HIPAA Business Associate Agreement.

For covered entities and business associates that handle PHI.

In plain English

If you are a covered entity under HIPAA (a medical practice, therapy group, home care agency, or similar) or a business associate of one, Vocatech will sign a Business Associate Agreement with you.

We handle Protected Health Information (PHI) that passes through our platform (voicemails, transcripts, call recordings, messages) with appropriate safeguards, including per-extension recording toggles, controlled-access voicemail delivery, and retention policies you configure.

This page describes what our BAA covers and how to request a signed copy.

Who needs a BAA

You need a BAA if your use of Vocatech will involve PHI. Typical cases: medical or therapy practices with patient voicemails, home care agencies coordinating with caregivers and patients, allied-health providers scheduling and documenting care over the phone.

You do not need a BAA if PHI will never touch the platform (for example, a plumber calling residential customers).

If you are unsure, email compliance@vocatech.com with a short description of your use case and we will confirm.

What the BAA covers

PHI that passes through call recordings, voicemails, transcripts, AI summaries, and messaging (SMS, WhatsApp, email bridge) on Vocatech.

Safeguards required by HIPAA: administrative, physical, and technical. These include encryption in transit and at rest, access logging, restricted access to production systems, and breach notification procedures.

Subcontractor obligations: our downstream providers (Google Cloud, Bandwidth, etc.) operate under HIPAA-compliant agreements where PHI could be involved.

HIPAA-aware features you can use

Per-extension recording toggles. Clinicians who do not want to record can opt out; administrative lines can record.

Controlled voicemail delivery. Voicemail transcripts can land in a shared, access-controlled team inbox instead of personal email.

Retention policies. Set per-mailbox and per-number retention. Auto-delete old recordings and transcripts.

Role-based access in the Portal. Not everyone on your team needs to see recordings.

Audit log. Every admin action is logged. Who listened to what, when.

What the BAA does not cover

A BAA does not make a phone system automatically HIPAA compliant. You remain responsible for your own practices: staff training, physical safeguards at your office, access management, and patient consent for call recording.

Do not include PHI in automated public-facing transcripts or integrations that route to untrusted systems.

Standard SMS is not secure end-to-end. Do not send PHI over SMS to a patient without appropriate consent and risk analysis.

How to request a signed BAA

Email compliance@vocatech.com with your legal entity name, address, and a short description of your use case.

We return a signed BAA within 2 business days for most requests. No charge.

If you need custom terms, we will work through them with you; most customers accept our standard template.

Breach notification

In the unlikely event of a breach of unsecured PHI, we notify affected customers without unreasonable delay and in no event later than required by HIPAA and state law.

We maintain incident-response procedures and test them.

How to reach us

Email: compliance@vocatech.com

Phone: 718.395.1550

Mail: Vocatech Inc., 5314 18th Avenue, Brooklyn, NY 11204, USA

Ready to request a BAA? Email compliance@vocatech.com. Also see privacy and terms.