Back to Blog
AI ReceptionistCompliancePricingVoice AI

Why HIPAA Compliance Shouldn't Be a $500 Add-On

Many AI receptionists charge extra for HIPAA compliance or don't offer it at all. Phonely gates HIPAA behind its Enterprise tier with a separate Business Associate Agreement. Trillet includes HIPAA, SOC 2 Type II, GDPR, and TCPA on every plan starting at $49/month with 150 minutes.

Ming Xu
Ming XuCo-Founder & CIO
Updated June 23, 2026
7 min read
W

Why HIPAA Compliance Shouldn't Be a $500 Add-On

As of June 2026, many AI receptionists either charge extra for HIPAA compliance or skip it entirely, and that pricing choice is the whole problem. Phonely, for example, gates HIPAA behind its Enterprise tier and requires a separate Business Associate Agreement that public reviews report at roughly $500/month. Several lower-cost AI receptionists publish no Business Associate Agreement process and no compliance documentation at all, which means a healthcare buyer has no way to confirm they can legally handle patient calls. Trillet, a native voice AI platform, includes HIPAA, SOC 2 Type II, GDPR, and TCPA compliance on every plan starting at $49/month with 150 minutes included (then $0.20/minute overage), so a solo practitioner gets the same controls as a multi-location group. This article explains what HIPAA actually requires from voice AI, how to read the AI receptionist buyer's guide compliance checklist, and how to verify a vendor's claims before you trust it with protected health information.

That distinction matters more than most pricing pages suggest. When compliance is a paid tier rather than a baseline, a healthcare buyer can end up paying many times the base price before a single call is answered, or worse, running a non-compliant system without realizing it. The gap is not a rounding error. It is the difference between compliance being treated as a standard feature and compliance being treated as a profit center.

The Bottom Line

What HIPAA Actually Requires From Voice AI

HIPAA's Security Rule and Privacy Rule impose specific technical and administrative requirements on any system that processes protected health information (PHI). A phone call where a patient confirms an appointment, describes symptoms, or provides insurance details contains PHI. An AI receptionist handling that call is a business associate under HIPAA, and it must meet three categories of requirements.

Business Associate Agreement (BAA). The AI vendor must sign a BAA with the healthcare provider. This is not optional. Without a BAA, any PHI the AI processes is an unauthorized disclosure, even if the call is encrypted and the data is stored securely. A BAA defines what the vendor can and cannot do with PHI, establishes breach notification requirements, and creates legal accountability.

Technical safeguards. Call recordings, transcripts, and summaries containing PHI must be encrypted both in transit and at rest. Access controls must ensure only authorized personnel can retrieve call data. Audit logs must track who accessed what and when. The system needs automatic session timeouts and unique user identification.

Administrative safeguards. The vendor must have documented security policies, conduct regular risk assessments, train employees on PHI handling, and maintain an incident response plan. SOC 2 Type II certification provides independent verification that these controls are in place and working. That third-party proof matters more than a vendor's self-assessment, and it is one of the things to confirm during a no-code AI receptionist setup before you route real patient calls through any platform.

Which AI Receptionists Include HIPAA (and Which Do Not)

The compliance landscape across AI receptionist platforms splits into three categories: included, paid add-on, and unverified. The table below reflects published pricing and compliance positioning as of June 2026. Compliance pages change often, so treat any "verify directly" entry as a prompt to ask the vendor for a written BAA before you sign up.

PlatformEntry PriceHIPAA StatusAdditional Compliance Cost
Trillet$49/month (150 min)Included on every plan$0 (HIPAA, SOC 2 Type II, GDPR, TCPA)
Phonely$50/month (250 min)Enterprise tier plus separate BAAReported near $500/month; verify directly
Dialzara$29/month (60 min)No published BAA process; verify directlyVerify directly
My AI Front Desk$99/month (200 min)No published BAA process; verify directlyVerify directly
Goodcall$79/month (100 unique customers)No published BAA process; verify directlyVerify directly
AIRA$24.95/month (30 calls)Unverified; verify directlyVerify directly
Upfirst$24.95/monthNo published BAA process; verify directlyVerify directly
Rosie$49/month (250 min)No published BAA process; verify directlyVerify directly
Echowin$49.99/month (~100 min)Unverified; verify directlyVerify directly

The "verify directly" entries are not a claim that these platforms are non-compliant. They reflect that, as of June 2026, we could not find a published BAA process, HIPAA documentation, or named compliance certification on their sites. A dental practice, therapy office, or veterinary clinic cannot rely on a vendor's marketing copy here: it needs a signed Business Associate Agreement in hand. If a vendor cannot produce one, that practice is operating without a legally required BAA.

