
HIPAA — Healthcare Compliance

Healthcare organizations using Converse for patient communication — appointment reminders, care coordination, prescription notifications — must comply with HIPAA. This page explains what Converse provides and what your organization is responsible for.

Business Associate Agreement (BAA)

Before using Converse to handle Protected Health Information (PHI), your organization must execute a Business Associate Agreement (BAA) with us. Contact your account manager or reach out at support@converse.axllabs.in to request a BAA. Do not process PHI before the BAA is signed.

What counts as PHI in voice AI

Protected Health Information includes any data that can identify a patient and relates to their health condition, treatment, or payment. In voice AI, this commonly includes:

HIPAA controls available in Converse

1. PHI Protection (transcript redaction)

Enable this in Settings → Security → PHI Protection. When active:

2. End-to-end call encryption

Enable in Settings → Security → End-to-End Encryption. When active:

3. Call recording with encrypted storage

Enable in Settings → Security → Call Recording. When active:

4. Tamper-evident audit log

All configuration changes, logins, and API calls are recorded in an append-only audit log. The log includes:

The audit log cannot be modified or deleted by any user, including organization owners.

5. Minimum necessary access (RBAC)

Implement the HIPAA "minimum necessary" principle using roles:

Your organization's HIPAA responsibilities

Converse provides technical safeguards, but HIPAA compliance is a shared responsibility. Your organization must additionally:

Recommended configuration for healthcare

Execute BAA with Converse before processing any patient data

Enable PHI Protection in Settings → Security

Enable End-to-End Encryption

Enable Call Recording with encrypted storage

Enable Tamper-evident Audit Log

Restrict agent access: only Admin/Owner can view transcripts

Do not include PHI in agent system prompts — inject it via variables at runtime only

Set knowledge base documents to agent-specific (not org-wide)

Configure transcript retention policy to delete after required period

Enable MFA for all user accounts

Data residency

Healthcare organizations in the US can request that all data be stored in US data centers only. Contact support to configure data residency for your account before processing patient data.