HIPAA Business Associate Agreement.
Last updated April 26, 2026. For covered entities and business associates that handle PHI on Vocatech.
In plain English
If you are a covered entity under HIPAA (a medical practice, therapy group, home care agency, or similar) or a business associate of one, Vocatech will sign a Business Associate Agreement with you. There is no charge.
We handle Protected Health Information (PHI) that passes through our platform (voicemails, transcripts, call recordings, messages) with appropriate safeguards: per-extension recording toggles, controlled-access voicemail delivery, and retention policies you configure.
This page describes what our BAA covers, who needs one, and how to execute one.
Who needs a BAA
You need a BAA with Vocatech if your use of the Service will involve PHI.
Typical cases that need a BAA: medical or therapy practices with patient voicemails or recorded clinical calls; home care agencies coordinating with caregivers and patients; allied-health providers scheduling and documenting care over the phone; insurance and billing companies discussing patient information; behavioral health and ABA providers; any business associate of a covered entity that uses Vocatech for PHI-bearing work.
You do not need a BAA if PHI will never touch the platform (a plumber calling residential customers, a real estate office, a retail business that does not discuss patient information).
If unsure, email office@vocatech.com with a short description of your use case and we will confirm.
HIPAA-Eligible Services covered by the BAA
The BAA covers a specific list of Vocatech services, not the entire platform. If a service is not on this list, it is not covered by the BAA. PHI must not be sent through, stored in, or processed by any non-listed Vocatech feature.
| Service | Purpose | Eligible |
|---|---|---|
| Voice calling | Inbound and outbound calls on Vocatech-provisioned numbers | Yes |
| Call recording | SIP-based call recording with encrypted storage | Yes |
| Voicemail | Voicemail audio (Portal retrieval only) | Yes |
| Call transcription | Speech-to-text on Vocatech-controlled Google Cloud infrastructure | Yes |
| AI call summaries | Post-call summaries via Google Vertex AI (under GCP HIPAA BAA) | Yes |
| Admin Portal | The customer portal at portal.vocatech.com | Yes |
| REST API | Authenticated REST API for HIPAA-Eligible Services | Yes |
| Webhooks | HMAC-signed, HTTPS-only delivery of HIPAA-Eligible event data | Yes |
| Callpop desktop application | Limited to data delivered to authorized workstations | Yes |
This pattern of "specific listed eligible services" is the same one used by Twilio, Datadog, Salesforce, Slack, and other major SaaS vendors that sign HIPAA BAAs. Tight scope keeps customer obligations clear.
What our BAA does NOT cover
The BAA explicitly does not cover certain channels and integrations because the underlying providers do not offer HIPAA coverage, or because the channel cannot be reasonably secured for PHI:
WhatsApp messaging. Meta does not offer HIPAA coverage. Customer must disable before HIPAA mode can be enabled.
Standard SMS. Not end-to-end encrypted. Vocatech allows non-clinical SMS for HIPAA-covered customers (appointment reminders without diagnosis), but PHI in SMS is not appropriate.
Voicemail-to-email and fax-to-email. Delivers PHI to email systems we do not control. Customer must disable before HIPAA mode can be enabled.
Daily email reports. May contain PHI. Customer must disable before HIPAA mode can be enabled.
Customer-built integrations to non-BAA vendors. If you connect Vocatech to a CRM, EHR, storage, or analytics service that does not have its own BAA with you, that is outside our coverage.
When activating HIPAA mode, the Portal warns Customer of any non-eligible features still configured for the company. Those must be disabled before HIPAA mode can be activated. Customer is responsible for not configuring or using any non-eligible feature for PHI, regardless of system warnings.
HIPAA-aware features you can use
Per-extension recording toggles. Clinicians who do not want to record can opt out. Administrative lines can record.
Controlled voicemail delivery. Voicemails can land in a shared, access-controlled team inbox in the Portal instead of personal email.
Retention policies. Set per-mailbox and per-number retention. Auto-delete old recordings, transcripts, and voicemails on a schedule you configure.
Role-based access in the Portal. Not everyone on your team needs to see recordings. Assign roles to limit access.
