
    Is Retell AI HIPAA compliant?

    Short answer

    Yes — Retell AI can be deployed in a HIPAA-compliant configuration. Retell offers a Business Associate Agreement (BAA) on its Enterprise plan, and provides the controls (PHI handling, access controls, audit logs) needed to meet the HIPAA Security Rule. Compliance, however, is the configuration around Retell — not Retell itself — and your team still owns workforce training, risk assessment, and the BAA chain with downstream sub-processors.

    Below: the HIPAA detail, what you still have to configure, and what changes for Australia and New Zealand under the Privacy Act 1988 and the APPs.

    HIPAA detail

    What "HIPAA compliant" actually means for an AI voice platform

    There is no HIPAA certification body. No vendor can be HIPAA-certified — the law doesn't work that way. What vendors can do is offer a Business Associate Agreement (BAA) and the controls required for a covered entity to operate a HIPAA-compliant workflow on top of the platform.

    Retell offers a BAA on its Enterprise plan and provides the controls — access management, audit logging, encryption in transit and at rest, PHI handling configuration — needed to satisfy the HIPAA Security Rule. Whether your deployment is compliant is determined by how you configure and operate it, not by the platform alone.

    The same logic applies to every major AI voice platform: Vapi, Bland, Synthflow, ElevenLabs Conversational AI, Sierra, Decagon. All offer BAAs; all require the covered entity to do the compliance work around the platform. The Compliance pillar of our CAPR framework is exactly this work — done once, per vendor, against a published bar.

    What you still own

    Six things the platform doesn't do for you

    1. Workforce HIPAA training and a documented access-control policy — who can see transcripts, who can edit prompts, who can pull recordings.

    2. Risk assessment of the voice workflow itself. What PHI does the agent collect? What does it write to the PMS? What does it expose to the LLM?

    3. PHI minimisation in prompts and tool calls. Don't pass fields the agent doesn't need. Mask DOB, MRN, and full address from anything the LLM sees if it doesn't need them to do the task.

    4. Call recording, transcript retention and deletion policy. HIPAA doesn't set a recording retention period — your covered-entity rules do. Configure Retell's retention to match.

    5. BAA chain with every downstream sub-processor that touches audio or transcripts — STT, TTS, LLM, transcription, analytics. A gap anywhere in the chain breaks the compliance posture.

    6. Breach notification process — who's on the rota, how a suspected breach is triaged, and what the 60-day clock looks like on your side.
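    One way to implement the PHI minimisation in item 3 inside the tool-call handler that sits between the PMS and the LLM. This is an added example, not Retell's code or Cadence's; the task names, field names and masking rules are assumptions, and the patient record is constructed.

```python
"""PHI minimisation for an AI voice agent's tool-call payloads.

Added example, not Retell's code: a per-task policy decides which fields of a
PMS patient record the LLM may see, in full or masked, and everything else is
dropped before the payload leaves the tool handler. Field names are assumptions.
"""
import re

# Hypothetical per-task policy: field -> "full" or "masked". Unlisted fields never
# reach the LLM; an unknown task gets an empty policy (fail closed).
TASK_POLICY = {
    "reschedule": {"first_name": "full", "appointment_time": "full",
                   "clinician": "full", "dob": "masked"},
    "identity_check": {"first_name": "full", "dob": "full", "address": "full"},
}


def mask_dob(dob):
    """Keep the year only: '1984-03-22' -> '1984-**-**'."""
    return dob[:4] + "-**-**" if re.fullmatch(r"\d{4}-\d{2}-\d{2}", dob) else "***"


def mask_mrn(mrn):
    """Keep the last two characters: 'MRN0048213' -> '********13'."""
    return "*" * (len(mrn) - 2) + mrn[-2:] if len(mrn) > 2 else "***"


def mask_address(addr):
    """Drop the street line, keep suburb/state/postcode."""
    parts = [p.strip() for p in addr.split(",")]
    return ", ".join(parts[1:]) if len(parts) > 1 else "***"


MASKERS = {"dob": mask_dob, "mrn": mask_mrn, "address": mask_address}


def minimise_for_llm(record, task):
    """Return the subset of `record` the LLM may see for `task`."""
    policy = TASK_POLICY.get(task, {})
    out = {}
    for field, value in record.items():
        mode = policy.get(field)
        if mode == "full":
            out[field] = value
        elif mode == "masked" and field in MASKERS:
            out[field] = MASKERS[field](value)
        # "masked" without a masker, or no policy entry at all: dropped
    return out


# Constructed sample record (no real patient data).
SAMPLE = {"first_name": "Ava", "dob": "1984-03-22", "mrn": "MRN0048213",
          "address": "12 Example St, Newtown NSW 2042", "clinician": "Dr Lee",
          "appointment_time": "2024-06-03T09:30", "notes": "Hx of asthma"}

if __name__ == "__main__":
    print(minimise_for_llm(SAMPLE, "reschedule"))
```

    Wiring the policy to the task, rather than to the record, is what keeps the MRN and free-text notes out of the LLM context for a booking call while still allowing full DOB and address on an identity-check call.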

    ANZ angle · Privacy Act 1988 · APPs · My Health Records

    HIPAA is US law. Here's what ANZ healthcare actually has to clear.

    HIPAA doesn't apply in Australia or New Zealand. For ANZ healthcare networks, the framework that actually governs an AI voice deployment is the Privacy Act 1988, the Australian Privacy Principles (APPs), state health-records legislation, the Notifiable Data Breaches scheme, and — if you touch it — the My Health Records Act.

    Retell's default hosting region is the United States. APP 8 (cross-border disclosure) and APP 11 (security of personal information) require you to either keep PHI in Australia or take reasonable steps to ensure the overseas recipient handles it to APP-equivalent standards. Practically: a signed DPA covering APP obligations, documented data residency for anything at rest, encryption in transit and at rest, a Notifiable Data Breaches process, and a clear retention and deletion policy.

    This is the overlay Cadence runs every Retell deployment through before it touches a production line. Not because Retell is unusual — every major US-hosted AI voice platform needs the same overlay for ANZ — but because "the vendor said it's HIPAA-compliant" is not a defensible answer for an AHPRA-registered network.

    FAQ

    Is Retell AI HIPAA compliant?

    Yes — Retell AI can be deployed in a HIPAA-compliant configuration. Retell offers a Business Associate Agreement (BAA) on its Enterprise plan, and provides the controls (PHI handling, access controls, audit logs) needed to meet the HIPAA Security Rule. Compliance, however, is the configuration around Retell — not Retell itself — and your team still owns workforce training, risk assessment, and the BAA chain with downstream sub-processors.

    Does Retell AI sign a BAA?

    Yes — Retell offers a BAA on its Enterprise tier. The BAA is a precondition for handling PHI in any HIPAA-covered workflow. Confirm directly with Retell that your specific deployment (including sub-processors like your STT, TTS and LLM providers) is in scope of the BAA before sending any PHI through the platform.

    What do healthcare teams still have to configure themselves?

    Six things, at minimum: (1) workforce HIPAA training and access policy; (2) a documented risk assessment of the voice workflow; (3) PHI minimisation in prompts and tool calls — don't send fields the agent doesn't need; (4) call recording, transcript retention and deletion policy aligned to your covered-entity rules; (5) BAA chain with every downstream sub-processor that touches the audio or transcript; (6) breach notification process. Retell provides the controls; your team operates them.

    Is Retell good enough for clinical workflows?

    For non-clinical workflows (booking, rescheduling, intake, billing-aware triage, after-hours capture) Retell is production-ready in healthcare. For anything that crosses into clinical decision-making — symptom assessment, medication advice, triage decisions that aren't keyword-routed to a human — the platform is not the limiting factor; the design of the workflow is. Cadence's standing rule: AI voice agents don't make clinical decisions, they route to humans who do.

    How does this apply in Australia and New Zealand?

    HIPAA is US law and doesn't apply in ANZ. The equivalent framework is the Privacy Act 1988 and the Australian Privacy Principles (APPs), plus state health-records legislation and the My Health Records Act for any My Health Record integration. Retell can be configured to meet APP obligations, but it is US-hosted by default — for ANZ healthcare networks we layer an AU-residency overlay (regional processing, signed DPA, retention controls) before any production rollout. See our ANZ section above.

    What about Australian Privacy Act compliance for Retell?

    Retell's default hosting region is the US. The Australian Privacy Principles (particularly APP 8 — cross-border disclosure — and APP 11 — security of personal information) require you to either keep PHI in Australia or take reasonable steps to ensure the overseas recipient handles it under APP-equivalent standards. In practice that means a signed Data Processing Agreement covering APP obligations, documented residency for any data at rest, encryption in transit and at rest, breach notification process aligned to the Notifiable Data Breaches scheme, and a clear retention and deletion policy. Cadence handles this overlay as part of any Retell deployment we run in ANZ.

    Is Retell compliant with My Health Records?

    There is no 'My Health Records certification' for AI voice platforms. If your workflow writes to or reads from My Health Record, the integration layer carries the My Health Records Act obligations — not the voice platform. Most ANZ AI voice deployments don't touch My Health Record directly; they touch the practice's PMS (Best Practice, Cliniko, Medical Director, Halaxy, Genie) which in turn may sync to My Health Record under existing arrangements.

    Is there a HIPAA-compliant alternative to Retell?

    Most major AI voice platforms — Vapi, Bland, Synthflow, ElevenLabs Conversational AI — offer a BAA on enterprise tiers and can be deployed in HIPAA-compliant configurations. The difference is in the controls, sub-processor chain, and operational governance. Cadence's CAPR framework scores all of them on Compliance (the C in CAPR) before they enter a shortlist.

    Are you reselling Retell?

    No. Cadence is the independent advisor — no referral fees, no resale margin, no preferred-vendor relationship with Retell or any other platform. We score, recommend, and deploy. If Retell is the right answer for your network, we say so. If it isn't, we say that too.

    Want this scored against your specific deployment?

    The 2-week paid Diagnostic runs the full Compliance pillar of the CAPR framework against your call profile, PMS and APP/HIPAA posture. You leave with a named pick and a defensible deployment plan.
