VoIP & Network Technology Latest News & Insights | ECG

HIPAA Compliant AI Transcription

Written by Mark Lindsey | Apr 3, 2026 4:15:00 AM

Medical call recording and transcription build on a foundation of HIPAA compliance. But most phone systems are not HIPAA compliant.

Most healthcare-focused voice providers think HIPAA only kicks in when something goes wrong. They're already behind.

There's a version of the HIPAA conversation that most UC providers have with themselves, and it goes something like this: "We're just carrying calls. We're a conduit. That's not our problem."

That version is wrong — and increasingly, it's expensive to be wrong about it.

If you're a BroadWorks-based provider — or running on NetSapiens, Alianza, or any hosted UCaaS platform — and your customers include doctors' offices, clinics, home health agencies, or behavioral health providers, you are already in contact with Protected Health Information (PHI). The question isn't whether HIPAA applies to you. It's whether you've built your service to handle it.

The First Surprise: Caller ID Is PHI

Here's the moment that stops most providers cold: even caller ID can be PHI. A caller's name and number are individually identifiable information, and the fact that they called a healthcare provider links that identity to the receipt of healthcare services. That combination is exactly what HIPAA protects.

The Department of Health and Human Services carved out a safe haven for voice service providers, the "conduit" exception: a carrier that merely transports calls, the basic telephone service of 1995, can serve a medical provider without signing a BAA. But that safe haven is narrow, and most modern UC providers have already left it.

The moment your platform stores voicemail, logs caller names in CDRs, or handles anything beyond a plain audio call, the obligation shifts. It's up to the healthcare provider — the covered entity — to buy services from a provider that will make real security and privacy guarantees. If that's you, you need a BAA. And if you've signed one, you need to back it up.

The Escalating Liability Stack

Think of HIPAA compliance for UC providers as a three-tier stack, where each layer you add multiplies your obligation:

  • Tier 1: Basic voice calls. PSTN audio only, transported but never stored. Covered by the safe-haven doctrine. No BAA required.

  • Tier 2: Voicemail, CDRs, caller name. You're storing PHI. A BAA is required. Encryption at rest, access controls, and audit logging kick in.

  • Tier 3: Call recording & transcription. Full HIPAA technical safeguards apply to a much larger body of data, and where you process and store that data becomes critical.

Most BroadWorks-based providers, and their NetSapiens and Alianza counterparts, are operating at Tier 2 or above for every healthcare customer they serve, whether they've formalized that or not.

Building a HIPAA-compliant cloud communications service is not as hard as GDPR compliance, but it is meaningfully more work than standard BroadWorks-based VoIP delivers out of the box.

Call Transcription: Where the Risk Compounds

Adding call transcription is where things get materially more complex, and where most cloud-based solutions create a hidden compliance problem. Once calls and meetings are transcribed, clients become far more aware of the risk than they were when they merely stored recordings. Recordings are hard to exploit; somebody has to sit and listen. Once the content is text and searchable, everything people said is suddenly visible.

The shift from recordings to transcripts is a risk multiplier. A recording is a box of tapes. A transcript is a searchable corpus of everything your customer's staff has ever said on a phone. The same PHI is present in both — but the transcript makes it instantly accessible in a way that creates real exposure.

This matters especially for how you source your transcription. If you're routing call audio to a third-party cloud transcription service — even a major one — you've created a new BAA obligation. That provider needs to be willing to sign a BAA for that service. Many won't. Most of the cloud-based call transcription offerings available to service providers right now simply don't pass muster for cybersecurity compliance in healthcare contexts.

The answer is to keep transcription inside infrastructure you control. If you can run your own servers with your own compute, you don't have to execute a BAA with an external party. You process the audio in your own environment, and you retain the controls.

What You Actually Have to Do

If you're signing a BAA — or thinking about it — here's what responsible providers implement. These are not theoretical requirements; they're the things that come up in real audits.

Technical Safeguards Checklist

  • TLS + SRTP in transit. Encrypt signaling and audio across every link you don't operate. If customers connect over the public internet, they get TLS for SIP signaling and SRTP for media; TLS on SIP alone still leaves the audio in the clear. You don't need to encrypt between your own BroadWorks and SBC on a private internal link, but everything that crosses your perimeter does.
  • AES-256 at rest. Voicemail, call recordings, transcripts, CDRs containing caller name — all encrypted. Keys stored separately from the data.
  • Compartmentalized access. No shared accounts. Role-based access. Support staff should have the minimum access needed, and ideally a Customer Lockbox model where tenant data requires the tenant's explicit permission to access. (Microsoft, Zoom Phone, and RingCentral have implemented versions of this.)
  • Audit logs of log accesses. It's not enough to have logs. You need logs of who accessed the logs. CDRs and troubleshooting data should go to a separate SIEM — Elasticsearch/Kibana is a common approach on BroadWorks deployments — where database queries are logged and plain-text exports are eliminated.
  • Regular log reviews. HIPAA requires regular review of information system activity; many providers settle on a 60-day cycle. If an employee accessed a healthcare tenant without a documented reason, that has to be detected and reported.
  • Breach notification procedures. You need a documented process. If there's a disclosure, you have to make certain notifications to the Office for Civil Rights of the Department of Health and Human Services. And note: even if a breach is just someone stealing your customer list to spam them with calls — not medical records — it's still a breach, and it still costs you money under HIPAA.
  • BAAs all the way down. Other PSTN providers, cloud services, transcription vendors — if they're touching PHI, you need a BAA with them too. You can't outsource the obligation without outsourcing the agreement.
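The three access-control items on that checklist (no shared accounts, role-based access with a lockbox step for healthcare tenants, and audit logs that are themselves audited and then reviewed) fit together into one small control. The following is an added illustration written for this article, not ECG or Wingman code; the tenant names, roles, account names, ticket IDs and log entries are all constructed, and the "open tickets" set stands in for whatever ticketing system holds the documented reason for an access.

```python
"""Tenant-scoped access control with an append-only audit log and a periodic review.

Added illustration for the checklist above; it is not ECG or Wingman code. The
tenant names, roles, account names, ticket IDs and log entries are constructed.
"""
import json
from datetime import datetime, timezone

HEALTHCARE_TENANTS = {"clinic-a", "clinic-b"}   # tenants covered by a BAA (assumed)
SHARED_ACCOUNTS = {"admin", "support", "noc"}   # no individual accountability, never allowed
# Role -> data classes it may read. Support never reads recordings or transcripts.
ROLE_ACCESS = {
    "support": {"cdr"},
    "compliance": {"cdr", "recording", "transcript", "audit_log"},
}


class AccessDenied(Exception):
    pass


class AuditedStore:
    """Gates every read of tenant data and records the attempt, allowed or not."""

    def __init__(self):
        self.audit_log = []          # append-only, one JSON-serializable entry per attempt
        self.lockbox_grants = set()  # (user, tenant, ticket) tuples approved by the tenant

    def grant_lockbox(self, user, tenant, ticket):
        """Customer Lockbox: the tenant approves one named user for one ticket."""
        self.lockbox_grants.add((user, tenant, ticket))

    def _record(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def read(self, user, role, tenant, data_class, ticket=None):
        denied = None
        if user in SHARED_ACCOUNTS:
            denied = "shared account"
        elif data_class not in ROLE_ACCESS.get(role, set()):
            denied = f"role {role} may not read {data_class}"
        elif tenant in HEALTHCARE_TENANTS and (user, tenant, ticket) not in self.lockbox_grants:
            denied = "healthcare tenant requires a lockbox approval"
        self._record(user=user, role=role, tenant=tenant, data_class=data_class,
                     ticket=ticket, allowed=denied is None, reason=denied)
        if denied:
            raise AccessDenied(denied)
        return f"<{data_class} of {tenant}>"    # stand-in for the real payload

    def read_audit_log(self, user, role):
        """Reading the log is itself a logged access: a log of who accessed the logs."""
        allowed = role == "compliance" and user not in SHARED_ACCOUNTS
        self._record(user=user, role=role, tenant="*", data_class="audit_log",
                     ticket=None, allowed=allowed, reason=None if allowed else "not compliance")
        if not allowed:
            raise AccessDenied("audit log is restricted to the compliance role")
        return [json.dumps(e) for e in self.audit_log]   # JSON lines, ready for the SIEM


def review(audit_log, open_tickets):
    """Periodic review: surfaces every denied attempt, and every successful read of a
    healthcare tenant whose ticket is not an open, documented ticket."""
    findings = []
    for e in audit_log:
        if not e["allowed"]:
            findings.append(("denied", e["user"], e["tenant"], e["reason"]))
        elif e["tenant"] in HEALTHCARE_TENANTS and e["ticket"] not in open_tickets:
            findings.append(("undocumented", e["user"], e["tenant"], e["ticket"]))
    return findings


def demo():
    """Constructed sequence of accesses, then the review a compliance officer would run."""
    store = AuditedStore()
    store.grant_lockbox("alice.ng", "clinic-a", "TKT-1042")
    store.read("alice.ng", "compliance", "clinic-a", "transcript", ticket="TKT-1042")
    for attempt in [("support", "support", "clinic-a", "cdr"),         # shared account
                    ("bob.li", "support", "clinic-b", "transcript"),   # role may not read
                    ("bob.li", "support", "clinic-b", "cdr")]:         # no lockbox approval
        try:
            store.read(*attempt)
        except AccessDenied:
            pass
    store.read("carol.ma", "compliance", "retail-1", "cdr")           # not a healthcare tenant
    # A grant exists for dave.ro, but TKT-0000 is not an open ticket: no documented reason.
    store.grant_lockbox("dave.ro", "clinic-b", "TKT-0000")
    store.read("dave.ro", "compliance", "clinic-b", "recording", ticket="TKT-0000")
    return review(store.audit_log, open_tickets={"TKT-1042"})


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Two design points worth noting. The denial is recorded before the exception is raised, so a failed attempt leaves the same trail as a successful one, which is what the review needs. And the review does not trust the lockbox grant by itself: an approval that no longer corresponds to an open ticket is exactly the "access without a documented reason" an auditor will ask about.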


The Audit Gotchas That Catch Providers Off-Guard

If you're preparing for a third-party HIPAA audit, these are the specific failure points that come up repeatedly for voice providers — and that are easy to miss precisely because they feel like infrastructure details, not compliance issues.

Common Audit Failures

  • Claiming "mere conduit" status when you're storing voicemail, recordings, or CDRs. That exemption was written before UC existed. It doesn't apply to you.

  • Voicemail accessible over unencrypted interfaces, such as IMAP without TLS or a plain-HTTP visual voicemail portal. This is a common default configuration that needs to be hardened.

  • Caller ID in plain-text CDR exports. If you're exporting CSV CDRs that contain caller name, those files are unencrypted PHI sitting on a server.

  • Shared user accounts for accessing admin systems or stored data. No individual accountability means no audit trail.

  • Logs that exist but aren't reviewed. Having logs is not the same as having an audit program. OCR wants to see that someone is actually looking at them.

  • No documented rationale for access. If Person A in job function X can view PHI, the auditor wants to see why — in writing.


One practical note on infrastructure control: the rule of thumb is that you have to control where data is stored, or have agreements with whoever is storing it. If you don't own and operate the infrastructure, it just got more complicated. You have to delegate responsibility to somebody else, and they have to be willing to take the risk, buy appropriate cyber insurance, and sign the agreements.

Internal storage — running on flash arrays or SSDs that you operate, with physical access controls and known access paths — is the straightforward option. It puts you in a much better position to stand behind a BAA yourself rather than delegating that to someone else.

The Compliance Dividend: Transcription as a Monitoring Tool

Here's something that often gets missed in the HIPAA conversation: done right, call transcription doesn't just create compliance obligations — it creates compliance capability.

Healthcare providers want to know what their staff are talking about on the phone. By doing transcription and then feeding the output into models that are watching for specific topics, you can detect when conversations cross lines that matter to the practice.

"You can take that same logic and turn it into: is the person on the phone who's making the appointment giving medical advice? Are they crossing the line over into compliance? These doctors and medical providers are responsible for the behavior of their employees on the phone."

Real-time transcription, combined with configurable alerting, lets a practice manager get notified when a call flags for review — without having to listen to hours of recordings. The same infrastructure that creates your HIPAA obligation can become one of your most valuable tools for managing the practice's own compliance.
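The monitoring pipeline described above, as an added example that is not part of the original article or of Wingman: transcript segments arrive as the real-time transcriber emits them, a per-call monitor watches staff turns for topics that matter to the practice, and a notify callback is where the practice manager would be paged. The article talks about models watching for topics; this illustration substitutes a transparent regex rule set so the shape of the pipeline is visible, and one stateful rule (results disclosed before the caller's identity was verified) shows why the monitor has to track the call, not just the sentence. The rules, speaker labels and transcript lines are all constructed.

```python
"""Real-time transcript monitoring with configurable rules and alerting.

Added illustration; not ECG or Wingman code. Regex rules stand in for the topic
models the article mentions. Rules, speaker labels and transcript lines are
constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    call_id: str
    offset_s: float
    speaker: str   # "staff" or "caller", from the recorder's channel split (assumed)
    text: str


@dataclass
class Alert:
    call_id: str
    offset_s: float
    rule: str
    excerpt: str


# Constructed front-desk policy: staff schedule appointments, they do not give clinical advice.
ADVICE_RE = re.compile(
    r"\b(it's probably (just|nothing)|try taking|you (don't|do not) need (an|the) appointment|"
    r"(stop|double|skip) your (dose|medication|meds))\b", re.I)
# Disclosing results is fine only after the caller has been verified earlier in the call.
RESULTS_RE = re.compile(r"\b(lab|test|biopsy) results? (came back|are|show)\b", re.I)
VERIFY_RE = re.compile(r"\b(date of birth|verify your identity|last four)\b", re.I)


class CallMonitor:
    """Consumes segments as the transcriber emits them and raises alerts in real time."""

    def __init__(self, notify=None):
        self.notify = notify or (lambda alert: None)   # pager/email hook for the practice manager
        self.verified = set()                          # call IDs where staff verified the caller
        self.alerts = []

    def _alert(self, seg, rule, excerpt):
        alert = Alert(seg.call_id, seg.offset_s, rule, excerpt)
        self.alerts.append(alert)
        self.notify(alert)

    def ingest(self, seg):
        if seg.speaker != "staff":
            return                          # these rules are about staff conduct only
        if VERIFY_RE.search(seg.text):
            self.verified.add(seg.call_id)  # remember per call, not per segment
        if (m := ADVICE_RE.search(seg.text)):
            self._alert(seg, "staff_medical_advice", m.group(0))
        if (m := RESULTS_RE.search(seg.text)) and seg.call_id not in self.verified:
            self._alert(seg, "results_before_identity_check", m.group(0))


def monitor_calls(segments, notify=None):
    """Runs the monitor over a segment stream and returns every alert raised."""
    mon = CallMonitor(notify)
    for seg in segments:
        mon.ingest(seg)
    return mon.alerts


SAMPLE = [  # constructed transcript output, not real calls
    Segment("c1", 2.0, "staff", "Thanks for calling, can I get your date of birth to verify?"),
    Segment("c1", 6.5, "caller", "March third, 1980. I've had a headache for two days, what should I do?"),
    Segment("c1", 12.0, "staff", "It's probably just stress, try taking some ibuprofen."),
    Segment("c2", 1.5, "staff", "Hi, your lab results came back normal, nothing to worry about."),
    Segment("c2", 8.0, "staff", "Let me book you for Tuesday at ten."),
]

if __name__ == "__main__":
    monitor_calls(SAMPLE, notify=print)
```

Because the alert carries the call ID and offset, the manager jumps straight to the flagged moment in the recording instead of listening to the whole call, which is the point the article makes. Swapping the regexes for a model changes only the two `search` calls; the per-call state and the alerting path stay the same.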

How Wingman Addresses This

ECG's Wingman platform is built specifically for this environment. It provides call recording and AI-powered transcription that operates inside the service provider's or healthcare organization's own data center — not in a third-party cloud. That single design decision eliminates the most common HIPAA problem with transcription services: the need to route PHI through an external vendor who may not sign a BAA.

Within Wingman, data is segmented by tenant — Healthcare Org 1's CDRs and recordings are stored separately from Healthcare Org 2's. Access is role-based, logged, and auditable. The system is designed to support the access-log reviews that HIPAA requires, and to give the covered entity meaningful control over their own data.

The result is a service you can actually stand behind when a healthcare customer asks: "Where does our call data go, and who can see it?"