HIPAA compliance at Vocatech is opt-in. It becomes effective only when an authorized person at your company explicitly accepts the Business Associate Agreement (BAA) inside the admin portal. Until then, HIPAA protections are not in force even if the platform itself supports them.
This article walks through finding the BAA, accepting it, and understanding what changes on each side of the relationship.
What HIPAA covers
HIPAA governs how Protected Health Information (PHI) is stored, transmitted, and accessed. If your business handles patient information, appointment details, medical records, or anything similar, HIPAA likely applies.
Vocatech supports HIPAA-compliant use of the phone system, but only after the BAA is accepted. The BAA is the written agreement that defines who is responsible for what.
Find the BAA
Sign in to admin.vocatech.com. Go to the HIPAA section in your account settings. You will see the agreement text and an Accept button.
Only a full admin can accept. Read-only and restricted roles do not have the button.
Accept electronically
Read the agreement. When ready, check the box confirming you have the authority to bind your company and click Accept. The system records the date, time, and IP address of the acceptance, along with the user account that clicked Accept.
You get an emailed copy for your records. We also retain a copy on our side. This is your proof of acceptance in any future audit.
What Vocatech is responsible for
After acceptance, Vocatech is responsible for:
- Encryption of stored call data, recordings, voicemail, fax, and messaging.
- Encryption of data in transit between Vocatech systems.
- Role-based access controls on the admin portal.
- Audit logs for sensitive actions like recording playback and user changes.
- System monitoring and incident response.
What you are responsible for
After acceptance, you are responsible for:
- Configuring the system correctly. A misconfigured auto attendant that reads patient names over the public IVR is on you.
- Managing user access and removing logins when people leave.
- Securing endpoints, browsers, and devices used to access the portal.
- Ensuring any third-party service that touches PHI is also HIPAA-compliant with its own BAA.
- Training staff on proper handling of PHI over the phone.
- Preventing PHI from being sent through channels the BAA does not cover.
What changes operationally
For most customers, nothing changes in daily use. Calls work the same. Recordings work the same. The portal looks the same.
Behind the scenes, we treat your account with the stricter controls spelled out in the BAA. If your compliance officer asks whether the BAA is in place, you can point them at the acceptance record in the portal.
Revoking or amending
If you need to change the BAA or remove someone's authority to accept on your behalf, contact support. Changes after the fact require review by both sides.