HIPAA — Healthcare Compliance
Healthcare organizations using Converse for patient communication — appointment reminders, care coordination, prescription notifications — must comply with HIPAA. This page explains what Converse provides and what your organization is responsible for.
Business Associate Agreement (BAA)
What counts as PHI in voice AI
Protected Health Information includes any data that can identify a patient and relates to their health condition, treatment, or payment. In voice AI, this commonly includes:
- Patient name + medical condition mentioned in a call
- Phone number used to call a patient (with any health-related context)
- Appointment details, prescription information, test results
- Account numbers linking to a medical record
- Caller transcripts discussing health conditions
HIPAA controls available in Converse
1. PHI Protection (transcript redaction)
Enable this in Settings → Security → PHI Protection. When active:
- Phone numbers, email addresses, and card numbers are redacted from stored transcripts before they are written to the database.
- Redaction uses pattern matching on the final transcript — the live transcript during a call is unaffected.
- Stored transcripts show [PHONE], [EMAIL], [CARD] in place of the original values.
- Agent logs and debug output also apply redaction when this flag is enabled.
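To make the scope of this control concrete, here is an added illustration (not Converse's own redaction code; the patterns and the sample transcript are constructed) of pattern-based post-call redaction. It shows what the three patterns catch and, just as importantly, what they leave: a patient name, condition or test result spoken in free text is still PHI and is not touched by this control, which is why the "minimum necessary" guidance below still applies.

```python
from __future__ import annotations
import re

# Constructed patterns for illustration only; these are NOT Converse's actual rules.
# Card numbers run first so a 13-19 digit PAN is never half-consumed as a phone number.
PATTERNS = [
    ("[CARD]",  re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[PHONE]", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]

def redact_transcript(text: str) -> tuple[str, dict[str, int]]:
    """Return the redacted transcript and the number of replacements per token.

    Mirrors the documented behaviour: applied once, on the final transcript,
    before it is persisted, and purely pattern-based.
    """
    counts: dict[str, int] = {}
    for token, pattern in PATTERNS:
        text, n = pattern.subn(token, text)
        counts[token] = n
    return text, counts

# Constructed sample of a final call transcript (fictional patient and values).
SAMPLE_TRANSCRIPT = (
    "Agent: Confirming Tuesday's cardiology follow-up for Jane Doe.\n"
    "Caller: Yes. My number is (555) 010-2345 and email is jane.doe@example.org.\n"
    "Caller: Bill the card 4111 1111 1111 1111 for the copay.\n"
    "Agent: Noted. Your A1C result will be discussed at the visit."
)

def phi_left_in_clear(redacted: str, free_text_phi: list[str]) -> list[str]:
    """PHI that pattern redaction does not cover: names, conditions, results.

    free_text_phi is a reviewer-supplied list of strings known to be PHI in this
    transcript; returns those still present verbatim after redaction.
    """
    return [p for p in free_text_phi if p in redacted]

if __name__ == "__main__":
    redacted, counts = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    print(counts)
    # These survive redaction and remain PHI in the stored transcript.
    print(phi_left_in_clear(redacted, ["Jane Doe", "cardiology", "A1C"]))
```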
2. End-to-end call encryption
Enable in Settings → Security → End-to-End Encryption. When active:
- Call audio is encrypted at the media layer. Each participant has an independently encrypted audio track.
- Audio cannot be intercepted or decrypted by any intermediate party; only the verified session participants can access it.
- Required for organizations that need encryption of PHI in transit at the media level, beyond standard TLS.
3. Call recording with encrypted storage
Enable in Settings → Security → Call Recording. When active:
- Audio recordings are stored with per-track encryption.
- Recordings are accessible only to authorized team members in your organization.
- Retention policies can be configured to automatically delete recordings after a specified period.
4. Tamper-evident audit log
All configuration changes, logins, and API calls are recorded in an append-only audit log. The log includes:
- Who performed the action (user ID, email, IP address)
- What changed (before and after values)
- When it happened (UTC timestamp)
- What resource was affected (agent, flow, channel, knowledge doc, etc.)
The audit log cannot be modified or deleted by any user, including organization owners.
5. Minimum necessary access (RBAC)
Implement the HIPAA "minimum necessary" principle using roles:
- Only Admin and Owner roles can configure agents and access raw transcripts.
- Customer Support Agent role can only claim escalated calls — they cannot access historical transcripts or configurations.
- Viewer role sees only aggregated analytics — no individual call data.
Your organization's HIPAA responsibilities
Converse provides technical safeguards, but HIPAA compliance is a shared responsibility. Your organization must additionally:
- Workforce training: Train all staff who access Converse on HIPAA privacy and security rules.
- Risk assessment: Conduct and document an annual HIPAA risk assessment covering your use of Converse.
- Policies and procedures: Create written policies for how Converse is used to contact patients.
- Minimum necessary: Ensure agent system prompts and flows only request the minimum necessary PHI for the intended purpose.
- Patient authorization: Obtain required patient authorization or ensure the use falls under a HIPAA exception (e.g., treatment, operations).
- Breach notification: Have a breach notification procedure in place. Report security incidents to us immediately so we can support your investigation.
Recommended configuration for healthcare
- Execute a BAA with Converse before processing any patient data
- Enable PHI Protection in Settings → Security
- Enable End-to-End Encryption
- Enable Call Recording with encrypted storage
- Enable the tamper-evident audit log
- Restrict agent access: only Admin/Owner can view transcripts
- Do not include PHI in agent system prompts; inject it via variables at runtime only
- Set knowledge base documents to agent-specific (not org-wide)
- Configure the transcript retention policy to delete after the required period
- Enable MFA for all user accounts
