HIPAA call center requirements apply to any organization that handles patient data during calls or texts, regardless of size. The Health Insurance Portability and Accountability Act (HIPAA) covers hospital billing departments and healthcare advocacy nonprofits equally. If your team makes outreach calls involving patient health information, the Office for Civil Rights (OCR) holds you to the same standards as an enterprise contact center. Per HHS enforcement data, a non-compliant setup can mean penalties of up to $2.19 million per violation category per year, an OCR investigation, and significant reputational damage.
This guide covers what those requirements look like in practice, what features to demand from any platform you evaluate, and how to run a compliant calling program at scale.
What makes a call center subject to HIPAA?
A call center becomes subject to HIPAA when it handles, transmits, or accesses protected health information (PHI) on behalf of a covered entity. PHI is any individually identifiable health information tied to a person’s past, present, or future health status, treatment, or payment. If your agents encounter names, diagnoses, treatment records, or health insurance details during calls, your call center is handling PHI and HIPAA applies.

Covered entity vs. business associate: Which one are you?
HIPAA defines two categories of regulated organizations.
Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Hospitals, clinics, and insurance companies fall here by default.
Business associates (BAs) are organizations that perform functions on behalf of covered entities and, in doing so, access PHI. If your healthcare advocacy nonprofit runs calling programs for a hospital system or health plan, your organization is almost certainly a business associate.
The distinction matters because both categories carry the same core compliance obligations under the HIPAA Omnibus Rule. Business associates do not get a lighter compliance burden simply because they are not hospitals.
When a healthcare outreach program becomes a business associate
Healthcare outreach programs, patient advocacy organizations, and community health callers often assume they sit outside HIPAA’s reach. That assumption is wrong. The moment your calling program:
- Uses a contact list that includes patient names and health conditions
- Makes appointment reminder calls on behalf of a clinic or health plan
- Calls patients to confirm medication adherence or care plan follow-up
- Runs health surveys that collect or transmit health status information
…your organization is functioning as a business associate and every call center safeguard applies. According to cybersecurity researchers, stolen healthcare records are approximately 25 times more valuable than credit card data on the black market and account for 95% of all identity theft cases. OCR does not limit its enforcement actions to hospital IT departments.
The core HIPAA requirements for call centers
A HIPAA-compliant call center must implement administrative, technical, and physical safeguards to protect any PHI that agents access during calls. These safeguards are required under the HIPAA Security Rule for electronic PHI (ePHI) and under the HIPAA Privacy Rule for all PHI. The requirements apply regardless of whether you are a covered entity or a business associate.

