
HIPAA-Compliant Answering Services: What To Verify


TL;DR — Key takeaways

- "HIPAA compliant" is a claim — your job as a practice is to verify it. The Department of Health and Human Services holds your practice responsible for the compliance of any vendor handling Protected Health Information (PHI), including your answering service.
- A compliant medical answering service must: sign a Business Associate Agreement (BAA), encrypt PHI in transit and at rest, train every agent in HIPAA annually, document safeguards, log and audit access to PHI, and have a breach notification plan.
- The eight things to verify are: the signed BAA, agent training records, message encryption, physical security of the operations center, access controls, audit logs, incident response plan, and compliance program ownership.
- Common violations aren't dramatic data breaches — they're small operational lapses like unencrypted text messages, agents working from home without proper controls, or messages retained longer than policy allows.

---

Why this matters more than most practices realize

When a medical answering service handles your patient calls, they become a HIPAA Business Associate. That means the practice ("Covered Entity") and the answering service share legal responsibility for protecting Protected Health Information. If your answering service has a HIPAA violation, the Department of Health and Human Services Office for Civil Rights can — and has — fined both the vendor and the practice.

The answering service vendors that will cost your practice dearly aren't the ones with obvious red flags. They're the ones with confident "we're HIPAA compliant" marketing copy and shaky underlying practices. The verification work this article lays out takes a few hours. Skipping it can cost six figures.

What HIPAA actually requires from a Business Associate

The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule collectively require that a Business Associate handling PHI (like an answering service) must:

1. Execute a Business Associate Agreement (BAA) with your practice that specifies permitted uses, required safeguards, and breach notification obligations
2. Implement administrative safeguards: written policies, workforce training, access management procedures, and a designated security officer
3. Implement physical safeguards: secure facility access controls, workstation security, device and media controls
4. Implement technical safeguards: access controls, audit controls, integrity controls, transmission security (encryption)
5. Document everything: policies, training records, risk assessments, security incidents, and remediation actions
6. Notify you of any breach involving your PHI within 60 days of discovery
7. Subcontract carefully: any subcontractor handling PHI must also sign a BAA
8. Cooperate with audits and make documentation available to your practice and HHS

A compliant answering service will have all of the above. A "HIPAA compliant" answering service that can't show you the first five items in writing is not actually compliant.

The 8-point verification checklist

Use this when vetting any medical answering service. Ask for documentation on each point, not just verbal assurance.

1. Signed Business Associate Agreement

Ask for their standard BAA template. Read it. The BAA should specifically list the permitted uses of PHI, required safeguards, breach notification timelines, and termination rights. If the vendor can't or won't send a BAA before contracting, walk.

2. Agent HIPAA training records

Every agent handling medical accounts should complete HIPAA training on hire and at least annually. Ask what training program is used, how completion is documented, and what happens when an agent fails a refresher.

3. Message encryption in transit and at rest

All PHI should be encrypted — both when it's being transmitted (to your phone, email, pager, secure messaging system) and when it's stored. Ask for specifics: what encryption standard (AES-256 is standard), what transport protocols (TLS 1.2+), and how message retention is managed.

4. Physical security of the operations center

Where are the agents? What controls the physical access to the room where they work? If agents work from home, what are the additional controls (company-issued devices, encrypted endpoints, private rooms)? This is the question most practices never ask.

5. Access controls

Only agents who need access to your PHI should have it. Ask how user access is provisioned, reviewed, and deprovisioned. Ask what happens when an agent leaves. Ask about unique user IDs, session timeouts, and password policies.

6. Audit logs

Every access to your PHI should be logged and the logs retained for a defined period (six years is HIPAA's minimum retention for most documentation). Ask whether the service can produce an audit log of who accessed your practice's data and when, on request.

7. Incident response and breach notification plan

Every compliant Business Associate has a written incident response plan and a breach notification process. Ask for a summary. Ask how they'd notify you in the event of a breach, within what timeline, and what information they'd provide.

8. Compliance program ownership

Someone at the service must own HIPAA compliance. Ask who. Ask their title and credentials. Ask how often the program is reviewed. If the answer is vague or delegated to a part-time role, quality will be vague and part-time too.

Common misconceptions

"We're HIPAA compliant because our software is HIPAA compliant." Software is one component. People, process, and physical security are the rest. A compliant technology platform operated by untrained staff is not a compliant service.

"We sign a BAA, so we're compliant." Signing a BAA is table stakes, not proof. The BAA is a contract; compliance is an operational reality.

"We've never had a breach." Neither had anyone else before their first one. Past performance is interesting; documented controls are what matter.

"AI voicebots are safer because there's no human listening to the call." AI systems processing PHI are still subject to HIPAA. The storage, transmission, and logging of those AI interactions must meet the same standards. A voicebot behind an inadequate compliance program is no safer than a human behind one.

How to verify the claims

1. Request the BAA in writing and read it cover to cover. If it's vague or missing required sections, push back.
2. Ask for the most recent HIPAA risk assessment executive summary. A mature vendor will have one and will summarize it for you.
3. Ask for reference customers — specifically medical practices that have audited the vendor themselves.
4. Ask where agents physically sit. Visit if possible. Ask about work-from-home policies.
5. Ask to review an agent HIPAA training certificate or completion record.
6. Ask about their breach history, and what was done in response. Every mature organization has had incidents; the question is how they responded.
7. Ask about subcontractors. Are overnight calls or overflow handled by a subcontractor? Does that subcontractor have a BAA with the service?

Real-world examples of HIPAA lapses at answering services

The most common lapses we see in the industry aren't cinematic:

- Unencrypted text messages delivered to physician personal phones
- Shared login credentials among agents in violation of unique-user-ID requirements
- Messages retained indefinitely in a voicemail system with no retention policy
- Agents working from home on personal laptops without encrypted storage
- Subcontracted overnight coverage to a provider without a BAA or comparable controls
- Audit logs that don't actually get audited — present, but never reviewed

Each of these has triggered enforcement actions in the past decade. Each is preventable. Each is exactly what the verification checklist above is designed to surface.
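Two of the lapses above (shared login credentials and audit logs that are never reviewed) can be caught by a routine review of the access log the service should be able to produce for your practice. The following is an added illustration, not code from the original article or from any vendor: it assumes a simple space-separated log format, a constructed sample log, and an assumed provisioning roster of which practices each agent may access, and flags access outside that roster plus one user ID appearing on two workstations within a short window.

```python
"""Review a constructed answering-service audit log for two of the lapses
described above: an agent reading PHI for a practice they are not assigned to
(access-control failure) and one user ID active on two workstations at almost
the same time (a shared-credential indicator). Log format, field names and the
authorization roster are assumptions made for this example."""
from datetime import datetime, timedelta

# Constructed sample log: timestamp agent_id workstation practice_id action
SAMPLE_LOG = """\
2024-03-04T08:00:12 agent17 WS-03 practice-A view_message
2024-03-04T08:02:40 agent17 WS-03 practice-A relay_message
2024-03-04T08:03:05 agent17 WS-11 practice-A view_message
2024-03-04T08:15:00 agent22 WS-05 practice-B view_message
2024-03-04T08:16:30 agent22 WS-05 practice-A view_message
2024-03-04T09:30:00 agent17 WS-11 practice-A view_message
"""

# Assumed provisioning roster: the practices each agent is allowed to access
AUTHORIZED = {"agent17": {"practice-A"}, "agent22": {"practice-B"}}

# One ID on two different workstations inside this window is treated as concurrent
CONCURRENCY_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the log text into (timestamp, agent, workstation, practice, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, agent, ws, practice, action = line.split()
        events.append((datetime.fromisoformat(ts), agent, ws, practice, action))
    return events


def review_audit_log(text, authorized, window=CONCURRENCY_WINDOW):
    """Return a sorted list of (finding_type, agent_id, detail) tuples."""
    findings = set()
    last_seen = {}  # agent_id -> (timestamp, workstation) of that agent's previous event
    for ts, agent, ws, practice, action in parse_log(text):
        # Least-privilege check: access to a practice outside the agent's roster
        if practice not in authorized.get(agent, set()):
            findings.add(("unauthorized_practice", agent, practice))
        # Shared-credential indicator: same ID, different workstation, within the window
        prev = last_seen.get(agent)
        if prev and prev[1] != ws and ts - prev[0] <= window:
            findings.add(("concurrent_workstations", agent, f"{prev[1]}+{ws}"))
        last_seen[agent] = (ts, ws)
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG, AUTHORIZED):
        print(*finding)
```

Run against the sample log, this reports agent17 on WS-03 and WS-11 within 25 seconds and agent22 reading practice-A messages without authorization; a review that never runs such checks is the "present, but never reviewed" log the list above warns about.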

What questions medical practices should ask themselves

Not about the vendor — about yourself:

- Do you know who signed your BAA? Do you have a copy on file?
- Do you review your answering service's controls annually?
- Do you know what would happen if you terminated the relationship tomorrow — how your PHI would be returned or destroyed?
- Does your compliance officer meet with your answering service's compliance counterpart at least annually?

These are easy tasks that too many practices skip — and they're exactly what a HIPAA auditor will ask about.

Final thoughts

HIPAA compliance in an answering service isn't a feature list. It's an operational posture — policies, training, encryption, physical security, audit logs, breach response — backed by documentation and maintained continuously. Any vendor can claim compliance. Only a mature vendor can prove it in writing, top to bottom, without hesitation.

If you're evaluating a medical answering service, start with the 8-point checklist above. Ask for documentation on each point. Walk from any vendor that can't produce it — because "we're HIPAA compliant" is a sentence, not a program.


Frequently Asked Questions

What is a HIPAA Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity (such as a medical practice) and a business associate (such as an answering service) that handles Protected Health Information. The BAA specifies permitted uses, required safeguards, breach notification obligations, and termination rights. Without a signed BAA, an answering service cannot legally handle PHI on behalf of a medical practice.

How do I verify that an answering service is actually HIPAA-compliant?
Ask for documentation on eight points: a signed BAA, agent HIPAA training records, message encryption standards in transit and at rest, physical security of the operations center, access controls, audit logs, written incident response and breach notification plan, and the name of the person who owns the compliance program. Verbal assurance is not enough — every point should be documented.

What are the most common HIPAA violations in answering services?
The most common violations aren't dramatic data breaches — they're small operational lapses: unencrypted text messages containing PHI, agents working from home without proper controls, messages retained longer than policy allows, missing or incomplete BAAs, and agents who have not completed annual HIPAA refresher training. Any of these can result in significant penalties for both the answering service and the medical practice that uses it.

Is my medical practice responsible if our answering service violates HIPAA?
Yes. Under HIPAA, the covered entity (medical practice) and the business associate (answering service) share legal responsibility for protecting Protected Health Information. The Department of Health and Human Services Office for Civil Rights can fine both the answering service and the practice if a violation occurs. Verifying the answering service's compliance is therefore not optional — it is a HIPAA obligation of the practice itself.

What encryption standards should a HIPAA-compliant answering service use?
AES-256 is the standard for encryption of PHI at rest. TLS 1.2 or higher is the standard for encryption in transit. All message delivery channels — text, email, pager, secure messaging — should use end-to-end encryption. Ask the answering service to specify their encryption standards in writing, and confirm that messages are encrypted both during transmission to the practice and during any storage period the service maintains.

---

A Message Center has been operating a HIPAA-compliant medical answering service from Millville, New Jersey since 1962. We're happy to share our BAA, compliance documentation, and operations posture with any practice evaluating us. Email support@amessagecenter.com or call (800) 248-2255.