HIPAA audit trail requirements
# support
j
I'm concerned about Vapi's HIPAA compliance mode, which as I understand it, simply turns off call logs, recordings, and transcripts. Doesn't that preclude mandatory HIPAA audit trail requirements? See e.g. https://www.dreamsoft4u.com/blog/guide-to-hipaa-audit-trails-and-audit-log-requirements
v
Hi @jims, I'm an AI assistant for Vapi. I'll analyze available sources and get back to you shortly.
### Answer
Vapi's HIPAA compliance mode is designed with the intention of ensuring that the handling, storage, and transmission of protected health information (PHI) meet the high standards of security and confidentiality required by HIPAA regulations. When the `hipaaEnabled` configuration is set to true, it indeed stops the storage of call logs, recordings, or transcriptions to comply with these privacy standards (1).

Regarding the HIPAA audit trail requirements, it's essential to understand that HIPAA compliance encompasses a broad spectrum of regulations, including maintaining audit trails. Vapi provides an end-of-call report message that is stored on your server, which can be part of your audit trail requirements. This approach allows you to maintain control over the data and ensure compliance without storing sensitive data on Vapi's systems.

It's crucial for organizations to ensure that their usage of technologies like Vapi aligns with all aspects of HIPAA compliance, including audit trails. This may involve implementing additional processes or systems to capture necessary audit information in compliance with HIPAA requirements. For specific concerns about how Vapi's HIPAA compliance mode aligns with audit trail requirements or other detailed HIPAA-related inquiries, consulting with a compliance expert or legal advisor would be advisable to ensure that all aspects of HIPAA are fully covered.
Got it. Tagging @User for additional help.
j
Yes, the question was certainly not answered.
a
Are you talking about US based or international?
s
Vapi is HIPAA compliant; you can check this out: https://security.vapi.ai/. If you have any more questions, email us at support@vapi.ai
j
Would you mind explaining how the audit trail requirements are satisfied when HIPAA mode doesn't store call logs, recordings, or transcripts?
n
> HIPAA Audit trails track actions like adding, deleting, or modifying PHI at a granular level. They log details like the user, date, time, and the actual change made.

Audit trails are for entities that store PHI. We explicitly require you to not introduce any PHI to our platform in the BAA. We're a business associate with a no-PHI requirement. You will be a covered entity that needs to satisfy the audit trail requirements around PHI you store.
n
If we're interested in getting access to the call recordings while being HIPAA compliant, should we approach Twilio with a BAA instead of Vapi?
j
According to @jordan you can get everything necessary for full audit trail requirements, the HIPAA mode just means Vapi and their Business Associates won't store the sensitive stuff.
n
Hmm, so I was curious then how to access the call recordings if we have HIPAA mode on. Is it possible for Vapi to send the call recording over the webhook once the call ends and not store it in their system?
s
You will be sent an array of byte data of the recording to your Server URL.
u
@jims I just wanted to know whether it is required to get a HIPAA compliant phone number as well, or whether just the Vapi HIPAA setting is enough, while working within the health care niche in the USA? I have 2 potential clients right now who are interested, and I really need to know this. Thanks in advance.
@nandu7948 Looks like you are also working with HIPAA. I wanted to know this from you as well! If you could help, I would really appreciate that.
j
As far as I know, there is no such thing as a HIPAA compliant phone number, but HIPAA compliance is a lot more than just flipping the switch on the Vapi dashboard. There are six or seven different reports you need to draft and deposit with the care provider's regulator.
In fact, the default HIPAA compliance option in Vapi will prevent you from creating audit trails, so you might have to keep it off and use the API, to download, securely store, and then delete PII-laden artifacts like call transcripts programmatically, which is what some Vapi users governed by HIPAA actually do instead.
In either case, you will have to draft, in many cases have signed, and deposit: one or more Business Associate Agreements (including with Vapi and everything else you use to process any kind of PII), one or more Privacy Policies and Procedures, a Risk Analysis and Management Plan, a Data Backup and Disaster Recovery Plan, an Incident Response Plan, and Privacy Training Documentation. On that last point, you have to have all the administrative users of the system sign off on the training document, which will typically contain most or all of the other documents inside it. It's normally a couple of weeks of work for all this, and while some people (HIPAA compliance consultants) will say it's a lot more work, much of what they do is optional filler, and LLMs are remarkably good at helping to draft all those docs.
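The pattern described in the posts above (receive the end-of-call report on your own server, copy the transcript or recording bytes into storage you control, record who touched it and when, then delete the vendor's copy) can be sketched as follows. This is an added example, not Vapi's code or its actual webhook schema: the shape of the `payload` dict, the `vendor_delete` callback, the in-memory `store` (standing in for storage that is encrypted at rest) and the HMAC key are all constructed for illustration. The audit log is hash-chained and HMAC-sealed so that a later edit or deletion of an entry is detectable, which is the property an auditor will ask about.

```python
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditLog:
    """Append-only audit trail: every entry records actor, time, action and object,
    carries the MAC of the previous entry, and is sealed with an HMAC so that
    modifying or dropping an earlier entry breaks verify()."""

    def __init__(self, key: bytes):
        self._key = key            # constructed key; in production keep it out of the app that writes PHI
        self.entries = []

    def _seal(self, body: dict) -> str:
        raw = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, raw, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, object_id: str, detail: dict, ts=None) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"ts": time.time() if ts is None else ts, "actor": actor,
                 "action": action, "object": object_id, "detail": detail, "prev": prev}
        entry["mac"] = self._seal(entry)
        self.entries.append(entry)
        return entry["mac"]

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "mac"}
            if not hmac.compare_digest(self._seal(body), e["mac"]):
                return False
            prev = e["mac"]
        return True


def handle_end_of_call(payload: dict, store: dict, audit: AuditLog, vendor_delete, actor="webhook"):
    """Hypothetical end-of-call handler. Copies each PHI-bearing artifact into our own
    store, logs a 'create' event with a content hash, then asks the vendor to delete its
    copy and logs the outcome. Returns the store keys written."""
    msg = payload["message"]
    call_id = msg["call"]["id"]
    artifacts = {}
    if "transcript" in msg:
        artifacts["transcript"] = msg["transcript"].encode()
    if "recording" in msg:                      # recording arrives as an array of bytes
        artifacts["recording"] = bytes(msg["recording"])
    written = []
    for kind, data in artifacts.items():
        key = f"{call_id}/{kind}"
        store[key] = data
        audit.append(actor, "create", key,
                     {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)})
        written.append(key)
    ok = bool(vendor_delete(call_id))
    audit.append(actor, "vendor_delete", call_id, {"ok": ok})
    return written


def read_artifact(store: dict, audit: AuditLog, actor: str, key: str) -> bytes:
    """Every read of PHI is itself an auditable event (user, time, object)."""
    data = store[key]
    audit.append(actor, "read", key, {"bytes": len(data)})
    return data


# Constructed sample payload (not Vapi's real schema) and a fake vendor delete call.
SAMPLE_PAYLOAD = {
    "message": {
        "type": "end-of-call-report",
        "call": {"id": "call_example_001"},
        "transcript": "Patient confirms appointment for Tuesday.",
        "recording": [82, 73, 70, 70, 0, 0, 0, 0, 87, 65, 86, 69],
    }
}


def fake_vendor_delete(call_id: str) -> bool:
    # Stand-in for an HTTP DELETE against the vendor's API; always succeeds here.
    return call_id.startswith("call_")


def demo():
    store, audit = {}, AuditLog(b"constructed-demo-key")
    keys = handle_end_of_call(SAMPLE_PAYLOAD, store, audit, fake_vendor_delete)
    read_artifact(store, audit, "dr_smith", keys[0])
    return keys, store, audit
```

Running `demo()` yields two stored artifacts, four audit entries (two creates, one vendor delete, one read) and `audit.verify()` returning `True`; flipping any field of an earlier entry makes `verify()` return `False`.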
u
I see. Bro, thanks a lot! Should I send a DM? I have got several questions. Your help will be VERY much appreciated!
You are the most knowledgeable person I have seen regarding this HIPAA issue. You are like finding a gem in the dust to me.
j
Sure, DM away
c
(it appears the answer is YES, which is awesome)
s
yes