Administrative safeguards
Administrative safeguards are the policies and procedures that govern how PHI is handled. Required elements include:
- Designated security officer: One person owns HIPAA compliance and oversight for the organization
- Risk analysis: A documented assessment of where ePHI exists, how it moves, and what vulnerabilities exist
- Risk management policy: A plan to address the risks identified in the assessment
- Identity verification procedures: Agents must confirm caller identity before discussing any health information
- Workforce training: All agents who handle PHI must complete HIPAA training before accessing any PHI-containing systems
- Sanction policy: Defined consequences for employees who violate HIPAA
For a full checklist of administrative requirements, see the HIPAA compliance checklist for healthcare outreach teams.
Technical safeguards
Technical safeguards cover the systems and tools your call center uses. For ePHI, the HIPAA Security Rule requires:
- Encryption in transit: All ePHI transmitted over networks must be encrypted. The current standard is AES-256 for data at rest and TLS 1.2 or higher for data in transit.
- Access controls: Unique user IDs, automatic session timeouts, and role-based access that limits which agents see which data
- Audit controls: Logs that record who accessed ePHI, when, and what was done with it. OCR requires these logs to be available for review.
- Multi-factor authentication (MFA): Required for any system that stores or transmits ePHI. Single-factor authentication (username and password only) is insufficient for a HIPAA-compliant environment.
- Transmission security: Any PHI transmitted electronically must be encrypted, including call recordings, post-call notes, and contact records
The minimum necessary standard also applies: agents should access only the PHI required to complete their specific task, nothing more.
Physical safeguards
Physical safeguards govern where agents work and how workstations are secured:
- Screen locks on all devices after a short idle period
- Clear desk policies for agents who handle any printed PHI
- Remote agent policies that address home office security: no shared devices, no unsecured Wi-Fi, screens locked when unattended
- Physical access controls for any facility where PHI is processed
For healthcare outreach programs with distributed volunteer or remote agent teams, the remote agent policy is where most compliance gaps appear.
Business Associate Agreement requirements
A Business Associate Agreement (BAA) is a legally binding contract between a covered entity and any vendor or partner that handles PHI on its behalf. Your call center software vendor must sign a BAA before your agents use that platform for calls involving PHI.
A BAA must specify:
- What PHI the business associate will access and why
- How the business associate will protect PHI
- That the business associate will report breaches to the covered entity
- That the business associate will return or destroy PHI at contract termination
- That the business associate will comply with the applicable HIPAA provisions
If your calling platform has not provided a signed BAA and your agents handle PHI, you are out of compliance. A data processing agreement is not equivalent to a BAA.
HIPAA training for call center agents
Every agent who accesses PHI-containing systems must complete HIPAA training before working with patient data. Training must cover:
- What PHI is and why it requires protection
- How to verify caller identity before discussing health information
- What to do if they suspect a breach or unauthorized access
- Call recording procedures that involve PHI
- Organization-specific policies on minimum necessary access
Training is not a one-time event. Document all completions with dates and agent names.
Breach notification requirements
Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals and HHS within 60 days of discovering a breach of unsecured PHI. Business associates must notify the covered entity within 60 days so the covered entity can meet its own notification obligations.
Breaches that must be reported include:
- Unauthorized access to agent accounts containing call records with PHI
- Improperly recorded calls transmitted to unauthorized parties
- PHI transmitted without encryption over an unsecured channel
Low-probability exceptions exist, but do not assume an incident qualifies without legal review. Under-reporting is a common source of OCR enforcement actions.
HIPAA call recording requirements
Call recording in a healthcare context is not automatically prohibited, but it is tightly regulated. The core principle: Any recording that captures PHI is ePHI and must be treated accordingly.

Consent, encryption, and retention rules
Consent: Most states require one-party or two-party consent before recording a call. In healthcare contexts, best practice is two-party consent with a clear verbal disclosure at the start of the call. State law governs consent requirements and HIPAA does not override stricter state rules.
Encryption: Recordings that contain PHI must be stored with AES-256 encryption and transmitted only over TLS-secured connections. Unencrypted call recordings stored in a shared folder are a breach waiting to happen.
Retention: HIPAA does not specify a retention period for call recordings specifically, but the HIPAA Privacy Rule generally requires covered entities to retain documentation for six years from creation or last effective date. Many compliance officers apply this standard to call recordings that contain PHI.
Access controls: Only authorized personnel should be able to access, download, or share call recordings. Audit logs must track every access event.
For outreach programs that also communicate via text, the same PHI protections apply to SMS records. See HIPAA-compliant texting for healthcare organizations for how texting compliance sits alongside call center requirements.
6 features to require in any HIPAA-compliant call center software
Not all call center software is built for healthcare environments. When evaluating platforms, require these six capabilities before signing any contract.

- Signed Business Associate Agreement available: The vendor must be willing and able to sign a BAA. If they are not, they cannot legally handle PHI on your behalf. This is a binary pass/fail criterion, not a negotiation.
- End-to-end encryption: AES-256 for data at rest, TLS 1.2 or higher for data in transit, including call recordings. Ask specifically whether recordings are encrypted by default or require an add-on.
- Role-based access controls: Agents should only see the contact records and call data required for their specific function. Supervisors, compliance officers, and agents should have different permission levels by default.
- Audit logging: Every login, data access, and recording export should generate a timestamped log entry. These logs are required for OCR investigations and breach inquiries.
- Multi-factor authentication (MFA): Required for any platform that stores or transmits ePHI. Confirm it is enforced by default, not listed as an optional setting that users can bypass.
- Defined data retention and deletion controls: The platform must support your retention policy and allow you to delete or export PHI upon contract termination. Vendor lock-in that prevents PHI deletion is a compliance liability.
Before purchasing, ask the vendor to confirm in writing which of these are built into the base platform versus available as paid add-ons. The complete call center software buyer’s guide covers the broader evaluation framework for outreach calling platforms.
How CallHub meets HIPAA call center requirements
CallHub is built for the compliance requirements of healthcare outreach organizations. The platform holds SOC2, GDPR, ISO 27001, and HIPAA compliance certifications, with all calling and messaging infrastructure hosted on AWS. See the full documentation at CallHub’s security and compliance certifications.

