
Why HIPAA Compliance Shouldn't Be a $500 Add-On

Ming Xu, Chief Information Officer

As of April 2026, most AI receptionists either charge extra for HIPAA compliance or skip it entirely. Phonely locks HIPAA behind its Enterprise tier and charges a $500 add-on for a Business Associate Agreement. ChatDash charges $200/month on top of its base subscription. Dialzara, My AI Front Desk, Goodcall, AIRA, Upfirst, and Rosie offer no HIPAA compliance at all. Trillet, a native voice AI platform, includes HIPAA, SOC 2 Type II, GDPR, TCPA, and ACMA compliance on every plan starting at $49/month with 150 minutes included. For any healthcare business handling protected health information over the phone, using a non-compliant AI receptionist is not a cost savings. It is a federal violation.

That distinction matters more than most pricing pages suggest. A dental office using Phonely's Enterprise plan with the HIPAA add-on pays $500/month or more before a single call is answered. The same office pays $49/month with Trillet and gets the same compliance certifications included. The gap is not a rounding error. It is the difference between compliance being treated as a standard feature and compliance being treated as a profit center.

The Bottom Line

What HIPAA Actually Requires From Voice AI

HIPAA's Security Rule and Privacy Rule impose specific technical and administrative requirements on any system that processes protected health information (PHI). A phone call where a patient confirms an appointment, describes symptoms, or provides insurance details contains PHI. An AI receptionist handling that call is a business associate under HIPAA, and it must meet three categories of requirements.

Business Associate Agreement (BAA). The AI vendor must sign a BAA with the healthcare provider. This is not optional. Without a BAA, any PHI the AI processes is an unauthorized disclosure, even if the call is encrypted and the data is stored securely. A BAA defines what the vendor can and cannot do with PHI, establishes breach notification requirements, and creates legal accountability.

Technical safeguards. Call recordings, transcripts, and summaries containing PHI must be encrypted both in transit and at rest. Access controls must ensure only authorized personnel can retrieve call data. Audit logs must track who accessed what and when. The system needs automatic session timeouts and unique user identification.

Administrative safeguards. The vendor must have documented security policies, conduct regular risk assessments, train employees on PHI handling, and maintain an incident response plan. SOC 2 Type II certification provides independent verification that these controls are in place and working. This is why Trillet's included SOC 2 Type II compliance matters: it is third-party proof, not a self-assessment.

Which AI Receptionists Include HIPAA (and Which Do Not)

The compliance landscape across AI receptionist platforms splits into three categories: included, paid add-on, and absent. The table below reflects pricing and compliance status as of April 2026.

| Platform | Entry Price | HIPAA Status | Additional Compliance Cost |
|---|---|---|---|
| Trillet | $49/month (150 min) | Included on every plan | $0 (HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA) |
| Phonely | $50/month (250 min) | Enterprise only, $500 add-on | $500+ (requires Enterprise tier) |
| ChatDash | $120/month (agency) | Add-on | $200/month |
| Dialzara | $29/month (60 min) | Not available | N/A |
| My AI Front Desk | $99/month (200 min) | Not available | N/A |
| Goodcall | $59/month (100 unique customers) | Not available | N/A |
| AIRA | $24.95/month (30 calls) | Not available | N/A |
| Upfirst | $24.95/month | Not available | N/A |
| Rosie | $49/month (250 min) | Not available | N/A |
| Echowin | $49.99/month (~100 min) | Managed plans only | Requires custom pricing |

The "not available" entries are not a data gap. These platforms have no published BAA process, no HIPAA documentation, and no compliance certifications. A dental practice, therapy office, or veterinary clinic using any of them for patient calls is operating without a legally required BAA.

The Real Cost of a HIPAA Violation

The Office for Civil Rights (OCR) enforces HIPAA through a four-tier penalty structure based on the level of negligence involved.

| Tier | Culpability | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Did not know (and could not have known) | $100 to $50,000 | $25,000 |
| 2 | Reasonable cause (not willful neglect) | $1,000 to $50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000 to $50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000 | $1,500,000 |

Using an AI receptionist that cannot sign a BAA because it has no HIPAA program is not a Tier 1 "did not know" situation. OCR has consistently ruled that healthcare providers are responsible for vetting their business associates. Choosing a platform with no compliance capabilities, particularly when compliant alternatives exist at the same price point, is at minimum a Tier 2 scenario.

A single breach affecting 500 patients at Tier 2 penalties could cost $500,000 to $25 million. The $500 annual savings from skipping HIPAA compliance does not hold up against those numbers.

Why Phonely Charges $500 for Something Trillet Includes Free

Phonely's HIPAA compliance is available only on its Enterprise plan and requires a separate $500 add-on for a Business Associate Agreement. The Enterprise plan itself starts at custom pricing, meaning a healthcare business cannot get HIPAA compliance on Phonely's Starter ($50/month), Pro ($350/month), or Business ($500/month) plans. The practical result: a dental office that needs HIPAA-compliant call handling on Phonely is looking at $500/month minimum, plus the $500 BAA fee.

