HIPAA Compliance

Effective Date: Jan 1, 2025

Last Updated: Jul 10, 2025

This document establishes the Health Insurance Portability and Accountability Act (HIPAA) compliance framework for VoiceAIWrapper, a white-label voice AI platform operated by New XP Technologies Limited. VoiceAIWrapper enables agencies to provide voice AI services to healthcare clients while maintaining full HIPAA compliance through a shared responsibility model.

CRITICAL REQUIREMENT: Agencies using VoiceAIWrapper for healthcare use cases must ensure their voice AI provider accounts (e.g. Vapi, Retell AI, ElevenLabs, as indicated in our sub-processors list) are properly configured and contracted for HIPAA compliance before processing any Protected Health Information (PHI) through VoiceAIWrapper.

2. Shared Responsibility Model

2.1 VoiceAIWrapper Platform Responsibilities

VoiceAIWrapper is responsible for the following platform-specific HIPAA compliance measures:

Technical Safeguards:

  • Implementing secure API connections with voice providers

  • Maintaining encrypted data transmission (TLS 1.3)

  • Providing role-based access controls within the platform

  • Ensuring secure user authentication and session management

  • Maintaining audit logs of platform access and activities

Administrative Safeguards:

  • Designating a security officer for platform security

  • Implementing access management procedures

  • Conducting regular security assessments of platform infrastructure

  • Maintaining incident response procedures for platform-related events

Physical Safeguards:

  • Leveraging AWS SOC 2 Type II certified infrastructure

  • Ensuring proper facility access controls through cloud provider

  • Maintaining secure workstation access for platform administration

2.2 Agency Client Responsibilities

Agencies using VoiceAIWrapper bear primary responsibility for comprehensive HIPAA compliance, including:

Voice AI Provider Configuration:

  • Executing Business Associate Agreements (BAAs) with applicable voice AI providers (such as Vapi, Retell, ElevenLabs, as indicated in our sub-processors list)

  • Configuring voice provider accounts for HIPAA compliance

  • Ensuring proper encryption settings in voice provider platforms

  • Setting appropriate data retention policies on their voice AI provider accounts

  • Implementing access controls within voice AI provider systems

Healthcare Client Management:

  • Executing BAAs with healthcare clients (covered entities)

  • Implementing comprehensive HIPAA policies and procedures

  • Conducting staff training on HIPAA requirements

  • Managing end-user consent and authorization processes

  • Handling data subject requests from healthcare clients

Compliance Monitoring:

  • Conducting regular risk assessments

  • Monitoring voice provider compliance status

  • Maintaining compliance documentation

  • Implementing corrective actions for compliance gaps

Note: Agencies must verify that their chosen voice AI providers offer HIPAA-compliant services and execute appropriate BAAs before using VoiceAIWrapper for healthcare applications.

3. Incident Response Framework

3.1 VoiceAIWrapper Incident Response

VoiceAIWrapper's incident response is limited to platform-related security events:

  • Platform Security Breaches: Unauthorized access to VoiceAIWrapper platform

  • API Security Incidents: Compromised data transmission between systems

  • Authentication Failures: Compromised user accounts or access controls

  • Data Transmission Issues: Encryption failures or data leakage in transit

Response Timeline: VoiceAIWrapper will notify affected agencies within 24 hours of discovering platform-related incidents.

3.2 Agency Incident Response

Agencies are responsible for all other incident response activities:

  • Healthcare client PHI breach notifications (60-day timeline)

  • HHS breach notifications (60-day timeline)

  • Voice provider incident coordination

  • End-user breach notifications

  • Regulatory reporting and compliance actions

4. Business Associate Agreement (BAA) Framework

4.1 VoiceAIWrapper BAA Scope

VoiceAIWrapper's Business Associate Agreement covers only platform-specific services and does not extend to comprehensive healthcare solution delivery. Our BAA is available at: VoiceAIWrapper BAA Document

Permitted Uses under BAA:

  • Platform administration and user management

  • API integration and data routing

  • Technical support and troubleshooting

  • Security monitoring and incident response

  • Platform analytics and usage reporting

4.2 Required Agency BAAs

Agencies must execute separate BAAs with:

  • Voice AI Providers: Applicable voice AI providers supported by VoiceAIWrapper (e.g. Vapi, Retell, ElevenLabs)

  • Healthcare Clients: All covered entities using the agency's (VoiceAIWrapper client's) services

  • VoiceAIWrapper: Platform usage agreement. Execute VoiceAIWrapper BAA here

5. Compliance Verification

5.1 Agency Compliance Requirements

Before using VoiceAIWrapper for healthcare applications, VoiceAIWrapper may ask agencies to provide:

  • Executed BAAs with all voice AI providers

  • Documentation of HIPAA-compliant voice provider configuration

  • Completed HIPAA training certificates for staff

  • Current HIPAA policy and procedure documentation

  • Risk assessment and security evaluation results

5.2 Ongoing Compliance Monitoring

VoiceAIWrapper will conduct limited compliance monitoring focused on platform usage:

  • Annual review of agency compliance documentation

  • Platform security audits and assessments

  • Incident response testing and validation

  • BAA renewal and update processes

6. Data Processing and Storage

6.1 VoiceAIWrapper Data Handling

VoiceAIWrapper processes only the minimum necessary data for platform functionality:

  • Voice Data: Links to voice recordings (stored by voice providers)

  • Metadata: Call logs, timestamps, and usage statistics

  • User Data: Agency and customer account information

  • Configuration Data: Platform settings and preferences

Data Retention: Platform usage data are retained for 7 days in logs and backups, with immediate deletion upon agency request.

6.2 Voice AI Provider Data Responsibility

Agencies are responsible for ensuring voice AI providers maintain HIPAA-compliant data handling:

  • Proper PHI encryption and storage

  • Appropriate data retention policies

  • Secure data destruction procedures

  • Access controls and audit logging

7. Training and Awareness

7.1 VoiceAIWrapper Staff Training

VoiceAIWrapper provides HIPAA training focused on platform-specific responsibilities:

  • Platform security awareness

  • Limited PHI handling procedures

  • Incident response protocols

  • Customer support guidelines for healthcare clients

7.2 Agency Training Requirements

Agencies must ensure comprehensive HIPAA training for all staff, including:

  • HIPAA Privacy and Security Rules

  • Voice provider platform usage

  • PHI handling and protection procedures

  • Incident response and breach notification

  • Patient rights and consent management

8. Audit and Assessment

8.1 VoiceAIWrapper Audit Rights

Agencies may audit VoiceAIWrapper's platform-specific HIPAA compliance measures with reasonable notice and scope limitations focused on our defined responsibilities.

8.2 Agency Audit Obligations

Agencies must conduct regular audits of:

  • Voice provider HIPAA compliance

  • Internal HIPAA policies and procedures

  • Staff training completion and effectiveness

  • Healthcare client satisfaction and compliance

  • Risk assessment and mitigation measures

9. Contact Information

For HIPAA compliance questions or concerns:

Compliance Officer: SP Parasar

Email: team@newxp.co

Company: New XP Technologies Limited

For Business Associate Agreement execution: VoiceAIWrapper BAA