Here is how CallHub maps to the requirements covered in this guide:
- Encryption: All data in transit is encrypted via TLS. Data at rest uses AES-256 encryption. Applies to call recordings, contact records, and all ePHI transmitted through the platform.
- BAA: CallHub will sign a Business Associate Agreement for healthcare customers who handle PHI.
- Access controls: Role-based access controls let compliance teams define what each agent and supervisor can see and do within the platform.
- Audit logging: All user activity is logged and available for compliance review and OCR response.
- MFA: Two-factor authentication (2FA) is available for all accounts and required for administrator access.
- Compliance certifications: SOC2 Type II, ISO 27001, HIPAA, and GDPR. These are third-party audited certifications.
For healthcare outreach programs that call and text patients, volunteers, donors, or advocates, the HIPAA-compliant call center software built for outreach teams addresses the technical requirements from this guide without requiring a custom enterprise deployment.
Run your calling program on a platform your compliance team trusts
HIPAA call center requirements apply the moment your outreach program handles patient data. Whether you run a hospital system’s patient engagement program, a healthcare advocacy nonprofit, or a patient-facing calling campaign, the obligations are the same: documented safeguards, encrypted infrastructure, signed BAAs, and trained agents.
Meeting those requirements does not require a custom enterprise system. It requires choosing a platform that is already certified and has the contractual and technical controls in place. Start by reviewing CallHub’s HIPAA, SOC2, and ISO 27001 compliance certifications, then evaluate the HIPAA-compliant call center software built for outreach teams against the six-feature checklist from this guide.
Frequently asked questions
Are phone calls covered by HIPAA?
Phone calls are covered by HIPAA if they involve protected health information (PHI). Any call where an agent discusses, accesses, or transmits information related to a person’s health status, treatment, or payment on behalf of a covered entity falls under HIPAA’s Privacy and Security Rules. HIPAA does not apply to general calling programs that do not touch health data.
Does HIPAA apply to call centers?
Yes, HIPAA applies to call centers that handle PHI as part of their operations. Covered entities (hospitals, clinics, health plans) are subject to HIPAA directly. Call centers and outreach programs that work on behalf of covered entities are business associates and subject to the same core safeguards under the HIPAA Omnibus Rule.
What encryption standard does HIPAA require for call centers?
HIPAA requires that electronic PHI (ePHI) be encrypted both in transit and at rest. The current standard is AES-256 for stored data and TLS 1.2 or higher for data in transit. HIPAA does not specify a particular encryption algorithm in the regulation text, but these are the standards referenced in HHS guidance and applied by compliance auditors.
Do call center agents need HIPAA training?
Yes. Every agent who accesses PHI or systems that contain PHI must complete HIPAA training before working with patient data. Training must cover what PHI is, identity verification procedures, breach reporting obligations, and organization-specific policies. All training completions must be documented with dates and agent names.
What are the HIPAA penalties for call centers?
HIPAA penalties are tiered by culpability. The highest tier (willful neglect that goes uncorrected) carries penalties of up to $2.19 million per violation category per year (2025 inflation-adjusted), per HHS enforcement data. Penalties accumulate per violation category and can compound quickly in a breach affecting multiple individuals.
What should a BAA with a call center software vendor include?
A BAA with a software vendor should specify: what PHI the vendor will access and for what purpose, the security safeguards the vendor will implement, breach notification obligations and timelines, what happens to PHI at contract termination (return or destruction), and that the vendor agrees to comply with applicable HIPAA provisions. Review any BAA with legal counsel before signing.
What are the HIPAA call recording rules for outbound campaigns?
Recordings that capture PHI are electronic PHI and must be encrypted at rest (AES-256) and in transit (TLS 1.2 or higher). Consent disclosure is required before recording, with state law governing whether one-party or two-party consent applies. Access to recordings must be role-restricted and logged. Retention periods should follow your organization’s documentation policy, with six years as a standard reference under the HIPAA Privacy Rule.


