exist are held in a private bucket and can only be retrieved with your Private API Key; see the section on retrieving call artifacts below.
To enable HIPAA compliance, set hipaaEnabled to true within your assistant’s configuration:
Note: hipaaEnabled defaults to false. Nothing turns it on for you; you must set it explicitly, and you should verify the effective value on every assistant that could handle PHI.
When HIPAA compliance is enabled, only HIPAA-compliant providers can be selected for the voice pipeline (speech-to-text, LLM, and text-to-speech); providers that are not HIPAA compliant are not available to a HIPAA-enabled assistant.
Enabling HIPAA compliance does not degrade the quality of the voice assistant services. However, it limits access to certain features, such as reviewing call logs or transcriptions, that some users may find valuable for quality improvement purposes.
This feature is particularly useful for businesses and organizations in the healthcare sector or any entity that handles sensitive health information and must comply with HIPAA regulations.
The hipaaEnabled setting can be toggled on and off as needed. Consider the implications of each change carefully: turning it off restores the default behaviour of recording calls and storing logs and transcriptions, so only do so for assistants that will never handle PHI.
When using Vapi with PHI, you may only pass PHI through the /call endpoint. No other endpoint in the API Reference should ever receive PHI. For example, do not put PHI in an /assistant prompt or in a /phone-number label. The restriction applies to every configuration endpoint, because data sent to those endpoints is stored on Vapi’s platform.
There are no designated “HIPAA-safe endpoints.” Instead, when hipaaEnabled is turned on, Vapi only routes PHI through HIPAA-compliant services (such as Azure OpenAI) in the processing pipeline. The voice pipeline (STT → LLM → TTS) can process PHI when properly configured, but Vapi does not store that data.
Enable hipaaEnabled at the organization level. This ensures that the compliance measures apply across your whole Vapi implementation rather than to individual assistants. You can also enable HIPAA compliance for a single assistant by setting Assistant.compliancePlan.hipaaEnabled=true in its configuration.
Using your own HIPAA-compliant provider keys does not remove this restriction. Even with your own keys, it remains your responsibility not to store PHI via Vapi’s endpoints: the model keys govern where PHI is processed, which is a separate concern from whether PHI is stored on Vapi’s platform. You must both use HIPAA-compliant keys AND ensure you are not storing PHI on Vapi.
When HIPAA mode is enabled, Vapi does not store structured outputs by default. This protects privacy but means you cannot use structured outputs in Insights and Call Logs. For outputs that contain no sensitive data, you can override this behaviour.
You can enable storage for specific structured outputs using the compliancePlan.forceStoreOnHipaaEnabled setting. This allows you to store non-sensitive outputs even when HIPAA mode is active.
Important: Your organization is responsible for ensuring that any structured output with storage enabled does NOT extract or generate PHI or sensitive data. Only use this for non-sensitive information.
Enable storage ONLY for structured outputs that extract non-sensitive, non-PHI information.
Safe use cases:
- appointmentBooked: true/false
- issueResolved: true/false
- issueCategory: "billing" | "technical" | "general"
- csatScore: 1-10
- sentiment: "positive" | "neutral" | "negative"
Never enable storage for:
Warning: Enabling storage for outputs containing PHI violates HIPAA compliance and your BAA with Vapi.
You can enable storage for specific structured outputs via the Dashboard, or via the API by setting compliancePlan.forceStoreOnHipaaEnabled either when creating a structured output or when updating an existing one.
IMPORTANT: Only set forceStoreOnHipaaEnabled: true if you are certain your structured output does NOT extract PHI or sensitive data. Your organization is responsible for ensuring compliance. Misuse could result in BAA violations.
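The three rules above (PHI only via /call, compliancePlan.hipaaEnabled set on every assistant that may handle PHI, and compliancePlan.forceStoreOnHipaaEnabled reserved for non-PHI outputs) are easy to state and easy to break with one mistyped payload. The following is an added example, not Vapi's own code or SDK: a pre-flight gate you can run in CI over the JSON you are about to send to Vapi, which fails closed on any of those mistakes. The payload layouts it inspects (model.messages[].content, firstMessage, a phone-number "name", a structured output's "schema") are assumptions about the request shape, and every helper name, regex, denylist entry, and sample payload is this example's own.

```python
"""Pre-flight policy gate for Vapi HIPAA configuration payloads.

Added example for this page, not Vapi's own code or SDK. It inspects the
JSON you are about to send to Vapi and fails closed when:
  * an assistant lacks compliancePlan.hipaaEnabled == True (default false);
  * PHI-like text sits in a stored field (system prompt, first message,
    phone-number label), which the /call-only rule forbids;
  * a structured output sets compliancePlan.forceStoreOnHipaaEnabled but
    declares schema fields that look like PHI.
Assumptions: the payload layouts used below (model.messages[].content,
firstMessage, phone-number "name", structured-output "schema") and every
helper name, regex and denylist entry are this example's own.
"""
from __future__ import annotations

import re
from typing import Any

# Hypothetical denylist of schema field names that imply PHI extraction.
PHI_FIELD_DENYLIST = {
    "name", "patientname", "fullname", "dob", "dateofbirth", "ssn", "mrn",
    "diagnosis", "medication", "address", "phone", "phonenumber", "email",
    "insuranceid", "memberid",
}

# Hypothetical patterns for identifier shapes that must never be stored.
PHI_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def _norm(field: str) -> str:
    """Fold 'patient_Name' / 'patientName' to 'patientname' for matching."""
    return re.sub(r"[^a-z0-9]", "", field.lower())


def check_text_for_phi(text: str) -> list[str]:
    """Return the names of PHI patterns found in a piece of stored text."""
    return [label for label, pat in PHI_TEXT_PATTERNS.items() if pat.search(text)]


def check_assistant(assistant: dict[str, Any]) -> list[str]:
    """Policy violations for an /assistant payload; an empty list means OK."""
    problems: list[str] = []
    plan = assistant.get("compliancePlan") or {}
    if plan.get("hipaaEnabled") is not True:
        problems.append("compliancePlan.hipaaEnabled is not true (the default is false)")
    # Text Vapi keeps as part of the assistant record: prompt messages and
    # the first message. Per the page, PHI belongs only in /call requests.
    model = assistant.get("model") or {}
    stored_texts = [m.get("content", "") for m in model.get("messages", [])]
    stored_texts.append(assistant.get("firstMessage", ""))
    for text in stored_texts:
        for label in check_text_for_phi(text):
            problems.append(f"PHI-like {label} in stored assistant text")
    return problems


def check_phone_number(phone: dict[str, Any]) -> list[str]:
    """Same rule for a /phone-number record: its label must not carry PHI."""
    return [f"PHI-like {label} in phone-number label"
            for label in check_text_for_phi(phone.get("name", ""))]


def check_structured_output(output: dict[str, Any]) -> list[str]:
    """Allow compliancePlan.forceStoreOnHipaaEnabled only on non-PHI schemas."""
    plan = output.get("compliancePlan") or {}
    if not plan.get("forceStoreOnHipaaEnabled"):
        return []  # not stored under HIPAA mode; nothing to gate
    props = (output.get("schema") or {}).get("properties") or {}
    problems = [f"forceStoreOnHipaaEnabled set but field '{f}' looks like PHI"
                for f in props if _norm(f) in PHI_FIELD_DENYLIST]
    if not props:
        problems.append("forceStoreOnHipaaEnabled set on an output with no declared properties")
    return problems


# Constructed sample payloads (not real data); the "bad" ones model the
# mistakes the page warns about.
SAFE_ASSISTANT = {
    "name": "Clinic intake line",
    "compliancePlan": {"hipaaEnabled": True},
    "model": {"messages": [{"role": "system",
              "content": "You schedule appointments. Never read identifiers back."}]},
    "firstMessage": "Thanks for calling. How can I help?",
}
BAD_ASSISTANT = {
    "name": "demo (HIPAA off)",
    "model": {"messages": [{"role": "system",
              "content": "Caller John Doe, DOB 1980-01-01, MRN 1234567, needs a refill."}]},
}
SAFE_OUTPUT = {
    "name": "call-outcome",
    "compliancePlan": {"forceStoreOnHipaaEnabled": True},
    "schema": {"type": "object", "properties": {
        "appointmentBooked": {"type": "boolean"},
        "issueCategory": {"type": "string", "enum": ["billing", "technical", "general"]},
        "csatScore": {"type": "integer", "minimum": 1, "maximum": 10}}},
}
BAD_OUTPUT = {
    "name": "patient-details",
    "compliancePlan": {"forceStoreOnHipaaEnabled": True},
    "schema": {"type": "object", "properties": {
        "patientName": {"type": "string"}, "diagnosis": {"type": "string"}}},
}


def audit() -> dict[str, list[str]]:
    """Run every check over the samples; any non-empty list should block deploy."""
    return {
        "safe_assistant": check_assistant(SAFE_ASSISTANT),
        "bad_assistant": check_assistant(BAD_ASSISTANT),
        "safe_output": check_structured_output(SAFE_OUTPUT),
        "bad_output": check_structured_output(BAD_OUTPUT),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
```

The gate is deliberately conservative: it rejects on field names and identifier shapes rather than trying to prove a schema is PHI-free, because the responsibility the page assigns to your organization is not to store PHI at all, and a false positive costs a review while a false negative is a BAA violation. Extend PHI_FIELD_DENYLIST and PHI_TEXT_PATTERNS to match your own data classification.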
You can keep test or demo assistants with HIPAA compliance turned off, but be extremely careful. Such assistants must never be used with real PHI, and they must not share phone numbers or workflows with production assistants. The safest option is to enable HIPAA compliance at the organization level so that a misconfigured individual assistant cannot silently fall back to the default recording behaviour.
Under the Business Associate Agreement (BAA), you agree:
For HIPAA-enabled organizations, call recordings and logs are stored in a private bucket and cannot be downloaded directly from the URLs returned in webhooks or API responses; those URLs are not publicly fetchable. To retrieve recordings, call logs, or other artifacts, call the Vapi API with your Private API Key; see Retrieve call artifacts for the full list of endpoints and example requests. Keep the Private API Key on your own servers and never embed it in a browser or mobile client, since anyone holding it can retrieve those artifacts.
If you have more questions about privacy, HIPAA compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at security@vapi.ai for personalized assistance and more information on how to make the most of Vapi’s voice assistant platform while ensuring your data remains protected.