PHI access audit log. Every Portal action that accesses PHI is logged. Who listened to what, when, from where. 6-year retention.
Recording announcement option. "This call may be recorded" can play at the start of outbound calls, supporting consent compliance in two-party-consent states.
Subprocessors
The most important subprocessor is Google Cloud Platform (hosting and Vertex AI for AI call summaries, covered under our Google Cloud HIPAA BAA). The voice platform itself runs on Cisco BroadWorks.
Vocatech keeps a small, deliberately limited set of additional vendors for back-office work (transactional email, fax, payment processing, accounting). The complete list is included in the executed BAA for HIPAA-covered customers and available on request under NDA. Each subprocessor that may touch PHI either has a signed HIPAA BAA in place with Vocatech, or operates as a network conduit under the HIPAA Conduit Exception (45 CFR §164.502(e)(1)).
Each subprocessor is bound by written contract to use customer data only to deliver the specific service for which it was engaged, and not for any other purpose (no marketing, no advertising, no AI training for other customers, no resale).
How to execute a BAA
Vocatech has a self-service BAA acceptance flow in the Portal:
Log in to portal.vocatech.com
Open the Compliance section
Read the current BAA
Click Review and accept
After acceptance, the executed BAA is available for download as a PDF
The current version is V3.0, modeled on Google Cloud's HIPAA BAA pattern. Vocatech's standard BAA is the BAA we offer. We do not negotiate or substitute customer-supplied templates by default.
Breach notification
In the unlikely event of a Breach of unsecured PHI, Vocatech will notify affected customers promptly and without unreasonable delay, and in no event later than required by HIPAA (45 CFR §164.410, generally 60 days after discovery) and applicable state law.
Notification will include, to the extent available: a description of what happened, the types of PHI involved, the approximate number of affected individuals, mitigation steps already taken, and Vocatech's point of contact.
Routine attempted attacks that do not result in unauthorized access (port scans, automated login attempts) are common on internet-connected systems and do not constitute Breaches; the BAA addresses these explicitly.
Customer responsibilities
HIPAA does not turn a phone system into automatic compliance. You remain responsible for:
Your own administrative, physical, and technical safeguards at your office and on workforce devices
Staff training on HIPAA requirements and on proper use of Vocatech
Access management within your organization (who gets which Portal role)
Patient consent for call recording where state law requires
Configuring features safely (not re-enabling voicemail-to-email without strong protection at the destination)
Endpoint security (workstations, browsers, mobile devices)
Designating a HIPAA Privacy Officer and Security Officer within your organization
Verifying that any third-party integrations have their own BAAs
Common questions
Are you HIPAA certified? No, and neither is anyone else legitimately. HIPAA does not provide a certification program. Companies that claim to be "HIPAA certified" are using a private auditor's certification, which is not a government-issued credential. Following industry best practice (Slack, Twilio, Datadog), we say Vocatech is "configurable for HIPAA compliance": the platform is engineered to support HIPAA-covered use, but actual compliance depends on your configuration and use.
What does the BAA cost? Nothing. Included for HIPAA-covered customers. We do not charge a separate "HIPAA tier" fee.
Can I use my own BAA template instead of yours? Vocatech's standard BAA is the BAA we offer. Customer-supplied templates and material redlines are not accepted by default; if a particular customer requires substantive deviation, attorney review is required at the customer's expense.
What happens if I send PHI without a BAA? It is a violation of our Terms of Service. We may remove the PHI and suspend the account until a BAA is in place.
Is the AI transcription HIPAA-compliant? Yes. AI call summaries run on Google Vertex AI, covered under Google's HIPAA BAA. Inference is per-call; outputs are returned only to your account. We do not use your call content to train general-purpose models shared with other customers. We do not use OpenAI or other consumer AI services for HIPAA-covered customers' calls. Call transcription itself runs on Vocatech-controlled Google Cloud infrastructure and is not sent to any third-party AI provider.
How to reach us
Email: office@vocatech.com
Phone: 718.395.1550
Mail: Vocatech Inc., 5314 18th Avenue, Brooklyn, NY 11204, USA
Ready to execute? Email office@vocatech.com. See also the Privacy Policy and Terms of Service.