Glossary

HIPAA

The Health Insurance Portability and Accountability Act — a U.S. federal law protecting sensitive patient health information.

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996 that sets national standards for protecting sensitive patient health information (Protected Health Information, or PHI). Healthcare providers, health plans, and clearinghouses, together with any vendor that handles PHI on their behalf, must comply or face civil penalties that scale with culpability: the statutory tiers run from $100 to $50,000 per violation, with an annual cap per violated provision (originally $1.5M, since adjusted for inflation), and knowing misuse of PHI can also be prosecuted criminally.

HIPAA's Three Key Rules

  • Privacy Rule: Controls how PHI may be used and disclosed; uses beyond treatment, payment, and healthcare operations generally require the patient's written authorization, and every use or disclosure is limited to the minimum necessary.
  • Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (access controls, audit logs, integrity controls, and encryption where reasonable and appropriate).
  • Breach Notification Rule: Requires notification of affected individuals and HHS (and, for breaches affecting more than 500 residents of a state, the media) when unsecured PHI is accessed, used, or disclosed without authorization.

Who Must Comply

  • Covered entities: healthcare providers, health plans, healthcare clearinghouses.
  • Business associates: any vendor handling PHI on behalf of a covered entity (e.g., a voice platform, email provider, or cloud storage provider), bound by a Business Associate Agreement (BAA).

Voice Platform Compliance

A healthcare provider using an AI voice agent for appointment scheduling or triage must:

  • Sign a BAA with the voice platform before any PHI reaches it; the BAA assigns the vendor's obligations but does not remove the provider's own.
  • Ensure the platform encrypts PHI in transit and at rest, including call recordings and transcripts, which are PHI once they pair a patient's identity with health details.
  • Review the platform's access logs for access that is not tied to an authorized user and a permitted purpose, and treat anything found as a potential reportable breach.
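The log-review step above is the one a practitioner can actually automate. The following is an added example written for this glossary entry, not Workforce Wave's own tooling, and it assumes a hypothetical JSON-lines audit log format (actor, patient record, action, purpose) and a hypothetical authorization roster; real platforms export their own schema. It flags accesses by users not on the patient's roster, accesses whose stated purpose falls outside treatment, payment, and operations, and then lists the patients whose PHI was touched, which is the population the Breach Notification Rule requires you to assess.

```python
"""Review a voice platform's PHI access log for unauthorized access.

Illustrative code added for this glossary entry (not Workforce Wave's own code).
The log format and the roster below are assumptions; adapt them to the schema
your platform actually exports.
"""
import json
from datetime import datetime

# Constructed sample roster: which actors may touch which patient records.
# In practice this comes from the scheduling system or care-team assignments.
AUTHORIZED = {
    "patient-1001": {"svc-voice-agent", "dr.alvarez", "scheduler-kim"},
    "patient-1002": {"svc-voice-agent", "dr.alvarez"},
}

# Purposes the Privacy Rule permits without patient authorization:
# treatment, payment, and healthcare operations.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:05Z","actor":"svc-voice-agent","patient":"patient-1001","action":"read","purpose":"treatment"}
{"ts":"2024-03-04T09:15:41Z","actor":"scheduler-kim","patient":"patient-1001","action":"update","purpose":"operations"}
{"ts":"2024-03-04T22:03:10Z","actor":"intern-lee","patient":"patient-1002","action":"read","purpose":"treatment"}
{"ts":"2024-03-04T10:30:00Z","actor":"dr.alvarez","patient":"patient-1002","action":"export","purpose":"marketing"}
{"ts":"2024-03-04T10:31:00Z","actor":"svc-voice-agent","patient":"patient-1002","action":"read","purpose":"treatment"}
"""


def parse_log(text):
    """Parse JSON-lines audit records.

    Malformed lines are collected and reported rather than silently dropped:
    a reviewer must know when part of the audit trail is unreadable.
    Returns (records, errors) where errors is a list of (line_number, message).
    """
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            # Accept the trailing "Z" that many exporters emit for UTC.
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            for field in ("actor", "patient", "action", "purpose"):
                rec[field]  # raise KeyError if a required field is missing
            records.append(rec)
        except (ValueError, KeyError, TypeError) as exc:
            errors.append((lineno, f"{type(exc).__name__}: {exc}"))
    return records, errors


def find_violations(records, authorized=AUTHORIZED):
    """Flag accesses the roster or the Privacy Rule does not cover.

    Both checks run independently, so one record can carry two reasons.
    Returns a list of (record, reasons) tuples.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec["actor"] not in authorized.get(rec["patient"], set()):
            reasons.append("actor not on the authorized roster for this patient")
        if rec["purpose"] not in PERMITTED_PURPOSES:
            reasons.append(
                f"purpose '{rec['purpose']}' is outside treatment/payment/operations"
            )
        if reasons:
            findings.append((rec, reasons))
    return findings


def affected_patients(findings):
    """Distinct patients whose PHI was touched by a flagged access.

    This is the population to assess under the Breach Notification Rule and,
    if unsecured PHI was compromised, to notify.
    """
    return sorted({rec["patient"] for rec, _ in findings})


if __name__ == "__main__":
    recs, errs = parse_log(SAMPLE_LOG)
    for lineno, msg in errs:
        print(f"line {lineno}: unreadable audit record ({msg})")
    for rec, reasons in find_violations(recs):
        print(f"{rec['ts'].isoformat()} {rec['actor']} {rec['action']} {rec['patient']}: "
              + "; ".join(reasons))
    print("patients to assess for notification:", affected_patients(find_violations(recs)))
```

On the sample data this flags the intern who is not on patient-1002's roster and the physician's export for a marketing purpose; the authorized voice-agent reads pass. The check is deliberately conservative: it reports a possible breach, and the provider's breach risk assessment decides whether notification is required.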

Workforce Wave HIPAA

Workforce Wave is HIPAA-compliant: we provide a signed BAA for healthcare customers, encrypt all PHI using industry-standard ciphers, maintain detailed audit logs, and undergo annual SOC 2 Type II audits that independently test these controls. HHS does not certify products as HIPAA-compliant, so a current BAA and an independent audit report are the evidence a healthcare customer should ask any vendor for.

See AI Voice Agents in Action

Workforce Wave deploys AI voice agents across healthcare, staffing, and more. Book a 30-minute demo — no pressure, no generic scripts.

Book a Demo