
VICIdial for healthcare — HIPAA-aware managed dialer

Managed VICIdial hosting for medical practices, healthcare BPOs, patient outreach. BAA-ready, encrypted at rest + in transit, 6-year retention. Live in under 60 seconds.

Healthcare runs VICIdial for appointment reminders, patient outreach, billing follow-up, post-discharge calls, and clinical-trial recruitment. HIPAA changes the operational shape compared with general dialing: the platform handles the infrastructure-side safeguards so your team can focus on the call flows.

HIPAA — what the platform handles

If your dialer touches PHI, HIPAA applies. The platform's posture:

| HIPAA requirement | How VICIfast handles it |
| --- | --- |
| BAA available | Business plan and above. Talk to us before signing; we ship the standard template. |
| Encryption at rest | Hetzner volumes encrypted; recordings + DB on encrypted disk. |
| Encryption in transit | TLS on every customer endpoint; PJSIP via TLS / SRTP available. |
| Audit log | Every admin action + state transition logged with actor + timestamp. Recorded SSH sessions on top. |
| 6-year retention | External Backups to your own S3 bucket; set the lifecycle policy to match the contract. |
| Access control | Sub-users with roles (Owner / Operator / Viewer); patient-record access logged in VICIdial itself. |

You're still responsible for: patient consent flow, BAA with downstream vendors, recording deletion on patient request, and the PHI handling inside the dialer (campaign config, list management, agent training).

Recording considerations

Healthcare-specific:

  • Pre-call disclosure — most state laws require "this call may be recorded for quality and treatment purposes". VICIdial's announce-beep + IVR prompt covers it.
  • Two-party consent states — CA, CT, FL, IL, MD, MA, MT, NV, NH, PA, WA. Set RECORDING_ANNOUNCE = Y per campaign.
  • Patient-request deletion — HIPAA Right to Access + Amend means you must be able to delete specific recordings on demand. The platform ships a per-recording delete in /dashboard/servers/[id]/snapshots + the External Backups manifest.
  • 6-year retention is the HIPAA floor for most healthcare contexts. Push recordings to your own S3 with a 6-year lifecycle policy — see /features/external-backups.
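The 6-year lifecycle policy above, as an added example (not VICIfast's tooling): a Python helper that builds the S3 lifecycle rule you would pass to `put-bucket-lifecycle-configuration` and checks an existing bucket configuration for rules that would expire recordings before the floor. The `recordings/` prefix, the rule ID, and the sample "snapshot-style" configuration are assumptions constructed for the example.

```python
RETENTION_YEARS = 6


def retention_days(years: int) -> int:
    """Floor in days, rounded up for leap days so a calendar span of `years` is never cut short."""
    return 365 * years + years // 4 + 1  # 6 years -> 2192 days


def build_lifecycle(prefix: str = "recordings/", years: int = RETENTION_YEARS) -> dict:
    """Lifecycle configuration body for s3api put-bucket-lifecycle-configuration."""
    days = retention_days(years)
    return {"Rules": [{
        "ID": f"recording-retention-{years}y",  # assumed rule name
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},  # assumed: recordings live under recordings/
        # Cold storage after 90 days: recordings are rarely replayed.
        "Transitions": [{"Days": 90, "StorageClass": "GLACIER_IR"}],
        # Delete the current version only once the contractual floor has passed.
        "Expiration": {"Days": days},
        # Versioned bucket: overwritten copies age out on the same clock.
        "NoncurrentVersionExpiration": {"NoncurrentDays": days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def retention_violations(config: dict, prefix: str = "recordings/",
                         years: int = RETENTION_YEARS) -> list:
    """Flag enabled rules that would delete objects under `prefix` before the floor.
    Feed it the output of s3api get-bucket-lifecycle-configuration."""
    floor = retention_days(years)
    problems = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        flt = rule.get("Filter") or {}
        rule_prefix = flt.get("Prefix", rule.get("Prefix", ""))
        # A bucket-wide rule ("" prefix) and a rule scoped under recordings/ both apply.
        if not (prefix.startswith(rule_prefix) or rule_prefix.startswith(prefix)):
            continue
        rid = rule.get("ID", "<unnamed>")
        if rule.get("Expiration", {}).get("Days", floor) < floor:
            problems.append(f"{rid}: current versions expire before {floor} days")
        if rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays", floor) < floor:
            problems.append(f"{rid}: noncurrent versions expire before {floor} days")
    return problems


# Constructed example of the snapshot-style mistake: a bucket-wide 7-day expiry.
SNAPSHOT_STYLE_CONFIG = {"Rules": [{"ID": "roll-7-days", "Status": "Enabled",
                                    "Filter": {"Prefix": ""}, "Expiration": {"Days": 7}}]}
```

Expiration only schedules deletion after the floor; it does not stop an object from being deleted earlier, and patient-request deletions still go through the per-recording delete.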

Plan sizing for healthcare

| Operation | Plan suggestion |
| --- | --- |
| Single practice, appointment reminders | Starter or Growth |
| Practice group, 10–30 outreach staff | Growth (4 vCPU, 8 GB) |
| Hospital outreach team, 30–100 agents | Pro (2 dedicated vCPU, 8 GB) |
| Healthcare BPO, 100–300 agents | Business (4 dedicated vCPU, 16 GB) |
| Enterprise multi-system, 300+ | Scale + custom regions, BAA required |

BAA-required deployments land on Business plan or above. Talk to us first.

Common workflows

  • Appointment reminders — auto-dial via VICIdial IVR; press 1 to confirm, 2 to reschedule, 0 for a live agent.
  • Billing follow-up — outbound campaign to past-due accounts. HIPAA-careful: no PHI in the CallerID or the pre-recorded message, only an account reference.
  • Post-discharge — clinical follow-up calls; agents work from a script that exposes only the minimum necessary PHI.
  • Clinical-trial recruitment — typically inbound (patient calls a specific DID after seeing an ad). VICIdial in-group routes to a screener.

Carrier choice

Healthcare outbound benefits from A-attestation — answer rates on appointment reminders are 2–3× higher when STIR/SHAKEN A passes.

  • Telnyx — A-attestation on owned DIDs, moderate volume sweet spot.
  • Bandwidth — A-attestation, best wholesale tier above 500K min/mo.
  • Avoid aggregator-routed carriers — reputation matters more than per-minute price.

VICIdial settings that matter

| Setting | Value |
| --- | --- |
| Local Call Time | 8am–9pm patient local |
| Recording Override | ALLFORCE + announce-beep in two-party states |
| Recording deletion | Per-recording delete must be operational |
| Calls per Day per Lead | 2 typically (state-specific; collections has stricter limits) |
| Voicemail behaviour | Don't leave PHI in voicemails. Generic "please call us back" only. |

Common mistakes

  1. Leaving PHI in voicemail — your voicemail script names the procedure, the appointment time, the medication. That's a HIPAA breach. Voicemails must be generic ("Please call us back at <number>").
  2. PHI in outbound CallerID — some practices set CallerID to the clinic name including condition info. Strip it.
  3. No BAA with downstream vendors — VICIfast signs a BAA, but if you also push recordings to a separate transcription service (Gong, Otter, etc.) you need a BAA with them too.
  4. 6-year retention via daily snapshots — daily snapshots roll 7 days. They're not a 6-year retention strategy. Wire External Backups before scaling.
  5. One Recording Override for the whole campaign — billing follow-up is recording-mandatory; some clinical follow-ups are recording-prohibited per consent contract. Split into separate campaigns.

What VICIfast handles

| Concern | Who |
| --- | --- |
| OS + Asterisk patches | Platform |
| Encryption at rest | Platform (Hetzner volume encryption) |
| TLS everywhere | Platform (Let's Encrypt auto-issued) |
| Audit log | Platform |
| Daily snapshots | Platform |
| BAA | Platform signs ours; you sign downstream |
| PHI handling in calls | You (agent training, scripts, IVR prompts) |
| Patient consent flow | You |
| Recording retention | Both (snapshot rollover + your S3 lifecycle) |

Get started

Healthcare deployments need the Business plan or above + a signed BAA. Contact us so we can scope the right region + plan and get the BAA in front of your legal team.