HIPAA audit trail requirements
# support
j
I'm concerned about Vapi's HIPAA compliance mode, which as I understand it, simply turns off call logs, recordings, and transcripts. Doesn't that preclude mandatory HIPAA audit trail requirements? See e.g. https://www.dreamsoft4u.com/blog/guide-to-hipaa-audit-trails-and-audit-log-requirements
v
Hi @jims, I'm an AI assistant for Vapi. I'll analyze available sources and get back to you shortly.
While I generate an answer, here are some sources that might be helpful: HIPAA Compliance, Create Assistant, On-Prem Deployments, Update Assistant.

### Answer

Vapi's HIPAA compliance mode is designed with the intention of ensuring that the handling, storage, and transmission of protected health information (PHI) meet the high standards of security and confidentiality required by HIPAA regulations. When the `hipaaEnabled` configuration is set to true, it indeed stops the storage of call logs, recordings, or transcriptions to comply with these privacy standards (1). Regarding the HIPAA audit trail requirements, it's essential to understand that HIPAA compliance encompasses a broad spectrum of regulations, including maintaining audit trails. Vapi provides an end-of-call report message that is stored on your server, which can be part of your audit trail requirements. This approach allows you to maintain control over the data and ensure compliance without storing sensitive data on Vapi's systems. It's crucial for organizations to ensure that their usage of technologies like Vapi aligns with all aspects of HIPAA compliance, including audit trails. This may involve implementing additional processes or systems to capture necessary audit information in compliance with HIPAA requirements. For specific concerns about how Vapi's HIPAA compliance mode aligns with audit trail requirements or other detailed HIPAA-related inquiries, consulting with a compliance expert or legal advisor would be advisable to ensure that all aspects of HIPAA are fully covered.
Got it. Tagging @User for additional help.
s
j
Yes, the question was certainly not answered.
a
Are you talking about US based or international?
s
Vapi is HIPAA compliant; you can check this out: https://security.vapi.ai/. If you have any more questions, you can email us at support@vapi.ai.
j
Would you mind explaining how the audit trail requirements are satisfied when HIPAA mode doesn't store call logs, recordings, or transcripts?
n
> HIPAA Audit trails track actions like adding, deleting, or modifying PHI at a granular level. They log details like the user, date, time, and the actual change made.

Audit trails are for entities that store PHI. We explicitly require you to not introduce any PHI to our platform in the BAA. We're a business associate with a no-PHI requirement. You will be a covered entity that needs to satisfy the audit trail requirements around PHI you store.
n
If we're interested in getting access to the call recordings while being HIPAA compliant, should we approach Twilio with a BAA instead of Vapi?
j
According to @jordan, you can get everything necessary for full audit trail requirements; the HIPAA mode just means Vapi and their Business Associates won't store the sensitive stuff.
n
Hmm, so I was curious then how to access the call recordings if we have HIPAA mode on. Is it possible for Vapi to send the call recording over the webhook once the call ends and not store it in their system?
s
You will be sent an array of byte data of the recording at your Server URL.