Is Your Answering Service HIPAA Compliant? BAA Requirements for Phone Services

By GuardWell Compliance Team·May 16, 2026·9 min read

It is 2:00 AM and a patient calls your practice. Your answering service picks up, takes the patient’s name, date of birth, a description of their symptoms, and a callback number. That operator just received protected health information on your behalf. If your answering service has not signed a Business Associate Agreement, every after-hours call for as long as you have used the service has been a HIPAA exposure. And if that answering service is not training its operators on HIPAA requirements, the exposure compounds with every message.

Why Answering Services Are Business Associates

Under 45 CFR 164.502(e), any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. A medical answering service unambiguously qualifies. When an operator takes a message that includes a patient’s name, symptoms, medications, or any other health-related information, they are receiving PHI on your behalf. The BAA requirement is triggered the moment the service begins handling calls for your practice.

This applies to all types of answering services:

  • Live operator answering services
  • Automated call routing and voicemail services that record patient messages
  • After-hours triage services staffed by nurses or medical professionals
  • Virtual receptionist services
  • Secure messaging relay services

The format of the PHI does not matter. Spoken information received over the phone is PHI. Written messages transcribed from those calls are PHI. Call recordings are PHI. Message logs stored in the answering service’s system are PHI.

What a HIPAA-Compliant Answering Service Looks Like

Not all answering services are prepared to handle medical calls in a HIPAA-compliant manner. When evaluating your current service or shopping for a new one, look for these indicators of compliance:

Signed BAA

This is the baseline requirement. The answering service must sign a BAA that meets the requirements of 45 CFR 164.504(e) before they handle a single call. The BAA should specify how they will safeguard PHI, their breach notification obligations, and the terms for return or destruction of PHI at termination.

Operator Training

Operators who handle medical calls must receive HIPAA training. This includes understanding what constitutes PHI, the minimum necessary standard (collecting only the information needed to relay the message), and how to handle calls in a way that prevents unauthorized disclosure. Ask the answering service to provide documentation of their training program.

Secure Message Delivery

How does the answering service transmit messages to your practice? If they send messages via unencrypted email, text message, or public-facing messaging apps, the transmission is not compliant. Compliant delivery methods include encrypted email, secure web portals, HIPAA-compliant messaging platforms, or direct integration with your EHR’s messaging system.

Call Recording Safeguards

If calls are recorded (and many answering services record calls for quality assurance), those recordings contain PHI and must be secured with access controls, encryption, and retention policies. Ask how long recordings are retained, who has access, and how they are destroyed when the retention period expires.

Physical and Technical Safeguards

The answering service’s facility should implement physical safeguards (restricted access to the call center floor, screen privacy measures) and technical safeguards (unique user IDs, automatic logoff, audit logging). Remote operators present additional challenges — if operators work from home, the service must ensure that the home environment meets HIPAA security standards.

Common Compliance Failures in Answering Services

Based on our experience helping practices manage vendor compliance through GuardWell’s platform, these are the most frequent problems we see with answering service arrangements:

  • No BAA in place. The practice has used the service for years without ever discussing HIPAA or executing a BAA. This is the most common and most serious gap.
  • Messages sent via unencrypted channels. The answering service sends patient messages to the on-call provider’s personal cell phone via SMS or unencrypted email. Every message is a potential violation.
  • Excessive information collection. Operators ask for and record more patient information than necessary to relay the message. A message does not need to include a patient’s full medical history — it needs enough information for the provider to return the call.
  • No training documentation. The answering service cannot produce records showing that operators received HIPAA training.
  • Shared login credentials. Multiple operators use the same login to access the message system, making it impossible to audit who accessed what information.

Steps to Remediate an Answering Service Compliance Gap

  1. Contact your answering service immediately and ask whether they have a BAA available. If they serve other medical practices, they likely do. Execute it promptly.
  2. Request evidence of their HIPAA compliance program: training records, security policies, breach notification procedures, and evidence of a security risk assessment.
  3. Evaluate message delivery methods. If messages are delivered via unencrypted SMS or email, require the service to switch to a secure delivery method. If they cannot, find a service that can.
  4. Review message scripts. Work with the answering service to ensure operators collect only the minimum necessary information: patient name, callback number, and a brief description of the concern. Avoid collecting Social Security numbers, insurance information, or detailed medical histories during after-hours calls.
  5. Add the answering service to your vendor management inventory. Track the BAA status, review date, and compliance assessment alongside all your other business associate relationships.
  6. Document the gap and remediation. As with any compliance gap, create a written record of the issue, your risk assessment, and the corrective actions taken.

What If Your Answering Service Will Not Sign a BAA?

If your answering service refuses to sign a BAA, you must find a new answering service. There is no workaround. You cannot instruct operators to “avoid collecting PHI” because patient names and symptom descriptions are inherently PHI in the context of a medical call. A service that refuses to sign a BAA is telling you that they are not prepared to handle patient information in a compliant manner — and continuing to use them exposes your practice to enforcement action.

The good news is that HIPAA-compliant medical answering services are widely available. Many specialize in healthcare and have built their operations around HIPAA requirements from the ground up. The cost difference between a compliant service and a non-compliant one is minimal compared to the cost of an OCR enforcement action.

Frequently Asked Questions

Does my answering service need a BAA if they only take messages and never access our EHR?

Yes. The BAA requirement is triggered by the creation, receipt, maintenance, or transmission of PHI — not by EHR access specifically. When an operator takes a message containing a patient’s name and symptoms, they have received PHI on your behalf. EHR access is irrelevant to the BAA determination.

What about an automated voicemail system that patients call into directly?

If the voicemail system is operated by a third-party vendor and stores recordings of patient messages, the vendor is a business associate and a BAA is required. If the voicemail system is part of your own phone system and recordings are stored on your premises or in a cloud service you control (with its own BAA), no separate answering-service BAA is needed for that component — but the cloud provider BAA still applies.

Can I just tell patients not to leave medical information in their messages?

You can include a prompt suggesting that callers leave only their name and callback number, but you cannot control what patients say. Patients will leave symptoms, medication names, and other PHI in messages regardless of your instructions. Your compliance program must assume that PHI will be present in answering service communications and ensure safeguards are in place accordingly.

How do I verify that my answering service is actually training their operators on HIPAA?

Request documentation: training curricula, completion records, and attestation logs. A reputable medical answering service will be able to produce these readily. Include a provision in your BAA requiring the answering service to provide training documentation upon request and to notify you of any compliance gaps identified during their own assessments. Periodic review of this documentation should be part of your annual risk assessment.