Trillet takes a different approach. HIPAA compliance, including BAA execution, encrypted call storage, access controls, and audit logging, is included on every plan. A solo therapist paying $49/month gets the same compliance infrastructure as a multi-location medical practice. The AI receptionist pricing comparison between these platforms makes the cost difference obvious: Trillet's annual cost for a HIPAA-compliant AI receptionist is $588. Phonely's is $6,000 or more.

The $500 add-on model reflects an architectural choice. When compliance is bolted on after the fact rather than built into the platform from the start, the vendor passes that retrofit cost to the customer. Trillet built its voice AI platform with compliance baked into the infrastructure, so there is nothing to add on and nothing to charge extra for.

Healthcare Businesses That Need Compliant AI Call Handling

Any business that discusses patient health information over the phone needs a HIPAA-compliant system. This is not limited to hospitals. The most common small businesses affected include:

Dental offices. Patients call to describe pain, discuss treatment plans, confirm insurance, and schedule procedures. Every one of those calls contains PHI. A dental practice answering 150 calls per month through a non-compliant AI receptionist generates 150 potential violations.

Therapy and counseling practices. Therapists handle some of the most sensitive PHI in healthcare. A new patient calling to describe their reason for seeking therapy is disclosing mental health information. A HIPAA-compliant AI answering service for therapists is not optional for these practices.

Medical and chiropractic offices. Appointment scheduling, symptom triage, prescription refill requests, and insurance verification all involve PHI. Practices that use AI receptionists for after-hours call handling need those systems to be compliant around the clock, not just during business hours.

Veterinary clinics. While HIPAA technically covers only human health information, many states have veterinary privacy laws, and client billing information is still subject to data protection requirements. Veterinary practices increasingly adopt the same compliance standards as human healthcare for liability protection.

The Five Compliance Frameworks That Actually Matter

Trillet includes five compliance certifications on every plan. Each serves a different regulatory requirement, and healthcare businesses operating in the US, Australia, or the EU may need several of them simultaneously.

HIPAA governs the handling of protected health information in the United States. Any AI system processing patient calls must comply.

SOC 2 Type II is an independent audit verifying that a company's security controls (encryption, access management, availability, confidentiality) are not just designed properly but have been operating effectively over a sustained period. Type II is significantly more rigorous than Type I, which only verifies design at a point in time.

GDPR applies to any business handling data of EU residents. If a medical practice has patients who are EU citizens, their call data is subject to GDPR regardless of where the practice is located.

TCPA regulates telephone communications in the United States, including automated calls and texts. An AI receptionist that sends SMS follow-ups after calls must comply with TCPA consent requirements.

ACMA is the Australian equivalent of TCPA, governing telecommunications compliance including the Do Not Call Register (DNCR). Australian healthcare businesses need both ACMA and HIPAA-equivalent protections.

Most AI receptionist platforms include zero of these. Trillet includes all five.

Compliance Should Be Infrastructure, Not a Feature

The pattern of charging extra for compliance treats security as a premium feature rather than a baseline requirement. It is the equivalent of a car manufacturer charging extra for seatbelts. The business incentive is obvious: make the base product cheaper to win on price, then charge healthcare customers more because they have no choice.

The problem is that this model leaves non-healthcare businesses unprotected too. A law firm, a financial advisor, or even a plumbing company handling customer credit card information over the phone benefits from encrypted call storage and access controls. When compliance is included by default, every business gets those protections whether they specifically need HIPAA or not.

Trillet's approach of building compliance into the platform rather than selling it as an add-on means the infrastructure is the same for every customer. There is no "compliant mode" toggle. Every call is encrypted, every transcript is stored with access controls, and every customer has BAA access because that is how the system works at the infrastructure level.

Frequently Asked Questions

Is Trillet HIPAA compliant on every plan?

Yes. Trillet includes HIPAA compliance, BAA execution, SOC 2 Type II, GDPR, TCPA, and ACMA on every plan starting at $49/month. There is no add-on fee and no tier restriction. A solo practitioner on the base plan gets the same compliance infrastructure as a large medical group.

Which AI receptionists are not HIPAA compliant?

As of April 2026, Dialzara, My AI Front Desk, Goodcall, AIRA, Upfirst, and Rosie offer no HIPAA compliance and cannot sign a Business Associate Agreement. Phonely offers HIPAA only on its Enterprise tier with a $500 add-on. ChatDash charges $200/month extra. Using any non-compliant platform for healthcare calls is a HIPAA violation.

How much does a HIPAA violation cost?

HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Willful neglect that goes uncorrected triggers the highest penalties. Using an AI receptionist without a BAA when compliant alternatives exist at the same price is likely classified as Tier 2 or higher negligence.

Do dental offices need a HIPAA-compliant AI receptionist?

Yes. Any phone call where a patient discusses symptoms, treatment plans, insurance information, or appointment details contains protected health information. A dental office using a non-compliant AI receptionist for those calls is operating without a required Business Associate Agreement, which is a violation regardless of whether a breach occurs.

Which Trillet product is right for you?

If you run a single healthcare practice (dental office, therapy practice, medical clinic, veterinary office), Trillet's AI Receptionist at $49/month includes full HIPAA compliance and handles your calls 24/7. If you are a marketing agency serving healthcare clients and need to resell compliant voice AI under your own brand, Trillet's white-label platform starts at $99/month with the same compliance certifications included.