The Real Cost of a HIPAA Violation

The Office for Civil Rights (OCR) enforces HIPAA through a four-tier penalty structure based on the level of negligence involved. The figures below reflect the inflation-adjusted statutory amounts that took effect January 28, 2026, per the HHS Office for Civil Rights penalty schedule. Note that since an April 2019 enforcement notice, OCR has applied lower annual caps to the first three tiers ($25,000, $100,000, and $250,000 respectively), so the maximums you actually face in practice can be lower than the statutory ceiling.

TierCulpabilityPenalty Per Violation (2026)Statutory Annual Maximum (2026)
1Did not know (and could not have known)$145 to $73,011$2,190,294
2Reasonable cause (not willful neglect)$1,461 to $73,011$2,190,294
3Willful neglect, corrected within 30 days$14,602 to $73,011$2,190,294
4Willful neglect, not corrected$73,011 to $2,190,294$2,190,294

Using an AI receptionist that cannot sign a BAA because it has no HIPAA program is not a Tier 1 "did not know" situation. OCR has consistently held that healthcare providers are responsible for vetting their business associates. Choosing a platform you never confirmed can sign a BAA, particularly when compliant alternatives exist at the same price point, points toward a Tier 2 "reasonable cause" scenario at minimum.

Even a modest breach handled at Tier 2 minimums runs into six figures fast once you multiply per-violation penalties across affected patients. Set against that exposure, the savings from skipping a compliant vendor do not hold up.

Why Some Platforms Charge Extra for What Trillet Includes Free

Phonely positions HIPAA compliance on its Enterprise tier with a separate Business Associate Agreement, which public reviews report at roughly $500/month as of June 2026. Because the Enterprise tier itself carries custom pricing, a healthcare business generally cannot get a signed BAA on Phonely's lower published plans. The practical result reported by reviewers: a dental office that wants HIPAA-compliant call handling on Phonely is looking at an Enterprise quote plus the BAA fee, not the entry price. Phonely's own compliance and pricing pages are the authority here, so confirm the current numbers directly before deciding.

Trillet takes a different approach. HIPAA compliance, including BAA execution, encrypted call storage, access controls, and audit logging, is included on every plan. A solo therapist paying $49/month gets the same compliance controls as a multi-location group, the same point made in Trillet's AI receptionist for medical practice breakdown. The AI receptionist pricing comparison between these platforms makes the cost difference obvious: Trillet's annual cost for a HIPAA-compliant AI receptionist is $588 (12 x $49, before any overage). A compliant setup that requires an Enterprise tier plus a separate BAA fee runs into the thousands per year by comparison.

The $500 add-on model reflects an architectural choice. When compliance is bolted on after the fact rather than built into the platform from the start, the vendor passes that retrofit cost to the customer. Trillet built its voice AI platform with compliance baked into the infrastructure, so there is nothing to add on and nothing to charge extra for.

Healthcare Businesses That Need Compliant AI Call Handling

Any business that discusses patient health information over the phone needs a HIPAA-compliant system. This is not limited to hospitals. The most common small businesses affected include:

Dental offices. Patients call to describe pain, discuss treatment plans, confirm insurance, and schedule procedures. Every one of those calls contains PHI. A dental practice answering 150 calls per month through a non-compliant AI receptionist generates 150 potential violations. If you are weighing options here, the best AI phone system for a dental office comparison walks through which platforms can actually sign a BAA.

Therapy and counseling practices. Therapists handle some of the most sensitive PHI in healthcare. A new patient calling to describe their reason for seeking therapy is disclosing mental health information. A HIPAA-compliant AI answering service for therapists is not optional for these practices.

Medical and chiropractic offices. Appointment scheduling, symptom triage, prescription refill requests, and insurance verification all involve PHI. Practices that use AI receptionists for after-hours call handling need those systems to be compliant around the clock, not just during business hours. The same BAA-first rule applies to a chiropractic practice's AI receptionist, where intake calls routinely capture injury history and treatment details.

Veterinary clinics. While HIPAA technically covers human health information, many states have veterinary privacy laws, and client billing information is still subject to data protection requirements. Veterinary practices increasingly adopt the same compliance standards as human healthcare for liability protection.

