
HIPAA-aware dialing for call centers

Operator-perspective guide to HIPAA for VICIdial deployments — what the law covers, what the platform supports, where Business Associate Agreements come in.

The Health Insurance Portability and Accountability Act (HIPAA, 45 CFR Parts 160, 162, 164) governs the handling of Protected Health Information (PHI) in the United States. If your dialer ever processes a patient name, date of birth, diagnosis, appointment time, insurance ID, or anything else that ties an individual to their healthcare, HIPAA applies. This page is operator-perspective — not legal advice. Talk to healthcare counsel before any program touching PHI.

When HIPAA applies to a dialer

You are a Covered Entity (CE) if you are a provider, plan, or clearinghouse. You are a Business Associate (BA) if you handle PHI on behalf of a Covered Entity. Most outbound healthcare call centers are Business Associates — even appointment-reminder shops. The CE will require a signed Business Associate Agreement (BAA) before you can dial.

If your campaign is purely B2B sales to physicians without PHI in the leads file, HIPAA does not apply to that program. If a single lead row carries any PHI element, every column in that row falls under HIPAA.

What HIPAA requires of the dialer

1. Encryption at rest + in transit

PHI on disk must be encrypted; PHI in flight must be encrypted too. For the web interface and database connections that means TLS; for the call leg itself it means SIP over TLS plus SRTP for the media, because the audio is the PHI and TLS on the signaling alone leaves it in the clear. The leads database, recording files, transcripts, and backups all count. Strictly, encryption is an "addressable" specification in the Security Rule, but unencrypted PHI is "unsecured" PHI, so any lost disk, backup, or laptop becomes a reportable breach. Treat it as required.

2. Access controls + audit log

Every read or write of PHI must be attributable to a uniquely identified user (unique user identification is a required specification in the Security Rule), and the audit records must be retained for at least six years. Shared logins do not satisfy this: one credential per agent and per supervisor is mandatory, and the same applies to shell and database access on the dialer host.

3. Minimum necessary

Agents see only what they need for the call. A receptionist scheduling an appointment doesn't see prescription history.

4. Breach notification

A breach of unsecured PHI triggers notification to the affected individuals without unreasonable delay and no later than 60 days after discovery, to HHS (at the same time when 500 or more individuals are affected, otherwise in an annual log), and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected. A breach counts as discovered on the first day it is known, or would have been known with reasonable diligence, not the day you got around to looking.

5. Workforce training + sanctions

Documented training on PHI handling for every agent + supervisor with PHI access. Sanctions policy on file for violations.

6. Risk analysis + Security Rule controls

An ongoing risk analysis covering administrative, physical, and technical safeguards — not a one-time checkbox. Encryption is one technical safeguard; the Security Rule lists many more.

Penalties

  • Tier 1 (unaware): $137 – $34,464 per violation, $34,464 annual cap
  • Tier 2 (reasonable cause): $1,379 – $68,928 per violation
  • Tier 3 (willful neglect, corrected): $13,785 – $68,928 per violation
  • Tier 4 (willful neglect, not corrected): $68,928 – $2,067,813 per violation

HHS adjusts these amounts for inflation every year, so treat the figures above as a snapshot and check the current schedule. Civil penalties are counted per violation, and HHS may count each affected individual or each day of non-compliance as a separate violation, up to an annual cap per provision. Criminal penalties under 42 U.S.C. 1320d-6 run up to 10 years in federal prison where PHI is knowingly obtained or disclosed with intent to sell it, for commercial advantage, or to cause malicious harm.

Operational checklist for a HIPAA-aware VICIdial deployment

  • [ ] BAA signed with every Covered Entity client before the first dial
  • [ ] BAA signed with every Business Associate sub-processor (including your hosting provider — see below)
  • [ ] Sub-users with unique credentials; shared logins disabled
  • [ ] Federal + state recording laws layered on top (HIPAA does not pre-empt stricter state all-party consent rules)
  • [ ] Recordings retention policy in writing, deletion automated to the documented schedule, covering backups and snapshots as well as the live recordings directory
  • [ ] Internal DNC kept current with patient opt-outs and scrubbed against each campaign's lead list before dialing, where relevant
  • [ ] Workforce training documented, refreshed annually
  • [ ] Risk analysis on file, updated whenever the architecture changes
  • [ ] Encrypted backup destination (your own S3 bucket with SSE-KMS enforced by bucket policy, not a consumer file-sync account)
  • [ ] Breach response runbook, including the 60-day notification clock that starts at discovery
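The retention item above is the one most often left as a policy document with no enforcement behind it, and the audit-log item is the one most often satisfied for the dashboard but not for the cron job that touches recordings. The sweep below ties them together: it deletes recordings past the written schedule and writes an attributable record for every deletion. It is an added example, not code from the original page or from the VICIdial project. It assumes the default VICIdial recording filename prefix YYYYMMDD-HHMMSS_ (for example 20240115-103012_5551234567-all.mp3); the directory, retention period, actor name and audit-log path are hypothetical settings you would take from your own retention policy, and the sample files are constructed inline.

```python
"""
Retention sweep for a VICIdial recordings directory (added example; the
filename convention YYYYMMDD-HHMMSS_... is assumed from VICIdial defaults,
paths and settings are hypothetical).

Fail-safe rules:
  * only files whose names match the expected prefix are considered;
    anything else is reported, never deleted;
  * the recording's own timestamp decides age (mtime is unreliable after a
    restore or copy, which is exactly when a retention bug would bite);
  * every deletion is appended to an audit log before the unlink, so a crash
    leaves a record of intent rather than an unexplained gap.
"""
import json
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Default VICIdial recording name: <YYYYMMDD-HHMMSS>_<phone>-<suffix>.<ext>
RECORDING_NAME = re.compile(r"^(?P<stamp>\d{8}-\d{6})_.*\.(wav|mp3|gsm|ogg)$")


def recording_timestamp(name: str) -> Optional[datetime]:
    """Parse the recording time out of the filename; None if not a recording."""
    m = RECORDING_NAME.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m["stamp"], "%Y%m%d-%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # right shape, impossible date (e.g. month 13): do not touch it


def sweep(recordings_dir, retention_days, audit_log, actor, now=None, dry_run=False):
    """Delete recordings older than retention_days; return what was done."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    deleted, kept, skipped = [], [], []
    with open(audit_log, "a", encoding="utf-8") as log:
        for entry in sorted(Path(recordings_dir).iterdir()):
            if not entry.is_file():
                continue
            stamp = recording_timestamp(entry.name)
            if stamp is None:
                skipped.append(entry.name)  # unknown file: leave it, flag it for a human
                continue
            if stamp >= cutoff:
                kept.append(entry.name)
                continue
            record = {
                "ts": now.isoformat(),
                "actor": actor,                      # who/what ran the sweep
                "action": "dry-run" if dry_run else "delete",
                "file": str(entry),
                "recorded_at": stamp.isoformat(),
                "policy_days": retention_days,
            }
            log.write(json.dumps(record) + "\n")   # log intent first...
            log.flush()
            if not dry_run:
                entry.unlink()                      # ...then act
            deleted.append(entry.name)
    return {"deleted": deleted, "kept": kept, "skipped": skipped}


def demo():
    """Constructed sample directory: two real recordings, one stray file, one
    file with a recording-shaped but impossible timestamp."""
    base = Path(tempfile.mkdtemp(prefix="vici-retention-"))
    for name in (
        "20240105-091500_5551234567-all.mp3",   # older than 90 days: delete
        "20240301-143000_5559876543-all.mp3",   # inside retention: keep
        "notes.txt",                            # not a recording: skip
        "20241301-000000_5550000000-all.mp3",   # month 13: skip, never delete
    ):
        (base / name).write_bytes(b"\x00" * 16)
    (base / "logs").mkdir()
    audit = base / "logs" / "retention-audit.jsonl"
    result = sweep(base, retention_days=90, audit_log=audit, actor="cron:retention",
                   now=datetime(2024, 4, 15, tzinfo=timezone.utc))
    result["audit_lines"] = audit.read_text().count("\n")
    result["remaining"] = sorted(p.name for p in base.iterdir() if p.is_file())
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with dry_run=True first and diff the audit log against what you expect before letting it unlink anything. Deleting the file on the dialer host is only one step of the schedule: the row in VICIdial's recording_log table still points at the recording, and copies in snapshots and offsite backups live on until their own lifecycle rules expire them, so the written policy has to name all three.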

Where VICIfast fits

VICIfast is a hosting platform. We are not a Covered Entity. We can act as a Business Associate to you under a BAA when your dialer processes PHI — talk to enterprise@ to start that conversation. Today the platform supports the technical-safeguard pieces:

  • TLS via Let's Encrypt on every customer subdomain
  • AES-256-GCM at rest for sensitive secrets (VICIdial admin password, carrier tokens, CA private keys)
  • Sub-user RBAC (Owner / Operator / Billing / Viewer) — distinct credentials per agent
  • Audit log of every state-changing dashboard action, retained for the life of the account
  • Region pinning so US-only data stays on US infrastructure
  • Daily snapshots + on-demand restore for the disaster-recovery side of the Security Rule
  • Encrypted backups to your own S3 bucket (BYO destination — your keys, your retention)

What we don't do: sign BAAs with your downstream CE clients, train your agents, write your sanctions policy, or assume your breach-notification clock. Those stay with you.
