Trust & Compliance

HIPAA-Aware Architecture

Voice AI introduces unique privacy considerations that generic answering services never address. VIGMA is designed from the ground up with healthcare data requirements in mind — not retrofitted after the fact.

What HIPAA Means for Voice AI

Most people associate HIPAA with electronic health records and patient portals. But voice interactions introduce a distinct category of privacy considerations that many technology providers overlook entirely.

When a patient calls your practice, the conversation itself can contain protected health information (PHI) — names, dates of birth, symptoms, medication details, appointment reasons. A voice AI system that handles these calls must treat every element of that interaction with the same rigor applied to your EHR.

There is no such thing as "HIPAA certification." HIPAA compliance is a continuous process, not a one-time credential.

VIGMA is designed with HIPAA requirements in mind and implements the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. Any vendor claiming "HIPAA certification" is misrepresenting how the regulation works.

Voice AI adds layers of complexity that text-based systems don't face: real-time audio streams, speech-to-text conversion, natural language processing, and potential call recordings all create touchpoints where PHI could be exposed if not handled properly.

VIGMA addresses each of these touchpoints with purpose-built safeguards rather than bolting security onto an existing consumer product.

Encryption: In Transit and At Rest

Every data transmission within the VIGMA system is encrypted using current industry-standard protocols. This isn't optional — it's the default for every practice, every call, every interaction.

Data in Transit — TLS 1.3

All voice data, API calls, and system communications are encrypted using Transport Layer Security (TLS) 1.3, the latest version of the protocol. TLS 1.3 eliminates legacy cipher suites, reduces handshake latency, and provides forward secrecy by default: session keys are derived from ephemeral key exchanges, so even if the server's long-term private key were compromised in the future, previously recorded sessions could not be decrypted.

Data at Rest — AES-256

Any stored data — call metadata, transcripts, configuration — is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). AES-256 is the same encryption standard used by the U.S. government for classified information and is approved for use in HIPAA-regulated environments. Encryption keys are managed separately from the encrypted data and rotated on a regular schedule.

These encryption standards apply universally. There is no "unencrypted tier" and no way to disable encryption. Every practice gets the same level of protection regardless of plan.

Protected Health Information Handling

VIGMA's approach to PHI follows a clear principle: minimize what is collected, encrypt what must be stored, and give practices full control over retention.

  • No PHI stored without explicit authorization. VIGMA does not retain patient health information beyond what is required to complete the interaction — unless the practice explicitly configures it to do so.
  • Real-time processing, not storage. Voice data is processed in real-time to understand and respond to the caller. Raw audio streams are not persisted by default.
  • Call summaries over full transcripts. Rather than storing verbatim transcripts, VIGMA generates structured call summaries that capture actionable information (appointment requests, callback needs) without retaining unnecessary PHI detail.
  • Configurable data scope. Practices choose exactly which data points VIGMA retains — from minimal (call time, duration, outcome) to comprehensive (full transcripts with caller details).
  • Automatic data expiration. Retained data is subject to configurable retention windows. When the window closes, data is permanently deleted — not archived, not moved to cold storage. Deleted.

VIGMA is designed so practices can use voice AI without expanding their PHI footprint beyond what's operationally necessary.

Business Associate Agreements

Under HIPAA, any vendor that handles PHI on behalf of a covered entity must enter into a Business Associate Agreement (BAA). This is a legal requirement, not an upsell.

VIGMA provides BAAs to all customers. This isn't limited to enterprise tiers or premium plans. If your practice is a covered entity under HIPAA, you're entitled to a BAA — and we execute one as a standard part of onboarding.

What Our BAA Covers

  • Permitted uses and disclosures of PHI
  • Safeguards VIGMA implements to protect PHI
  • Breach notification procedures and timelines
  • Requirements for subcontractors who may access PHI
  • Data return and destruction obligations upon termination
  • Obligations under the HITECH Act

Many generic answering services and consumer AI products either don't offer BAAs or charge significant premiums for them. For VIGMA, it's included for every customer because healthcare practices shouldn't pay extra for baseline regulatory requirements.

How VIGMA Differs from Generic Answering Services

Traditional answering services and general-purpose AI assistants were not designed with healthcare regulations in mind. The differences are significant — and they matter when a compliance officer is reviewing your vendor stack.

Capability                                  VIGMA.ai                Generic Services
BAA available for all customers             ✓ Standard              ✗ Rarely offered
End-to-end encryption (TLS 1.3 + AES-256)   ✓ Always on             ✗ Varies widely
Configurable PHI retention                  ✓ Practice-controlled   ✗ Vendor-controlled
No data used for AI model training          ✓ Never                 ✗ Often in fine print
Audit logs for every interaction            ✓ Complete              ✗ Limited or none
Role-based access controls                  ✓ Granular              ✗ Basic or none
Built specifically for healthcare           ✓ From day one          ✗ Retrofitted

The core difference: VIGMA was built for healthcare from the start. We didn't take a consumer product and add a HIPAA layer. The architecture, data flows, access controls, and retention policies were designed with healthcare requirements as foundational constraints — not afterthoughts.

Call Recording Handling

Call recordings are among the most sensitive data in voice AI. They contain raw patient speech — potentially including PHI — and require careful handling at every stage.

Recording Lifecycle

  • Recording is optional. Practices choose whether calls are recorded. It is not enabled by default.
  • Encrypted from capture. When recording is enabled, audio is encrypted immediately upon capture using AES-256. At no point does an unencrypted recording exist on disk.
  • Access-controlled. Recordings are accessible only to authorized personnel with appropriate role-based permissions. Every access event is logged.
  • Configurable retention. Practices set their own retention period — 30 days, 90 days, 1 year, or custom. When the period expires, recordings are permanently destroyed.
  • Consent handling. VIGMA can be configured to provide automatic recording disclosures to callers, supporting compliance with applicable state consent laws.

For practices that don't need recordings, VIGMA provides call summaries and structured data that capture the essential information without retaining raw audio. This approach reduces PHI exposure while preserving the operational value of every patient interaction.

Questions About Compliance? Let's Talk.

We understand that adopting voice AI in a healthcare setting requires due diligence. We're happy to walk through our architecture, answer specific compliance questions, or connect your team with our technical staff.


No sales pressure. Real technical answers from people who understand healthcare.