The Compliance Frameworks That Actually Matter

Trillet includes HIPAA, SOC 2 Type II, GDPR, and TCPA on every plan, plus ACMA coverage for Australian telecommunications. Each serves a different regulatory requirement, and healthcare businesses operating in the US, Australia, or the EU may need several of them simultaneously.

HIPAA governs the handling of protected health information in the United States. Any AI system processing patient calls must comply.

SOC 2 Type II is an independent audit verifying that a company's security controls (encryption, access management, availability, confidentiality) are not just designed properly but have been operating effectively over a sustained period. Type II is significantly more rigorous than Type I, which only verifies design at a point in time.

GDPR applies to any business handling data of EU residents. If a medical practice has patients who are EU citizens, their call data is subject to GDPR regardless of where the practice is located.

TCPA regulates telephone communications in the United States, including automated calls and texts. An AI receptionist that sends SMS follow-ups after calls must comply with TCPA consent requirements.

ACMA is the Australian equivalent, governing telecommunications compliance including the Do Not Call Register (DNCR). Australian healthcare businesses need both ACMA and HIPAA-equivalent protections.

Many lower-cost AI receptionist platforms publish none of these certifications. Trillet includes the full set.

Compliance Should Be Infrastructure, Not a Feature

The pattern of charging extra for compliance treats security as a premium feature rather than a baseline requirement. It is the equivalent of a car manufacturer charging extra for seatbelts. The business incentive is obvious: make the base product cheaper to win on price, then charge healthcare customers more because they have no choice.

The problem is that this model leaves non-healthcare businesses unprotected too. A law firm, a financial advisor, or even a plumbing company handling customer credit card information over the phone benefits from encrypted call storage and access controls. When compliance is included by default, every business gets those protections whether they specifically need HIPAA or not.

Trillet's approach of building compliance into the platform rather than selling it as an add-on means the infrastructure is the same for every customer. There is no "compliant mode" toggle. Every call is encrypted, every transcript is stored with access controls, and every customer has BAA access because that is how the system works at the infrastructure level.

Frequently Asked Questions

Is Trillet HIPAA compliant on every plan?

Yes. Trillet includes HIPAA compliance, BAA execution, SOC 2 Type II, GDPR, and TCPA on every plan starting at $49/month with 150 minutes included (then $0.20/minute overage). There is no add-on fee and no tier restriction. A solo practitioner on the base plan gets the same compliance controls as a large medical group.

Which AI receptionists can sign a Business Associate Agreement?

As of June 2026, Phonely offers HIPAA on its Enterprise tier with a separate BAA (publicly reported near $500/month). For lower-cost platforms such as Dialzara, My AI Front Desk, Goodcall, AIRA, Upfirst, Rosie, and Echowin, we could not find a published BAA process or HIPAA documentation, so a healthcare buyer should ask each vendor directly and get the BAA in writing. Running patient calls through any platform that cannot produce a signed BAA is a HIPAA violation.

How much does a HIPAA violation cost?

As of January 28, 2026, HHS inflation-adjusted the four-tier HIPAA penalty schedule to a $145 minimum per violation, rising to a $2,190,294 statutory annual maximum per violation category, per the HHS Office for Civil Rights. Since an April 2019 enforcement notice, OCR has applied lower annual caps to the first three tiers in practice. Using an AI receptionist without a BAA when compliant alternatives exist at the same price points toward Tier 2 "reasonable cause" or higher.

Do dental offices need a HIPAA-compliant AI receptionist?

Yes. Any phone call where a patient discusses symptoms, treatment plans, insurance information, or appointment details contains protected health information. A dental office using a non-compliant AI receptionist for those calls is operating without a required Business Associate Agreement, which is a violation regardless of whether a breach occurs.

Which Trillet product is right for you?

If you run a single healthcare practice (dental office, therapy practice, medical clinic, veterinary office), Trillet's AI Receptionist at $49/month includes full HIPAA compliance and handles your calls 24/7. If you are a marketing agency serving healthcare clients and need to resell compliant voice AI under your own brand, Trillet's white-label platform starts at $99/month with the same compliance certifications included.

Updated for June 2026: Reframed unverified competitor HIPAA claims as "verify directly" prompts (only Phonely's Enterprise BAA is independently corroborated), refreshed the HIPAA penalty figures to the HHS inflation-adjusted schedule effective January 28, 2026, and added in-body links to the AI receptionist guide and healthcare siblings.

Related Resources

Related Articles